If you have an Azure Kubernetes Service (AKS) cluster in one Microsoft Entra tenant, and an Azure container registry in a different tenant, you can configure cross-tenant authentication to enable the AKS cluster to pull images from the container registry. This article walks through the steps to enable cross-tenant authentication by using the AKS service principal credential to pull from the container registry.
In this article, we refer to the tenant containing the AKS cluster as Tenant A, and the tenant containing the Azure container registry as Tenant B.
The high-level steps to enable cross-tenant authentication are:
Create a new multitenant app (service principal) in Tenant A.
Provision the app in Tenant B.
Configure the service principal to pull from the registry in Tenant B.
Update the AKS cluster in Tenant A to authenticate by using the new service principal.
Note
When the cluster and the container registry are in different tenants, you can't use an AKS managed identity to attach the registry and authenticate.
Prerequisites
The AKS cluster must be configured with service principal authentication in Tenant A.
You need at least the Contributor role on the AKS cluster's subscription. In the container registry's subscription, you also need the Role Based Access Control Administrator role and the Container Registry Contributor and Data Access Configuration Administrator role (or roles with an equivalent or greater level of access).
Create a multitenant Microsoft Entra application
Sign in to the Azure portal in Tenant A.
Search for and select Microsoft Entra ID.
In the service menu, under Manage, select App registrations.
Select + New registration, and then complete the following steps:
- Enter a name for the application.
- In Supported account types, select Accounts in any organizational directory.
- In Redirect URI, select Web for Platform and enter https://www.microsoft.com.
- Select Register.
On the Overview page, take note of the Application (client) ID. You'll need this ID later.
In the service menu, under Manage, select Certificates & secrets.
In the Client secrets section, select + New client secret.
Enter a Description such as Password, and then select Add.
In Client secrets, take note of the value of the client secret. You'll use this value to update the AKS cluster's service principal.
Provision the service principal in the ACR tenant
Edit the following link with the tenant ID for Tenant B and the application (client) ID of the multitenant app.
https://login.chinacloudapi.cn/<Tenant B ID>/oauth2/authorize?client_id=<Multitenant application ID>&response_type=code&redirect_uri=<redirect url>
Open the edited link with an admin account in Tenant B.
Select Consent on behalf of your organization, and then select Accept.
Configure the service principal to pull from registry
In Tenant B, assign the correct role to the service principal, scoped to the target container registry:
- For ABAC-enabled registries, assign Container Registry Repository Reader.
- For non-ABAC registries, assign AcrPull.
You can use the Azure portal, the Azure CLI, or other tools to assign this role.
Update the AKS cluster with the Microsoft Entra application secret
Use the multitenant app's application (client) ID and client secret to update the AKS service principal credential.
Updating the service principal can take several minutes to complete. After the update is finished, the AKS cluster in Tenant A can pull images from the Azure container registry in Tenant B.
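As an added example that is not part of this article, the following script carries out the last two steps with the Azure CLI: the registry-scoped role assignment in Tenant B, then `az aks update-credentials` in Tenant A, followed by `az aks check-acr` to confirm the pull works. The angle-bracket values, the `AZ_DRY_RUN` switch and the `roleAssignmentMode` query are assumptions, not values from the article.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: scripts the registry role assignment
# in Tenant B and the AKS credential update in Tenant A with the Azure CLI.
# Angle-bracket values are placeholders (assumptions) to replace with your own.
# AZ_DRY_RUN=1 (the default) only prints each command so the plan can be reviewed.
set -eu

TENANT_B_ID="${TENANT_B_ID:-<Tenant B ID>}"
APP_ID="${APP_ID:-<Multitenant application ID>}"   # Application (client) ID from Tenant A
CLIENT_SECRET="${CLIENT_SECRET:-<client secret>}"  # value noted under Certificates & secrets
ACR_NAME="${ACR_NAME:-<registry name>}"            # registry in Tenant B
AKS_RG="${AKS_RG:-<aks resource group>}"           # cluster resource group in Tenant A
AKS_NAME="${AKS_NAME:-<aks cluster name>}"

run() {  # execute one az command, or only print it in dry-run mode
  if [ "${AZ_DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Pick the least-privileged pull role for the registry type; the argument is the
# registry's roleAssignmentMode (property name assumed from `az acr show` output).
pick_acr_role() {
  case "$1" in
    AbacRepositoryPermissions) echo "Container Registry Repository Reader" ;;
    *) echo "AcrPull" ;;
  esac
}

# Tenant B: scope the assignment to the registry resource, not the subscription.
assign_acr_role() {  # $1=app id, $2=registry resource id, $3=role name
  run az role assignment create --assignee "$1" --scope "$2" --role "$3"
}

# Tenant A: rotate the cluster's service principal to the multitenant app.
update_aks_credentials() {  # $1=resource group, $2=cluster, $3=app id, $4=secret
  local secret="$4"
  if [ "${AZ_DRY_RUN:-1}" = "1" ]; then secret='<redacted>'; fi  # keep it out of logs
  run az aks update-credentials --resource-group "$1" --name "$2" \
    --reset-service-principal --service-principal "$3" --client-secret "$secret"
}

main() {
  run az login --tenant "$TENANT_B_ID"
  acr_id=$(run az acr show --name "$ACR_NAME" --query id -o tsv)
  mode=$(run az acr show --name "$ACR_NAME" --query roleAssignmentMode -o tsv)
  assign_acr_role "$APP_ID" "$acr_id" "$(pick_acr_role "$mode")"
  run az login   # back to the home tenant (Tenant A) before touching the cluster
  update_aks_credentials "$AKS_RG" "$AKS_NAME" "$APP_ID" "$CLIENT_SECRET"
  run az aks check-acr --resource-group "$AKS_RG" --name "$AKS_NAME" --acr "$ACR_NAME.azurecr.io"  # verify
}
main "$@"
```

Review the printed commands first, then rerun with AZ_DRY_RUN=0; the dry run never echoes the client secret.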
Related content
- Learn more about Azure Container Registry authentication with service principals.
- Learn more about image pull secrets in the Kubernetes documentation.
- Learn about Application and service principal objects in Microsoft Entra ID.
- Learn more about scenarios to authenticate with Azure Container Registry from a Kubernetes cluster.