I’m trying to give the system identity of my container app access to the ACR which is deployed in a different resource group. I’m using the Azure CLI in a release pipeline. The service connection I’m using should be scoped to all the resource groups within my subscription. Now for some reason I keep getting the following error message:
The client 'xxxx' with object id 'xxxxx' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/xxxxx/resourceGroups/xxxxx/providers/Microsoft.ContainerRegistry/registries/xxxx/providers/Microsoft.Authorization/roleAssignments/xxxxx' or the scope is invalid. If access was recently granted, please refresh your credentials.
I’m trying to assign the client which is provided in the error message the role of User Access Administrator because I read that is what it needs, but I’m a bit lost here.
Does anyone know how I should tackle this?
2 Answers
Alright, I was able to make it work. I had to give the service principal of my service connection the User Access Management role in order to let the pipeline run successfully.
You need to grant your System Identity specific roles as specified in the documentation.
The available roles for a container registry include:
AcrPull: pull
AcrPush: pull and push
Owner: pull, push, and assign roles to other users
https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli#service-principal
You could also enable the admin user/password as a test. This is not recommended for production usage, but it will help you troubleshoot your issue.
https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli#admin-account
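The two answers above together describe one procedure: the pipeline's service principal must be allowed to write role assignments on the registry (the first answer), and the container app's system-assigned identity then gets a registry role such as AcrPull (the second answer). The script below is an added example and is not code from either answer or from Microsoft. It assumes the Azure CLI is logged in, that the variable names (ACR_NAME, ACR_RG, APP_NAME, APP_RG) are hypothetical settings you supply, and that the role granted to the pipeline identity is the built-in "User Access Administrator" named in the question, scoped to the registry only rather than the whole subscription. The registry scope string it builds is the same format shown in the question's error message, and the assignment is done by object id so the pipeline does not need Microsoft Graph permissions to resolve the assignee.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): grant a Container App's
# system-assigned identity AcrPull on a registry in another resource group,
# after giving the pipeline's service principal only the right it needs for that.
# Assumptions: Azure CLI is logged in; ACR_NAME/ACR_RG/APP_NAME/APP_RG are hypothetical settings.
set -euo pipefail

# Build the registry resource ID. This is exactly the scope format that appears in the
# error message in the question, so it can be checked without calling Azure.
acr_scope() {
  # $1 subscription id, $2 registry resource group, $3 registry name
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.ContainerRegistry/registries/%s' "$1" "$2" "$3"
}

# The pipeline service principal needs Microsoft.Authorization/roleAssignments/write at the
# registry scope. Run this once as an Owner or User Access Administrator of the registry
# (not from the pipeline itself), and keep the scope at the registry, not the subscription.
grant_pipeline_role_admin() {
  # $1 pipeline SP object id (the 'object id' shown in the error), $2 registry scope
  az role assignment create \
    --assignee-object-id "$1" --assignee-principal-type ServicePrincipal \
    --role "User Access Administrator" --scope "$2" -o none
}

# Give the container app's system-assigned identity pull rights on the registry.
# Prints the identity's object id so the caller can verify the assignment.
grant_acr_pull() {
  # $1 container app name, $2 its resource group, $3 registry scope
  local principal_id
  principal_id=$(az containerapp show -n "$1" -g "$2" --query identity.principalId -o tsv)
  if [ -z "$principal_id" ] || [ "$principal_id" = "None" ]; then
    echo "system-assigned identity is not enabled on $1; run: az containerapp identity assign -n $1 -g $2 --system-assigned" >&2
    return 1
  fi
  # --assignee-object-id plus --assignee-principal-type avoids the Graph lookup that
  # --assignee performs, which pipeline service principals often are not allowed to do.
  az role assignment create \
    --assignee-object-id "$principal_id" --assignee-principal-type ServicePrincipal \
    --role AcrPull --scope "$3" -o none
  echo "$principal_id"
}

# Check: confirm the identity actually holds AcrPull on the registry.
verify_acr_pull() {
  # $1 principal object id, $2 registry scope
  az role assignment list --assignee "$1" --scope "$2" --role AcrPull \
    --query "[].roleDefinitionName" -o tsv | grep -qx AcrPull
}

# Only perform the Azure calls when the settings are supplied in the environment;
# the functions above can be sourced and reused without side effects otherwise.
if [ -n "${ACR_NAME:-}" ]; then
  SUB_ID=$(az account show --query id -o tsv)
  SCOPE=$(acr_scope "$SUB_ID" "$ACR_RG" "$ACR_NAME")
  PID=$(grant_acr_pull "$APP_NAME" "$APP_RG" "$SCOPE")
  verify_acr_pull "$PID" "$SCOPE" && echo "AcrPull confirmed for $PID on $SCOPE"
fi
```

Usage from the pipeline: export the four settings and run the script; run grant_pipeline_role_admin once beforehand with the object id from the error message. If the role assignment still fails right after the grant, the "If access was recently granted, please refresh your credentials" part of the error applies: the pipeline's token was issued before the assignment and needs a fresh login.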