You need to at least assigned the 'acrPull' role to the managed identity you want to use to pull the image (assuming to Azure Container Apps by your tag).
Role/Permission | Access Resource Manager | Create/delete registry | Push image | Pull image | Delete image data | Change policies | Sign images |
---|---|---|---|---|---|---|---|
Owner | X | X | X | X | X | X | |
Owner | X | X | X | X | X | X | |
Contributor | X | X | X | X | X | X | |
Reader | X | X | |||||
AcrPush | X | X | |||||
AcrPull | X | ||||||
AcrDelete | X | ||||||
AcrImageSigner | X |
- Go to the ACR Resource > Access Control (IAM) > Add > Add role assignment > role: acrPull (and acrPush if required to push images) > Members tab: Select Managed Identity and select the system-assigned MI you want to use > review + assign to complete