Push to Azure container registry using Helm throws Error: server message: insufficient_scope: authorization failed

Lee Johnson 11 Reputation points
2022-11-10T14:22:16.347+00:00
  1. I followed this article and used a Service Principal: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-helm-repos
  2. The SP has the AcrPull role (which provides pull and push)
  3. I have logged into ACR using the SP as follows: helm registry login $ACR_NAME.azurecr.io --username $USER_NAME --password $PASSWORD where $USER_NAME is the SP GUID
  4. When I push as follows: helm push hello-world-0.1.0.tgz oci://$ACR_NAME.azurecr.io/helm it throws Error: server message: insufficient_scope: authorization failed

Using Helm 3.10.1

Azure Container Registry

2 answers

  1. Lee Johnson 11 Reputation points
    2022-11-11T05:50:19.65+00:00

    Thanks for this @shiva patpi. I was successful following your reply, without needing to log in again. However, for clarity, the mistake I made is that I assigned acrPull which only provides pull access, when I meant to assign acrPush, which provides both. My comment above is incorrect (I inverted acrPull and acrPush).

    Ultimately, the solution is to assign acrPush to the SP.

    Thanks again for the help. :-D

    1 person found this answer helpful.

  2. shiva patpi 13,366 Reputation points Microsoft Employee Moderator
    2022-11-11T00:56:59.7+00:00

    Hello @Lee Johnson ,
    I was trying to repro your exact scenario locally with my ACR with my existing SP but was not able to do so.
    So I went ahead and created a new SP and tried logging in after giving ACR PULL permission:

    259255-image.png

    ACR Pull permission for SP:

    259273-image.png

    Then I gave ACR PUSH permissions for that SP, I was still getting the same error.
    Then ran the login command again: helm registry login acr.azurecr.io --username id --password <pwd>
    followed by push:

    This time it went through successfully:

    259274-image.png

    /////////////////

    Points to be Noted/Observed:
    -> ACR Pull permissions are needed for login
    -> ACR Push permissions are needed to push
    -> After giving ACR Push permissions, try to re-login again
    -> Wait for a couple of mins to completely propagate the permissions

    Let us know if that helps!!
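
A pre-flight check for the fix both answers arrive at, added here as an example and not posted by either participant: it confirms that the service principal holds a push-capable role on the registry before `helm push` is attempted. The function names are hypothetical, and the role list assumes the classic built-in ACR roles (AcrPush, Contributor and Owner can push; AcrPull and Reader can only pull).

```bash
#!/usr/bin/env bash
# Added example (not from the thread): check that a service principal holds a
# push-capable role on the registry before running `helm push`.

# roles_allow_push: reads role names on stdin, one per line.
# Returns 0 if any of them grants push, 1 otherwise.
# AcrPush, Contributor and Owner include push; AcrPull and Reader are pull-only.
roles_allow_push() {
  local role granted=1
  while IFS= read -r role || [ -n "$role" ]; do
    case "$role" in
      AcrPush|Contributor|Owner) granted=0 ;;
    esac
  done
  return "$granted"
}

# sp_roles_on_acr <registry-name> <sp-app-id>
# Prints the SP's role names at the registry scope, inherited ones included.
# Needs an authenticated Azure CLI session; not called by the sample run below.
sp_roles_on_acr() {
  local acr_id
  acr_id="$(az acr show --name "$1" --query id --output tsv)" || return 2
  az role assignment list --assignee "$2" --scope "$acr_id" \
    --include-inherited --query "[].roleDefinitionName" --output tsv
}

# preflight_push <registry-name> <sp-app-id>
# Fails early instead of letting helm return insufficient_scope.
preflight_push() {
  local roles
  roles="$(sp_roles_on_acr "$1" "$2")" || { echo "role lookup failed" >&2; return 2; }
  if printf '%s\n' "$roles" | roles_allow_push; then
    echo "push-capable role found; log in again if it was just assigned"
  else
    echo "no push-capable role on $1: assign AcrPush, then log in again" >&2
    return 1
  fi
}

# Constructed sample input: the original assignment, then the corrected one.
if printf 'AcrPull\n' | roles_allow_push; then echo "AcrPull: push ok"
else echo "AcrPull only: helm push would be rejected"; fi
if printf 'AcrPull\nAcrPush\n' | roles_allow_push; then echo "AcrPush: push ok"
else echo "AcrPush: helm push would be rejected"; fi
```

With an authenticated Azure CLI session, `preflight_push "$ACR_NAME" "$USER_NAME"` runs the same check against the live role assignments.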
