Cannot connect azure container registry to devops platform as admin ??

Question

Cannot connect azure container registry to devops platform as admin ??

Melonendk 20

So we are trying to create a docker container image and upload it to an ACR with the devops pipelines, but wherever we try it fails and say i dont have permission even tho we have checked for months now and should have the right permissions to connect and use the ACR.

We tried following guides but seem to be outdated a lot so no luck there.
But each time we end up getting an nice error of this

Failed to set Azure permission 'RoleAssignmentId: ' for the service principal '' on subscription ID '': error code: Forbidden, inner error code: AuthorizationFailed, inner error message The client 'live.com#' with object id '' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions//resourceGroups//providers/Microsoft.ContainerRegistry/registries//providers/Microsoft.Authorization/roleAssignments/***' or the scope is invalid. If access was recently granted, please refresh your credentials. Ensure that the user has 'Owner' or 'User Access Administrator' permissions on the Subscription.

Which is weird... why would i need to be owner og an UAAdmin to create a pipeline and connection ?

KarishmaTiwari-MSFT 20,772 Reputation points Microsoft Employee Moderator

2023-01-19T01:21:13.7366667+00:00

@Melonendk Thank you for your taking time to share your feedback on the answer provided by Lex Li. You shared that the answer provided wasn't helpful.

Later, our Microsoft expert Eddie was able to clarify on your query and provide an answer that was accepted by you. If you found that answer helpful, we would appreciate if you could consider providing your feedback on Eddie's answer by answering:

If you have any further questions, please let us know in the comments and we would be happy to help.

Your candid feedback will help us do better in future and design a better experience for community on Microsoft Q&A .

Looking forward to your reply. Thanks in advance for your time and feedback.
Prrudram-MSFT 28,201 Reputation points Moderator

2023-01-24T06:18:51.74+00:00

@Melonendk Thank you for your taking time to share your feedback on the answer provided by Lex Li. You shared that the answer provided wasn't helpful.

Later, our Microsoft expert Eddie was able to clarify on your query and provide an answer that was accepted by you. If you found that answer helpful, we would appreciate if you could consider providing your feedback on Eddie's answer by answering:

If you have any further questions, please let us know in the comments and we would be happy to help.

Your candid feedback will help us do better in future and design a better experience for community on Microsoft Q&A .

Looking forward to your reply. Thanks in advance for your time and feedback.

Accepted answer

1 additional answer

Your answer

KarishmaTiwari-MSFT 20,772 Reputation points Microsoft Employee Moderator

2023-01-19T01:21:13.7366667+00:00

@Melonendk Thank you for your taking time to share your feedback on the answer provided by Lex Li. You shared that the answer provided wasn't helpful.

Later, our Microsoft expert Eddie was able to clarify on your query and provide an answer that was accepted by you. If you found that answer helpful, we would appreciate if you could consider providing your feedback on Eddie's answer by answering:

If you have any further questions, please let us know in the comments and we would be happy to help.

Your candid feedback will help us do better in future and design a better experience for community on Microsoft Q&A .

Looking forward to your reply. Thanks in advance for your time and feedback.
Prrudram-MSFT 28,201 Reputation points Moderator

2023-01-24T06:18:51.74+00:00

@Melonendk Thank you for your taking time to share your feedback on the answer provided by Lex Li. You shared that the answer provided wasn't helpful.

Later, our Microsoft expert Eddie was able to clarify on your query and provide an answer that was accepted by you. If you found that answer helpful, we would appreciate if you could consider providing your feedback on Eddie's answer by answering:

If you have any further questions, please let us know in the comments and we would be happy to help.

Your candid feedback will help us do better in future and design a better experience for community on Microsoft Q&A .

Looking forward to your reply. Thanks in advance for your time and feedback.

Answer 1

Eddie Neto 1,251 Microsoft Employee

Hi @Melonendk

To Build and push Docker images to Azure Container Registry, you must enable the admin user account in order for you to deploy a Docker image from an Azure Container Registry.

Create a container registry

Hope this helps. Please "Accept as Answer" if it helped, so that it can help others in the community looking for help on similar topics.

Melonendk 20 Reputation points

2023-01-16T14:29:04.1433333+00:00

It answers only on the way of being a temporarely solution and is as mentioned in the guide

The admin account is designed for a single user to access the registry, mainly for testing purposes.

Which if it was a production build and its going to be its not a reliable option in the long run and still doenst explain why would developer or devops admin need to be owner og an UAAdmin to create a connection between the sevices?

Even tho if i get an owner to create the connection under project settings -> service connections it would still not let me create an pipeline or use existing connections.
Eddie Neto 1,251 Reputation points Microsoft Employee

2023-01-16T15:51:32.5366667+00:00

@Melonendk

From the error above please give to your Service Principal (xxxxxx-xxxxxx-xxxxxxx-xxxxx-xxxxxxx)the following role permission "Microsoft.Authorization/roleAssignments/write" to the Container registry and let me know the result. You can find the name of the SP inside of the "app registration" on azure portal service, you will need the name for the next steps to give the role permission.

Once you have performed this allow 1 min to the role propagate and make your test again.

Hope this helps. Please "Accept as Answer" if it helped, so that it can help others in the community looking for help on similar topics.
KarishmaTiwari-MSFT 20,772 Reputation points Microsoft Employee Moderator

2023-01-17T21:36:44.0733333+00:00

@Melonendk Were you able to try the suggestion in the comment above and did it help? Please Let me know in the comments if you are still looking for help on this and I can further investigate. Thanks.

Answer 2

Lex Li (Microsoft) 6,037 Microsoft Employee

You can only upload a container image to ACR, not a container instance itself.

How did you configure your pipeline to upload?

Ideally you should use a service principal with the role of acrpush (not the acrpull in the example).

Melonendk 20 Reputation points

2023-01-15T09:40:54.52+00:00

First of course in mean the image, as it is an registry.
We are not using the command line but using the ui in devops to create the pipeline and when we press next to create the connection i get that error which is weird.

And we have checked i have the AcrPull and AcrPush permissions in our role / group.

Microsoft.ContainerRegistry/registries/pull/read
Microsoft.ContainerRegistry/registries/push/write

Share via

Cannot connect azure container registry to devops platform as admin ??

1 additional answer

Your answer