Azure Container Registry
An Azure service that provides a registry of Docker and Open Container Initiative images.
(AuthorizationFailed) Error when trying to update image of containerApp from Azure Devops
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 49%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
Bharath
10
Reputation points
I am using devops pipeline to update a containerApp. The devops pipeline uses a self hosted agent pool which uses a VMSS agent. in the pipeline cli task i create a system assigned managed identity for the containerApp using az cli commands and in the next step i try to assign a registry ACR Pull role to the containerApp on a private ACR using the command below
az role assignment create \
--assignee-object-id $PRINCIPALID \
--assignee-principal-type ServicePrincipal \
--role AcrPull \
--scope /subscriptions/$(SUBSCRIPTION)/resourceGroups/$(RG_NAME)/providers/Microsoft.ContainerRegistry/registries/$(acrContainerName)
getting this error in devops console:
(AuthorizationFailed) The client '3447a78f-2d20-4a27-abcd-4050272e5946' with object id '3447a78f-2d20-4a27-abcd-4050272e5946' does not have authorization or an ABAC condition not fulfilled to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/12d3e9402-cddbf-4272-83b5-c479199032d6/resourceGroups/my-infra-rg/providers/Microsoft.ContainerRegistry/registries/abccacrxqkglrt4qana4/providers/Microsoft.Authorization/roleAssignments/7722b8ef0-9418-4093-z230-152e422cc29d' or the scope is invalid
I am able to do it through my local command line and also i have user access administrator permission on the subscription. The yaml file task is as follows:
- task: AzureCLI@2
inputs:
azureSubscription: $(armDeploymentServiceConnection)
scriptType: 'bash'
scriptLocation: 'inlineScript'
The azureSubscription contains the ARM serviceconnection i created in devops for connecting to ARM. If i search for the client id shown in the devops console error in the azure portal, it does not exist is the result.
Update
When i search for the object id 3447a78f-2d20-4a27-abcd-4050272e5946 i am able to find that in the enterprise applications but it has a different application(client) id than the one showed in the error where both the object id and client id is same.
Can anyone help here? thanks
Can anyone help here? thanks
Can anyone help here? thanks
Azure Container Registry
Azure
Azure
A cloud computing platform and infrastructure for building, deploying and managing applications and services through a worldwide network of Microsoft-managed datacenters.
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
-
JamesTran-MSFT 37,256 Reputation points Microsoft Employee Moderator2023-07-19T22:14:30.33+00:00 Thank your detailed post!
Error Message:
(AuthorizationFailed) The client '....4050272e5946' with object id '....4050272e5946' does not have authorization or an ABAC condition not fulfilled to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/.....32d6/resourceGroups/...rg/providers/Microsoft.ContainerRegistry/registries/...qana4/providers/Microsoft.Authorization/roleAssignments/...152e422cc29d' or the scope is invalid.I understand that you're using a DevOps Pipeline to update your Container App and after creating a System Assigned Managed Identity and attempting to assign the ACR Pull role to your Container App, you're running into the error message above.
To hopefully help point you in the right direction and troubleshoot your issue:
- I noticed that you tried to check for the Client ID within the Azure Portal, but can you see if the Object ID ending with -
....4050272e5946, exists within your Azure Portal tenant? - It also appears that the Object ID doesn't have the proper permissions to create a role assignment at the
/registries/...qana4scope. - Can you share any documentation that you're following as well?
Since your issue involves Azure DevOps, please keep in mind that Azure DevOps is currently not supported here on the Q&A forums. For more info - DevOps Developer Community.
I hope this helps!
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
- I noticed that you tried to check for the Client ID within the Azure Portal, but can you see if the Object ID ending with -
-
Bharath 10 Reputation points
2023-07-20T07:00:27.69+00:00 @JamesTran-MSFT Thanks, i have updated the question with your suggestions, i was not able to find the Service Principal still.
-
JamesTran-MSFT 37,256 Reputation points Microsoft Employee Moderator
2023-08-07T18:40:45.4433333+00:00 Thank you for following up on this and I apologize for the delayed response!
Because it's been a while since your initial post and if you're still having issues, can you please email me with the info below? I'll enable your Subscription ID for a one-time free technical support request so you can work closer with our support team(s) get this issue resolved.
Note: If you're a CSP Partner, you won't be able to open a support request directly – only the CSP partner has this ability.Email: AzCommunity@microsoft.com Subject: ATTN - James Tran Body: Azure Subscription ID Link to this issue Once you create a Support Request feel free to share your SR number here so I can follow your issue and update this thread as needed.
I hope this helps!
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
Sign in to comment
Sign in to answer