The request is failing because the service does not have any Azure resources it has access to. The ACRPush role is a data-plane role and so doesn't count for this. I would recommend you grant the reader role on the ACR before granting ACRPush.
Unable to create a service principal for my Azure ACR
Ken Faubel 26 Reputation points
I am trying to set up a service principal that can push and pull images from an Azure ACR.
I created this script to show the issue I am having:
#!/bin/sh
RESOURCE_GROUP_NAME=aztestRG
REGISTRY_NAME=aztestcr4
SERVICE_PRINCIPAL_NAME=aztestSP4
echo "Creating resource group: $RESOURCE_GROUP_NAME"
az group create --name $RESOURCE_GROUP_NAME --location eastus
echo "Creating container registry: $REGISTRY_NAME"
az acr create --resource-group $RESOURCE_GROUP_NAME --name $REGISTRY_NAME --sku Basic --output table
echo "Obtain the full registry ID for subsequent command args"
ACR_REGISTRY_ID=$(az acr show --name $REGISTRY_NAME --resource-group $RESOURCE_GROUP_NAME --query id --output tsv)
echo "Registry ID: $ACR_REGISTRY_ID"
echo "Create service principal: $SERVICE_PRINCIPAL_NAME with rights scoped to the registry"
az ad sp create-for-rbac --name $SERVICE_PRINCIPAL_NAME --scopes $ACR_REGISTRY_ID --role acrpush --output table
I first run "az login" and then the script. I get the following output. I verified that the part I replaced with 'X's is correct and the same in all occurrences.
I don't understand why it is complaining about the subscription. It's in the value passed with "--scopes".
$ ./aztest
Creating resource group: aztestRG
{
"id": "/subscriptions/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX/resourceGroups/aztestRG",
"location": "eastus",
"managedBy": null,
"name": "aztestRG",
"properties": {
"provisioningState": "Succeeded"
},
"tags": null,
"type": "Microsoft.Resources/resourceGroups"
}
Creating container registry: aztestcr4
NAME RESOURCE GROUP LOCATION SKU LOGIN SERVER CREATION DATE ADMIN ENABLED
--------- ---------------- ---------- ----- -------------------- -------------------- ---------------
aztestcr4 aztestRG eastus Basic aztestcr4.azurecr.io 2023-10-17T12:52:55Z False
Obtain the full registry ID for subsequent command args
Registry ID: /subscriptions/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX/resourceGroups/aztestRG/providers/Microsoft.ContainerRegistry/registries/aztestcr4
Create service principal: aztestSP4 with rights scoped to the registry
Creating 'acrpush' role assignment under scope 'C:/Program Files/Git/subscriptions/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX/resourceGroups/aztestRG/providers/Microsoft.ContainerRegistry/registries/aztestcr4'
Role assignment creation failed.
role assignment response headers: {'Cache-Control': 'no-cache', 'Pragma': 'no-cache', 'Content-Type': 'application/json; charset=utf-8', 'Expires': '-1', 'x-ms-failure-cause': 'gateway', 'x-ms-request-id': '69fb439e-ddaf-48c7-95ad-2fccb974114a', 'x-ms-correlation-request-id': '69fb439e-ddaf-48c7-95ad-2fccb974114a', 'x-ms-routing-request-id': 'CANADAEAST:20231017T125315Z:69fb439e-ddaf-48c7-95ad-2fccb974114a', 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains', 'X-Content-Type-Options': 'nosniff', 'Date': 'Tue, 17 Oct 2023 12:53:14 GMT', 'Content-Length': '135'}
(MissingSubscription) The request did not have a subscription or a valid tenant level resource provider.
Code: MissingSubscription
Message: The request did not have a subscription or a valid tenant level resource provider.
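Added example, not part of the original question or answer: the role-assignment line in the output above reports a scope that begins with 'C:/Program Files/Git', which is what the Git for Windows shell produces when it rewrites an argument that starts with '/'. The sketch below extracts the scope from that line, flags the prefix, and issues the Reader-then-AcrPush assignments the accepted answer recommends with that rewriting turned off. The function names, the AZ override and the sample line are assumptions made for this example.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not part of the az CLI.

# Constructed sample, modelled on the failing line in the question's output.
SAMPLE_LINE="Creating 'acrpush' role assignment under scope 'C:/Program Files/Git/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/aztestRG/providers/Microsoft.ContainerRegistry/registries/aztestcr4'"

# Print the scope the CLI reports in its
# "Creating '<role>' role assignment under scope '<scope>'" line.
logged_scope() {
    printf '%s\n' "$1" | sed -n "s/.*role assignment under scope '\(.*\)'.*/\1/p"
}

# Classify a scope: "ok" when it starts at /subscriptions/,
# "prefixed:<text>" when something was prepended, "invalid" otherwise.
scope_status() {
    case "$1" in
        /subscriptions/?*)   echo ok ;;
        *?/subscriptions/?*) echo "prefixed:${1%%/subscriptions/*}" ;;
        *)                   echo invalid ;;
    esac
}

# Run the CLI with Git for Windows' argument path rewriting disabled, so a
# leading "/" in --scope is passed through unchanged. The variable has no
# effect in other shells. AZ can be overridden (AZ=echo) for a dry run.
run_az() {
    MSYS_NO_PATHCONV=1 "${AZ:-az}" "$@"
}

# Assign Reader first, then AcrPush, on the registry scope.
# $1 = service principal appId, $2 = registry resource ID.
grant_acr_roles() {
    [ "$(scope_status "$2")" = ok ] || { echo "bad scope: $2" >&2; return 1; }
    run_az role assignment create --assignee "$1" --role Reader --scope "$2" &&
    run_az role assignment create --assignee "$1" --role AcrPush --scope "$2"
}

# Demonstration on the constructed sample line only; no Azure call is made.
echo "sample scope status: $(scope_status "$(logged_scope "$SAMPLE_LINE")")"
```

Because the rewriting happens when the shell launches the CLI, echoing the variable inside the script (as the "Registry ID:" line does) shows the intact value; the CLI's own log line is where the altered scope becomes visible.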
Accepted answer
Sam Cogan 10,812 Reputation points Microsoft Employee Volunteer Moderator
2023-10-17T16:34:19.4066667+00:00