Could not create a role assignment for ACR. Are you an Owner on this subscription?

Rex Benny 6

When I try to assign acrpull role on ACR to the AKS-generated service principal for AKS cluster to be able to pull images from ACR receiving the error

Could not create a role assignment for ACR. Are you an Owner on this subscription?

I the owner of the subscription, assigned global admin privileges.

Commands executed as follows:

Assign acrpull role on our ACR to the AKS-generated service principal, the AKS cluster will then be able to pull images from our ACR

$ ACR_ID=$(az acr show -n $acr -g $rg --query id -o tsv)
$ az aks update -g $rg -n $aks --attach-acr $ACR_ID

SRIJIT-BOSE-MSFT 4,326 Reputation points Microsoft Employee

2021-06-07T09:46:03.717+00:00

@Rex Benny ,

Are the AKS cluster and the ACR located in different Azure subscriptions?

Can you please share the version of Azure CLI that you are using? Are you also using aks-preview extension with Azure CLI? Please run az version to check.

Can you please confirm if the Azure RBAC Role assigned to you on the subscription(s) is one of Owner, Azure account administrator, or Azure co-adminstrator?

If you are, can you please try to move the .azure/aksServicePrincipal.json from it's current location and try again? Reference

If you are still seeing the issue can you try logging in again using az login to refresh az CLI token and re-attempt attaching the ACR to your AKS cluster? Reference
Rex Benny 6 Reputation points

2021-06-07T22:48:40.873+00:00

AKS cluster and ACR located in same Azure subscription and resource group.
$ az version
{
"azure-cli": "2.24.2",
"azure-cli-core": "2.24.2",
"azure-cli-telemetry": "1.0.6",
"extensions": {
"ai-examples": "0.2.5",
"ssh": "0.1.5"
}
}

I am the owner of the subscription.
When I try to move the file getting error no file or directory.
mv: cannot stat '/home/rex/.azure/aksServicePrincipal.json': No such file or directory
SRIJIT-BOSE-MSFT 4,326 Reputation points Microsoft Employee

2021-06-07T23:18:10.267+00:00

@Rex Benny , thank you for your response. I would like to understand if you are logged in to Azure as a user (Owner) when you are performing the attach ACR operation? Or are you logging in with Service Principal credentials, like a maybe a job that is trying to do the attach ACR operation using a Service Principal?

Service Principals are not allowed to perform Role Assignment by default. This issue can be resolved by following either of the two methods.

Method-1

Provide Permissions on Azure AD graph API to Service Principal so that it can read information about other objects from the directory and perform Role Assignment.

Method-2

Provide Directory Readers role to Service Principal.
Rex Benny 6 Reputation points

2021-06-07T23:21:12.873+00:00

@SRIJIT-BOSE-MSFT I am logged in to Azure as a user (Owner) when performing the attach ACR operation.

1 answer

Sam 1 Reputation point

2022-09-20T06:17:21.927+00:00

Hi,

Could you please confirm if the above mentioned steps can resolve the Could not create a role assignment for ACR. Are you an Owner on this subscription? error while attaching the AKS cluster(Managed Identity/ServICE principle) to ACR.

Also, please include the steps to check if there is an existing service principal already created for the AKS cluster.

Thanks
Please sign in to rate this answer.
Abdul Kashem 0 Reputation points

2023-03-19T22:57:41.9466667+00:00

Hi, I am having same issues please provide the steps. Thanks
Sign in to comment