I have an existing service principal, to which I assign the "acrpull" role for a newly crated ACR. I do this by the command:
az role assignment create --assignee {application id} --role acrpull --scope {id value as returned by the command az acr list}
I get the response:
The role assignment already exists. (this is because I am repeating this step)
Now, I login with my service principal credentials:
az login --service-principal -u {application id} -p {password} --tenant {tenant ID}
Now if I execute: az acr list, I expect to see my ACR listed. Instead I always see '[]'
. Any idea, what might be the issue?
You are specifying the app id as the --assignee when you should specify the user/group and not specifying the --scope parameter, which is where you'd pass your app id in the form of /subscriptions/1234/resourceGroups/MyResourceGroup/providers/Microsoft.ContainerRegistry/registries/MyRegistry. Have a look at the parameters here.
This is more intuitive in the portal.
that is because you need read permission to list resources, you only have permission to pull images from ACR, not read it. should you attempt to pull image from that ACR using this credential - it would work. if you want to list them - assign read permissions to that ACR.