az container app job create not assigning acrpull role for system identity when using ACR with DNL #31515

@emerconn

Describe the bug

When using an ACR with DNL, the command does not auto-assign the acrpull role to the system identity of the Container App Job.

where CONTAINER_REGISTRY_NAME="myacrresourcename-bkf0fma6fnaqhegn.azurecr.io"

# input
az containerapp job create -n "$JOB_NAME" -g "$RESOURCE_GROUP" --environment "$ENVIRONMENT" \
  --trigger-type Event \
  --replica-timeout 1800 \
  --replica-retry-limit 0 \
  --replica-completion-count 1 \
  --parallelism 1 \
  --image "$CONTAINER_REGISTRY_NAME/$CONTAINER_IMAGE_NAME" \
  --min-executions 0 \
  --max-executions 10 \
  --polling-interval 30 \
  --scale-rule-name "azure-pipelines" \
  --scale-rule-type "azure-pipelines" \
  --scale-rule-metadata "poolName=$AZP_POOL" "targetPipelinesQueueLength=1" \
  --scale-rule-auth "personalAccessToken=personal-access-token" "organizationURL=organization-url" \
  --cpu "2.0" \
  --memory "4Gi" \
  --secrets "personal-access-token=$AZP_TOKEN" "organization-url=$ORGANIZATION_URL" \
  --env-vars "AZP_TOKEN=secretref:personal-access-token" "AZP_URL=secretref:organization-url" "AZP_POOL=$AZP_POOL" \
  --registry-server "$CONTAINER_REGISTRY_NAME" \
  --registry-identity "system"
 
# output
Role assignment failed with error message: "The resource with name 'myacrresourcename-bkf0fma6fnaqhegn' and type 'Microsoft.ContainerRegistry/registries' could not be found in subscription '<redacted>'.".
To add the role assignment manually, please run 'az role assignment create --assignee 0e2c78d5-24ec-445c-957f-a53a336bb963 --scope <container-registry-resource-id> --role acrpull'.

If I change to the non-DNL name (myacrresourcename.azurecr.io) for --registry-server, it does create the role assignment, but it fails to authenticate:

(InvalidParameterValueInContainerTemplate) The following field(s) are either invalid or missing. Field 'template.containers.azp-agent-ansible.image' is invalid with details: 'Invalid value: "myacrresourcename-bkf0fma6fnaqhegn.azurecr.io/azp-agent-ansible:main-11802": GET https:?scope=repository%3Aazp-agent-ansible%3Apull&service=myacrresourcename-bkf0fma6fnaqhegn.azurecr.io: UNAUTHORIZED: authentication required, visit https://aka.ms/acr/authorization for more information. CorrelationId: 1aabd4f9-cceb-4a92-b02f-63634661ef00';.

Related command

az containerapp job create

Errors

see bug description

Issue script & Debug output

see bug description

Expected behavior

see bug description

Environment Summary

azure-cli 2.72.0 *

core 2.72.0 *
telemetry 1.1.0

Extensions:
containerapp 1.1.0b5

Dependencies:
msal 1.32.3
azure-mgmt-resource 23.1.1

Python location '/opt/az/bin/python3'
Config directory '/home/emerconn/.azure'
Extensions directory '/home/emerconn/.azure/cliextensions'

Python (Linux) 3.12.8 (main, Apr 28 2025, 09:24:33) [GCC 13.3.0]

Additional context

No response
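
One way to carry out the manual role assignment that the CLI output above suggests, resolving the registry's resource ID from its DNL login server rather than from the host-name prefix. This is an added example, not code from the issue or from azure-cli; the function names are hypothetical, and it assumes the registry lives in the currently selected subscription.

```shell
#!/usr/bin/env bash
# Added example: function names and flow are assumptions, not azure-cli code.

# Resolve an ACR resource ID from its login server by matching the registry's
# loginServer property, so a DNL host (<name>-<hash>.azurecr.io) still resolves.
# Only registries in the currently selected subscription are searched.
acr_id_for_login_server() {
  local server ids
  server="$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
  # The host name is embedded in a JMESPath string literal: allow only DNS characters.
  case "$server" in
    ''|*[!a-z0-9.-]*) echo "invalid login server: $1" >&2; return 2 ;;
  esac
  ids="$(az acr list --query "[?loginServer=='${server}'].id" -o tsv)" || return 1
  if [ -z "$ids" ]; then
    echo "no registry with login server $server in this subscription" >&2
    return 3
  fi
  if [ "$(printf '%s\n' "$ids" | wc -l | tr -d ' ')" -ne 1 ]; then
    echo "more than one registry matched $server" >&2
    return 4
  fi
  printf '%s\n' "$ids"
}

# Grant acrpull on exactly that registry to the job's system-assigned identity.
# Prints "<principalId> <scope>" so the caller can record what was granted.
grant_job_acrpull() {
  local job="$1" rg="$2" principal scope
  principal="$(az containerapp job show -n "$job" -g "$rg" \
    --query identity.principalId -o tsv)" || return 1
  if [ -z "$principal" ]; then
    echo "job $job has no system-assigned identity" >&2
    return 5
  fi
  scope="$(acr_id_for_login_server "$3")" || return $?
  az role assignment create --assignee-object-id "$principal" \
    --assignee-principal-type ServicePrincipal \
    --role acrpull --scope "$scope" >/dev/null || return 1
  printf '%s %s\n' "$principal" "$scope"
}

# Usage: grant_job_acrpull "$JOB_NAME" "$RESOURCE_GROUP" "$CONTAINER_REGISTRY_NAME"
```

Scoping the assignment to the single resolved registry ID keeps the job identity's pull permission limited to that registry.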

Labels

Auto-Assign, Auto-Resolve, Container Instances, ContainerApp, RBAC, Service Attention, act-identity-squad, act-observability-squad, bug, customer-reported
