'How to authorize azure container registry requests from .NET CORE C#

I have a web application which creates ContainerInstances, I have specific container registry images I want to use. As a result, I use this code to get my azure container registry

IAzure azure = Azure.Authenticate($"{applicationDirectory}/Resources/my.azureauth").WithDefaultSubscription();
IRegistry azureRegistry = azure.ContainerRegistries.GetByResourceGroup("testResourceGroup", "testContainerRegistryName");

I get this error when the second line of code is hit

The client 'bc8fd78c-2b1b-4596-827e-6a3c918b7c17' with object id 'bc8fd78c-2b1b-4596-827e-6a3c918b7c17' does not have authorization to perform action 'Microsoft.ContainerRegistry/registries/read' over scope '/subscriptions/506b787d-83ef-426a-b7b8-7bfcdd475855/resourceGroups/testapp-live/providers/Microsoft.ContainerRegistry/registries/testapp' or the scope is invalid. If access was recently granted, please refresh your credentials.

I literally have no idea what to do about this. I have seen so many articles talking about Azure AD and giving user roles and stuff. Can someone please walk me step by step how to fix this? I REALLY appreciate the help. Thanks.

I cannot find any client under that object ID so perfectly fine starting from scratch again with a better understanding of what I am doing.

azureazure-active-directoryazure-container-registry


Solution 1:[1]

The error usually occurs if you don't have proper permissions or required role to perform the action.

You can find the ObjectId and ClientId of your application like below:

Go to Azure Portal -> Azure Active directory -> App registrations -> Your application -> Overview

enter image description here

Assign "Reader" or "Contributor" role for your Azure Container Registry like below:

Go to Azure Portal -> Azure Container Registry -> Your Container Registry -> Access Control(IAM)

enter image description here

After clicking Add role, select the "Reader" or "Contributor" role by searching them and assign required scope.

If the above doesn't work, try granting objectid bc8fd78c-2b1b-4596-827e-6a3c918b7c17 "Contributor" permissions by using below command in Azure CLI:

az role assignment create --assignee-object-id bc8fd78c-2b1b-4596-827e-6a3c918b7c17 --scope /subscriptions/506b787d-83ef-426a-b7b8-7bfcdd475855/resourceGroups/testapp --role contributor

Reference:

Authenticate with service principal - Azure Container Registry | Microsoft Docs

azure - The client xxx with object id xxx does not have authorization to performaction Microsoft.Resources/subscriptions/resourcegroups/write' over scope - Stack Overflow

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1

Related Questions