Unable to login to ACR with Service Principal - Access denied


I have a Service Principal which has Owner access over a Subscription barring few network actions. In the same subscription I have a resource group where I have created an ACR. I am trying to login to the acr with my service principal and it is throwing Access Denied error.

As the SP has the owner permissions I expect that it can log in to the ACR.

az login --service-principal -u *** --password=*** --tenant *** --allow-no-subscriptions
az acr login --name myregistry

WARNING: Unable to get AAD authorization tokens with message: An error occurred: CONNECTIVITY_REFRESH_TOKEN_ERROR Access to registry 'acrshto01.azurecr.io' was denied. Response code: 403. Please try running 'az login' again to refresh permissions.


In my case it was an issue with Network private access (with Premium tier).

Make sure you allowed the IP address to access the registry.


CONNECTIVITY_REFRESH_TOKEN_ERROR can occur if the user does not have the right permissions on the registry or if the user credentials for the Azure CLI are stale.

If your account has the right permission on the registry, run az login to refresh the permissions, tokens and credentials. Reference: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-health-error-reference#connectivity_refresh_token_error

It looks like your Service Principal was not granted the required set of permissions when it was created.

To grant registry access to your service principal, you can assign a new role to the service principal. The following script uses the az role assignment create command to grant owner permissions to the service principal you specify in the SERVICE_PRINCIPAL_ID variable.

#!/bin/bash

# Modify for your environment. The ACR_NAME is the name of your Azure Container
# Registry, and the SERVICE_PRINCIPAL_ID is the service principal's 'appId' or
# one of its 'servicePrincipalNames' values.
ACR_NAME=mycontainerregistry
SERVICE_PRINCIPAL_ID=<service-principal-ID>

# Populate the registry resource ID required for the subsequent command args
ACR_REGISTRY_ID=$(az acr show --name "$ACR_NAME" --query id --output tsv)

# Assign the desired role to the service principal. Modify the '--role' argument
# (owner is broader than needed for login; AcrPull or AcrPush is the least-privilege choice)
az role assignment create --assignee "$SERVICE_PRINCIPAL_ID" --scope "$ACR_REGISTRY_ID" --role owner

Reference : https://learn.microsoft.com/en-us/azure/container-registry/container-registry-auth-service-principal#use-an-existing-service-principal
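The two answers name two different causes for the same 403 (a network rule on a Premium registry, and a missing or stale RBAC grant). The following Python script, an added example that is not part of either answer, triages a failed `az acr login` along both axes offline: it takes JSON shaped like the output of `az acr show` and `az role assignment list --assignee <id> --all` (the sample objects below are constructed, not captured from a real tenant) and reports which layer would block the service principal. The set of built-in roles treated as login-capable, the prefix-based scope check, and the field names are stated assumptions in the code; a custom role such as the "Owner barring a few network actions" in the question would need its `actions` inspected rather than matched by name.

```python
"""Triage an ACR 403 on `az acr login`: network rules first, then RBAC scope.

Added example; inputs are constructed dicts shaped like Azure CLI JSON output.
"""
import ipaddress

# Assumption: built-in roles whose definitions include the registry data-plane
# action needed to obtain an ACR token (Owner/Contributor via wildcard Actions,
# AcrPull/AcrPush via Microsoft.ContainerRegistry/registries/pull/read).
# Custom roles are not matched by name here; inspect their actions instead.
LOGIN_ROLES = {"owner", "contributor", "acrpull", "acrpush"}


def role_grants_login(registry_id, assignments, principal_id):
    """True if the principal holds a login-capable role on the registry or an ancestor.

    `assignments` is a list of dicts with principalId, roleDefinitionName and scope,
    the shape `az role assignment list --all` returns. Azure RBAC inherits downward,
    so a grant at the resource group or subscription also covers the registry.
    """
    reg = registry_id.lower().rstrip("/") + "/"
    for a in assignments:
        if a.get("principalId", "").lower() != principal_id.lower():
            continue
        scope = a.get("scope", "").lower().rstrip("/") + "/"
        # Trailing "/" prevents ".../rg-acr" from matching ".../rg-acr2/...".
        if reg.startswith(scope) and a.get("roleDefinitionName", "").lower() in LOGIN_ROLES:
            return True
    return False


def network_allows(registry, caller_ip):
    """Return (allowed, reason) for the caller's public IP against the registry's
    network settings, using the publicNetworkAccess and networkRuleSet fields that
    `az acr show` reports for a Premium registry."""
    if registry.get("publicNetworkAccess", "Enabled").lower() == "disabled":
        return False, "publicNetworkAccess is Disabled; only a private endpoint can reach the registry"
    rules = registry.get("networkRuleSet") or {}
    if rules.get("defaultAction", "Allow").lower() == "allow":
        return True, "no network restrictions"
    ip = ipaddress.ip_address(caller_ip)
    for rule in rules.get("ipRules", []):
        if rule.get("action", "Allow").lower() != "allow":
            continue
        # ipAddressOrRange may be a single address or a CIDR; ip_network handles both.
        if ip in ipaddress.ip_network(rule["ipAddressOrRange"], strict=False):
            return True, f"caller IP matched allow rule {rule['ipAddressOrRange']}"
    return False, f"defaultAction is Deny and {caller_ip} matches no ipRules entry"


def triage(registry, assignments, principal_id, caller_ip):
    """Return the list of blockers found; an empty list means neither layer denies login."""
    findings = []
    ok, why = network_allows(registry, caller_ip)
    if not ok:
        findings.append("network: " + why)
    if not role_grants_login(registry["id"], assignments, principal_id):
        findings.append("rbac: no Owner/Contributor/AcrPull/AcrPush assignment covers the registry scope")
    return findings


# Constructed sample data (placeholder GUIDs, documentation IP ranges).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
REGISTRY = {
    "id": SUB + "/resourceGroups/rg-acr/providers/Microsoft.ContainerRegistry/registries/myregistry",
    "sku": {"name": "Premium"},
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {
        "defaultAction": "Deny",
        "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.0/24"}],
    },
}
SP_OBJECT_ID = "11111111-1111-1111-1111-111111111111"
ASSIGNMENTS = [
    # Owner at subscription scope, as in the question.
    {"principalId": SP_OBJECT_ID, "roleDefinitionName": "Owner", "scope": SUB},
]

if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.9"):
        print(ip, triage(REGISTRY, ASSIGNMENTS, SP_OBJECT_ID, ip) or ["no blocker found"])
```

In practice you would feed the script the real `az acr show --name <registry>` and `az role assignment list --assignee <appId> --all` output and your egress IP; if the network layer is what denies, no amount of re-running `az login` will change the 403, which is the distinction between the two answers above.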