I have a Service Principal which has Owner access over a Subscription, barring a few network actions. In the same subscription I have a resource group where I have created an ACR. I am trying to log in to the ACR with my service principal and it is throwing an Access Denied error.
As the SP has the Owner permissions, I expect that it can log in to the ACR.
az login --service-principal -u *** --password=*** --tenant *** --allow-no-subscriptions
az acr login --name myregistry
WARNING: Unable to get AAD authorization tokens with message: An error occurred: CONNECTIVITY_REFRESH_TOKEN_ERROR
Access to registry 'acrshto01.azurecr.io' was denied. Response code: 403. Please try running 'az login' again to refresh permissions.
CONNECTIVITY_REFRESH_TOKEN_ERROR can occur if the user does not possess the right permissions on the registry or if the user credentials for the Azure CLI are stale.
If your account has the right permissions on the registry, run az login to refresh the permissions, tokens and credentials. Reference: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-health-error-reference#connectivity_refresh_token_error
Looks like your Service Principal is not granted the required set of permissions while creating
To grant registry access to your service principal, you can assign a new role to the service principal. The following script uses the az role assignment create command to grant owner permissions to a service principal you specify in the SERVICE_PRINCIPAL_ID variable.
Reference: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-auth-service-principal#use-an-existing-service-principal
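
The role assignment described above, scoped to the single registry, as an added example (not the script from the original answer or from the linked documentation). The function names, the ACR_NAME and ACR_ROLE variables, the file name and the default role acrpull are assumptions of this example; it also assumes the caller is logged in to the Azure CLI with an identity allowed to create role assignments.

```sh
#!/bin/sh
# Added example: idempotently grant a service principal a role scoped to one registry.
# Assumptions: the caller is already logged in to the Azure CLI with an identity that
# may create role assignments; function names are hypothetical.

# Print the registry's full resource ID, used as the role-assignment scope.
acr_scope() {
    az acr show --name "$1" --query id --output tsv
}

# Succeed if principal $1 already holds role $3 at scope $2.
has_role_at_scope() {
    count=$(az role assignment list --assignee "$1" --scope "$2" \
        --role "$3" --query "length(@)" --output tsv)
    [ "${count:-0}" -gt 0 ]
}

# ensure_acr_role REGISTRY PRINCIPAL_ID [ROLE]
# Prints "present" if the assignment exists, "created" if it had to be added.
ensure_acr_role() {
    role=${3:-acrpull}   # assumption: least-privileged role that still allows login
    scope=$(acr_scope "$1") || return 1
    [ -n "$scope" ] || { echo "registry '$1' not found" >&2; return 1; }
    if has_role_at_scope "$2" "$scope" "$role"; then
        echo present
    else
        az role assignment create --assignee "$2" --scope "$scope" \
            --role "$role" >/dev/null || return 1
        echo created
    fi
}

# Run only when both inputs are supplied, e.g. (hypothetical file name):
#   ACR_NAME=myregistry SERVICE_PRINCIPAL_ID=<appId> sh grant-acr-role.sh
if [ -n "${ACR_NAME:-}" ] && [ -n "${SERVICE_PRINCIPAL_ID:-}" ]; then
    ensure_acr_role "$ACR_NAME" "$SERVICE_PRINCIPAL_ID" "${ACR_ROLE:-acrpull}"
fi
```

After the assignment is created, log in again as the service principal before retrying az acr login so the CLI picks up fresh tokens.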