Azure Container Apps "RoleAssignment ... not authorized" in CI
Setting up a Container App with a managed identity often requires creating a role assignment (for example AcrPull). If the CI service principal lacks Microsoft.Authorization/roleAssignments/write, Azure denies it with AuthorizationFailed.
What this error means
A deploy or az role assignment create step fails with "AuthorizationFailed: The client ... does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write'".
(AuthorizationFailed) The client 'xxxx' with object id 'xxxx' does not have
authorization to perform action 'Microsoft.Authorization/roleAssignments/write'
over scope '/subscriptions/.../resourceGroups/rg' or the scope is invalid.Common causes
The CI principal is not an Owner or User Access Administrator
Creating role assignments requires Owner or User Access Administrator at the scope. A Contributor can deploy resources but cannot grant roles.
The assignment scope is wrong or out of reach
The target scope (subscription vs resource group) is one the principal has no rights over, so the write is denied.
How to fix it
Grant the principal rights to assign roles, or pre-create the assignment
- Have an Owner grant the CI principal User Access Administrator at the needed scope, or
- Pre-create the AcrPull role assignment once with an Owner so CI does not need to.
- Re-run the deploy.
az role assignment create \
--assignee "$APP_IDENTITY_OBJECT_ID" \
--role AcrPull \
--scope /subscriptions/$SUB/resourceGroups/rg/providers/Microsoft.ContainerRegistry/registries/myacrUse credentials instead of an identity assignment
If granting roleAssignments/write is not acceptable, configure the app with a registry username/password so no role assignment is created at deploy time.
How to prevent it
- Pre-create required role assignments outside the deploy pipeline.
- Give CI the least scope that still lets it assign needed roles, only if required.
- Separate resource deployment (Contributor) from role granting (Owner/UAA).