Alvin Lucillo

Setting AcrPull role scoped to ACR


Once you have the ACR ID and the principal ID of your web app’s identity, grant the web app permission to pull images from your ACR. The command below assigns the AcrPull role scoped to that registry, which gives the web app least-privilege access to download images.

az role assignment create \
    --assignee "$PRINCIPAL_ID" \
    --scope "$ACR_ID" \
    --role AcrPull

{
  "id": "/subscriptions/<redacted>/resourceGroups/acr-task-demo/providers/Microsoft.ContainerRegistry/registries/acre357b213/providers/Microsoft.Authorization/roleAssignments/<redacted>",
  "name": "<redacted>",
  "principalId": "<redacted>",
  "principalType": "ServicePrincipal",
  "resourceGroup": "acr-task-demo",
  "roleDefinitionId": "/subscriptions/<redacted>/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
  "scope": "/subscriptions/<redacted>/resourceGroups/acr-task-demo/providers/Microsoft.ContainerRegistry/registries/acre357b213",
  "type": "Microsoft.Authorization/roleAssignments"
}
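
To confirm the identity ends up with only this grant, the check below (an added example, not code from the original post) sorts role assignments that reach the registry into the expected AcrPull-at-registry grant, AcrPull inherited from a broader scope, and any other role. It assumes the input is the JSON list printed by `az role assignment list --assignee "$PRINCIPAL_ID" --all -o json`; the function names, the all-zero subscription ID and the second role GUID are constructed for illustration.

```python
# AcrPull role definition GUID, taken from roleDefinitionId in the output above.
ACR_PULL_GUID = "7f951dda-4ed3-4680-a7ca-43fe172d538d"

def audit_acr_access(assignments, acr_id):
    """Sort the assignments that apply to the registry into three buckets."""
    acr = acr_id.rstrip("/").lower()  # ARM resource IDs are case-insensitive
    report = {"expected": [], "broader_scope": [], "other_role": []}
    for a in assignments:
        scope = a["scope"].rstrip("/").lower()
        # An assignment applies if it is scoped to the registry itself or to
        # an ancestor (resource group, subscription, root). The "/" guard
        # stops a registry named "acre357b21" from matching "acre357b213".
        if acr != scope and not acr.startswith(scope + "/"):
            continue
        role_guid = a["roleDefinitionId"].rsplit("/", 1)[-1].lower()
        if role_guid != ACR_PULL_GUID:
            report["other_role"].append(a["scope"])      # not AcrPull: review
        elif scope != acr:
            report["broader_scope"].append(a["scope"])   # AcrPull, but inherited
        else:
            report["expected"].append(a["scope"])        # AcrPull on the registry
    return report

def is_least_privilege(report):
    """True only when the registry-scoped AcrPull grant is the sole one."""
    return bool(report["expected"]) and not (
        report["broader_scope"] or report["other_role"])

# Constructed sample data (subscription ID and OTHER_GUID are placeholders).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/acr-task-demo"
REGISTRIES = RG + "/providers/Microsoft.ContainerRegistry/registries/"
ACR_ID = REGISTRIES + "acre357b213"
ROLE_DEFS = SUB + "/providers/Microsoft.Authorization/roleDefinitions/"
OTHER_GUID = "11111111-1111-1111-1111-111111111111"
SAMPLE = [
    {"scope": ACR_ID, "roleDefinitionId": ROLE_DEFS + ACR_PULL_GUID},
    {"scope": RG, "roleDefinitionId": ROLE_DEFS + ACR_PULL_GUID},
    {"scope": SUB, "roleDefinitionId": ROLE_DEFS + OTHER_GUID},
    {"scope": REGISTRIES + "acre357b21", "roleDefinitionId": ROLE_DEFS + ACR_PULL_GUID},
]

if __name__ == "__main__":
    result = audit_acr_access(SAMPLE, ACR_ID)
    print(result, "least privilege:", is_least_privilege(result))
```
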