Description
Describe the bug
When using an ACR with DNL, the command does not auto-assign the acrpull role to the system identity of the Container App Job.
where CONTAINER_REGISTRY_NAME="myacrresourcename-bkf0fma6fnaqhegn.azurecr.io"
# input
az containerapp job create -n "$JOB_NAME" -g "$RESOURCE_GROUP" --environment "$ENVIRONMENT" \
--trigger-type Event \
--replica-timeout 1800 \
--replica-retry-limit 0 \
--replica-completion-count 1 \
--parallelism 1 \
--image "$CONTAINER_REGISTRY_NAME/$CONTAINER_IMAGE_NAME" \
--min-executions 0 \
--max-executions 10 \
--polling-interval 30 \
--scale-rule-name "azure-pipelines" \
--scale-rule-type "azure-pipelines" \
--scale-rule-metadata "poolName=$AZP_POOL" "targetPipelinesQueueLength=1" \
--scale-rule-auth "personalAccessToken=personal-access-token" "organizationURL=organization-url" \
--cpu "2.0" \
--memory "4Gi" \
--secrets "personal-access-token=$AZP_TOKEN" "organization-url=$ORGANIZATION_URL" \
--env-vars "AZP_TOKEN=secretref:personal-access-token" "AZP_URL=secretref:organization-url" "AZP_POOL=$AZP_POOL" \
--registry-server "$CONTAINER_REGISTRY_NAME" \
--registry-identity "system"
# output
Role assignment failed with error message: "The resource with name 'myacrresourcename-bkf0fma6fnaqhegn' and type 'Microsoft.ContainerRegistry/registries' could not be found in subscription '<redacted>'.".
To add the role assignment manually, please run 'az role assignment create --assignee 0e2c78d5-24ec-445c-957f-a53a336bb963 --scope <container-registry-resource-id> --role acrpull'.

If I change to the non-DNL name (myacrresourcename.azurecr.io) for --registry-server, it does create the role assignment, but it fails to authenticate:
(InvalidParameterValueInContainerTemplate) The following field(s) are either invalid or missing. Field 'template.containers.azp-agent-ansible.image' is invalid with details: 'Invalid value: "myacrresourcename-bkf0fma6fnaqhegn.azurecr.io/azp-agent-ansible:main-11802": GET https:?scope=repository%3Aazp-agent-ansible%3Apull&service=myacrresourcename-bkf0fma6fnaqhegn.azurecr.io: UNAUTHORIZED: authentication required, visit https://aka.ms/acr/authorization for more information. CorrelationId: 1aabd4f9-cceb-4a92-b02f-63634661ef00';.

Related command
az containerapp job create
Errors
see bug description
Issue script & Debug output
see bug description
Expected behavior
see bug description
Environment Summary
azure-cli 2.72.0 *
core 2.72.0 *
telemetry 1.1.0
Extensions:
containerapp 1.1.0b5
Dependencies:
msal 1.32.3
azure-mgmt-resource 23.1.1
Python location '/opt/az/bin/python3'
Config directory '/home/emerconn/.azure'
Extensions directory '/home/emerconn/.azure/cliextensions'
Python (Linux) 3.12.8 (main, Apr 28 2025, 09:24:33) [GCC 13.3.0]
Additional context
No response
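
For the manual role assignment that the CLI output above suggests, one way to resolve the registry scope from a DNL login server. This is an added example, not part of the original report and not Azure CLI code. It assumes ACR resource names contain no hyphens, so everything from the first `-` in the host label is the DNL hash; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Azure CLI code). Function names are hypothetical.

# Derive the ACR resource name from a registry login server.
# Assumption: ACR resource names are alphanumeric only, so the first '-' in
# the first DNS label starts the DNL hash suffix ("<name>-<hash>.azurecr.io").
acr_resource_name() (
  label="${1%%.*}"               # first DNS label, e.g. "name-hash"
  printf '%s\n' "${label%%-*}"   # drop "-<hash>" when present
)

# Exit 0 when the login server carries a DNL hash suffix, 1 otherwise.
is_dnl_login_server() (
  case "${1%%.*}" in
    *-*) exit 0 ;;
    *)   exit 1 ;;
  esac
)

# Grant AcrPull to a principal on the registry behind a login server, then
# list the assignment so the result can be checked.
# Requires a logged-in az session; nothing here runs az at load time.
#   $1 = login server (DNL or non-DNL), $2 = principal (object) ID
grant_acrpull() (
  name="$(acr_resource_name "$1")"
  # Look the registry up by resource name, not by the DNL host label,
  # which is what produced the "could not be found" error above.
  scope="$(az acr show --name "$name" --query id -o tsv)" || exit 1
  az role assignment create --assignee "$2" --scope "$scope" --role acrpull || exit 1
  az role assignment list --assignee "$2" --scope "$scope" -o table
)
```

Pass the DNL name to `--registry-server` as in the report and call `grant_acrpull "$CONTAINER_REGISTRY_NAME" <principal-id>` with the system identity's principal ID.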