I'm trying to set up simple read-only access using Azure AD to an Azure container registry.
I have managed to set up a service principal with read-only access no problem, but when creating an AD account and using IAM on the registry I cannot log in using az acr.
I have created an account in Azure AD, added it to the registry IAM, and assigned it the Reader role (this matches the role given to the service principal), but I receive the following error when logging in with az acr:
The client 'xxxx@xxxxxx.co.uk' with object id 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' does not have authorization to perform action 'Microsoft.ContainerRegistry/registries/listCredentials/action' over scope '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx/resourceGroups/xxxxxxxxxxxxx/providers/Microsoft.ContainerRegistry/registries/xxxxxxxxxxxx'.
The only way I can get logged in using az acr is to assign IAM Contributor permissions on the resource group.
Is there something I'm missing?
TIA