
How to get permission to artefact store?

Nikhil Sundarappa 0 Reputation points
2026-04-20T17:23:59.8266667+00:00

I am deploying CNFs in Azure AON. When I published NFD, it said "AuthorizationFailed".

<private info>

Azure Container Registry

An Azure service that provides a registry of Docker and Open Container Initiative images.


3 answers

  1. Jilakara Hemalatha 14,190 Reputation points Microsoft External Staff Moderator
    2026-04-27T11:35:11.0666667+00:00

    Nikhil Sundarappa

    Adding to the above response, one important point to highlight is that in Azure AON CNF/NFD publishing scenarios, this failure is typically not related to the AON service itself, but is strictly enforced by ACR RBAC and token-based authorization at runtime.

    Also, since az aosm nfd publish performs multiple backend operations in sequence (image staging → import → repository validation), the failure may sometimes appear inconsistent (portal 401 vs CLI AuthorizationFailed), but both point to the same root cause: missing ACR data-plane + import permissions for the Entra ID identity being used in the session.

    Another key aspect is that role assignment changes are not immediately reflected in existing CLI sessions. Even after an IAM update, stale tokens may continue to fail until a fresh login is performed, and in some cases it may take a few minutes for role propagation across the ACR data plane.

    Additionally, if the environment is using a shared or service principal identity for automation, it is important to ensure the role is assigned to the exact identity object (not a different app registration or user principal), as mismatched identity scope is a common reason for repeated failures.

    Once the correct RBAC is applied, the token is refreshed, and identity propagation is completed, both portal access and the az aosm nfd publish operation should work successfully without authorization errors.


  2. Himanshu Shekhar 6,420 Reputation points Microsoft External Staff Moderator
    2026-04-20T18:22:24.16+00:00

    Nikhil Sundarappa - Based on the error messages and validation against Microsoft documentation, the issue is permission-related on the target Azure Container Registry (ACR). The Microsoft Entra identity referenced in the error does not currently have the required permissions on the target ACR.

    • The portal Repositories blade returns 401 (Unauthorized) because the identity lacks data‑plane read permissions (for example, repository list/pull).
    • The az aosm nfd publish command fails with AuthorizationFailed because it attempts an image import operation that requires the Microsoft.ContainerRegistry/registries/importImage/action permission.

    Microsoft documentation confirms:

    1. Access to ACR repositories requires appropriate authentication and pull/read permissions. [learn.microsoft.com]
    2. The importImage operation is a control‑plane action that must be allowed by the assigned role.

    Required Permissions (Validated) - To successfully execute az aosm nfd publish, the identity must have a role that includes:

    • Microsoft.ContainerRegistry/registries/importImage/action
    • Microsoft.ContainerRegistry/registries/pull/read
    • Repository read/list permissions (data‑plane)

    The built‑in role that explicitly covers these requirements is:

    • Container Registry Data Importer and Data Reader
      • Includes:
        • Import image (importImage/action)
        • Pull images (pull/read)
        • List repositories and metadata (catalog/read, etc.)

    Additionally, broader roles such as:

    • Contributor
    • Owner

    also include the importImage/action permission.

    Since the registry is hosted in a managed (“hosted resources”) resource group, permission changes typically require an administrator.

    Please request your subscription/platform administrator to:

    1. Go to the target ACR resource
    2. Open Access Control (IAM)
    3. Assign one of the following roles to your identity:
      • Preferred (least privilege): Container Registry Data Importer and Data Reader
      • Alternative (broader access): Contributor or Owner
    4. Scope can be limited to this ACR resource

    After the role assignment is completed, refresh your authentication context:

        az logout
        az login
        az account set --subscription <subscription-id>

    This ensures the updated permissions are reflected in your token.

    After the correct role is assigned and tokens are refreshed:

    1. The Repositories blade in the Azure portal should load successfully (no 401 error)
    2. The az aosm nfd publish command should complete successfully, including the image import step


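Added example (not part of any answer in this thread, and not Microsoft's code): a check that evaluates whether a set of assigned role definitions covers the two control-plane actions named in the answer above, applying Azure RBAC wildcard and notActions semantics. The input is assumed to have the JSON shape of `az role definition list` output; the role names and contents below are constructed for illustration and are not copies of built-in roles. Data-plane (dataActions) permissions are not evaluated.

```python
import json
import re

# Control-plane actions named in the answer above.
REQUIRED = [
    "Microsoft.ContainerRegistry/registries/importImage/action",
    "Microsoft.ContainerRegistry/registries/pull/read",
]

# Constructed sample shaped like `az role definition list --output json`.
# Role names and contents are hypothetical, not copies of built-in roles.
SAMPLE_ROLES = json.loads("""
[
  {"roleName": "example-pull-only",
   "permissions": [{"actions": ["Microsoft.ContainerRegistry/registries/pull/read"],
                    "notActions": []}]},
  {"roleName": "example-registry-wildcard",
   "permissions": [{"actions": ["Microsoft.ContainerRegistry/registries/*"],
                    "notActions": ["Microsoft.ContainerRegistry/registries/importImage/action"]}]},
  {"roleName": "example-importer",
   "permissions": [{"actions": ["microsoft.containerregistry/registries/importimage/action",
                                "Microsoft.ContainerRegistry/registries/*/read"],
                    "notActions": []}]}
]
""")

def _matches(pattern, action):
    # RBAC action strings compare case-insensitively; '*' is the only wildcard.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None

def role_allows(role, action):
    # Within one permission block: granted by actions, unless removed by notActions.
    for block in role.get("permissions", []):
        allowed = any(_matches(p, action) for p in block.get("actions", []))
        excluded = any(_matches(p, action) for p in block.get("notActions", []))
        if allowed and not excluded:
            return True
    return False

def missing_actions(assigned_roles, required=REQUIRED):
    # Assignments are additive: notActions is not a deny, so any one role suffices.
    return [a for a in required
            if not any(role_allows(r, a) for r in assigned_roles)]

if __name__ == "__main__":
    for role in SAMPLE_ROLES:
        print(role["roleName"], "-> missing:", missing_actions([role]) or "none")
```
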

  3. AI answer

    2026-04-20T17:24:18.4+00:00

    The error comes from missing permissions on the Azure Container Registry that AOSM created as the artifact store, and/or from not being authenticated to that registry.

    To access and use this artifact store registry for CNF publishing and image copy, the following must be in place:

    1. Ensure authentication to the registry
      • Sign in with Azure CLI before running az aosm nfd publish:
             az login
             az account set --subscription <your-subscription-id>
        
      • When using the portal or other tools, make sure the signed‑in identity is the same one that has been granted access to the registry.
    2. Assign the correct roles on the source and artifact‑store ACRs
      • For the source ACR that contains the CNF images, the identity running the CLI must have at least:
        • Reader
        • AcrPull
      • For the AOSM artifact store ACR (the registry shown in the error), the identity must have at least:
        • Contributor
        • AcrPush
      • These roles can be assigned at subscription, resource group, or registry scope. AOSM documentation recommends subscription‑scope Contributor and AcrPush for direct ACR‑to‑ACR copy.
    3. If subscription‑scope permissions are not allowed
      • Use the --no-subscription-permissions switch on az aosm nfd publish:
             az aosm nfd publish --build-output-folder cnf-cli-output --definition-type cnf --no-subscription-permissions
        
      • With this option, AOSM uses tightly scoped permissions and a two‑step copy via the local machine instead of requiring Contributor + AcrPush at subscription scope.
    4. Verify ACR access in the portal
      • In the ACR blade, go to Access control (IAM) and confirm that the user or service principal has one of the built‑in roles that include Microsoft.ContainerRegistry/registries/pull/read and importImage permissions, such as AcrPush, Contributor, or Owner.
      • If not present, have an administrator add the appropriate role assignment and then re‑run the publish command.

    Once the identity has the required Reader/AcrPull on the source registry and Contributor/AcrPush on the artifact‑store registry (or --no-subscription-permissions is used), the AuthorizationFailed and 401/Unauthorized errors should be resolved and the CNF publish should complete successfully.


    AI-generated content may be incorrect. Read our transparency notes for more information.
