[Issue] .NET Aspire: ACR Push error due to insufficient permission of Microsoft.Authorization/roleAssignments/write #3396

@justinyoo

Description

Related to #2980

Output from azd version
Run azd version and copy and paste the output here:

azd version
azd version 1.6.1 (commit eba2c978b5443fdb002c95add4011d9e63c2e76f)

dotnet --version
8.0.201

.NET Aspire version
8.0.0-preview.3.24105.21

Describe the bug
Description of issue you're seeing...

  • I've given a user the RBAC-based roles AcrDelete, AcrImageSigner, AcrPull, AcrPush, AcrQuarantineReader and AcrQuarantineWriter.
  • I've also given the user the classic Contributor role.
  • But it still says "not enough permission" while uploading the container image to ACR.

Deployment Error Details:
InvalidTemplateDeployment: The template deployment failed with error: 'Authorization failed for template resource '{{RANDOM_GUID}}' of type 'Microsoft.Authorization/roleAssignments'. The client '{{USER_EMAIL}}' with the object id '{{RANDOM_GUID}}' does not have permission to perform 'Microsoft.Authorization/roleAssignments/write' at scope '/subscriptions/{{SUBSCRIPTION_ID}}/resourceGroups/{{RESOURCE_GROUP_NAME}}/providers/Microsoft.ContainerRegistry/registries/{{ACR_NAME}}/providers/Microsoft.Authorization/roleAssignments/{{ROLE_ID}}'.'.

To Reproduce
Steps to reproduce the behavior...

  • Run azd init and follow the prompts
  • Run azd up
  • See the error message like above

Expected behavior
A clear and concise description of what you expected to happen.

.NET Aspire app should be deployed to ACR.

Environment
Information on your environment:
* Language name and version: .NET 8.0.2
* IDE and version : GitHub Codespaces

Additional context
Add any other context about the problem here.

  • There's no permission of Microsoft.Authorization/roleAssignments/write on the AcrPush role.
  • I created a custom role that contains the Microsoft.Authorization/roleAssignments/write permission, and applied it to the given user. Then, the permission error went away.
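The role combination reported above can be checked offline against the action named in the error. The following is an added example, not code from the issue or from the azd project: it evaluates Azure RBAC `Actions`/`NotActions` wildcards for each assigned role. The role definitions are abbreviated copies typed in as an assumption (confirm them with `az role definition list --name <role>`), and the custom role name is hypothetical.

```python
from fnmatch import fnmatchcase

# Action the deployment needed, taken from the error message in the issue.
NEEDED = "Microsoft.Authorization/roleAssignments/write"

# Constructed, abbreviated role definitions (assumption: trimmed copies of the
# built-in roles; verify against `az role definition list --name <role>`).
ROLES = {
    "AcrPush": {
        "actions": ["Microsoft.ContainerRegistry/registries/pull/read",
                    "Microsoft.ContainerRegistry/registries/push/write"],
        "not_actions": [],
    },
    "Contributor": {
        "actions": ["*"],
        "not_actions": ["Microsoft.Authorization/*/Delete",
                        "Microsoft.Authorization/*/Write",
                        "Microsoft.Authorization/elevateAccess/Action"],
    },
    # Hypothetical custom role, standing in for the one the reporter created.
    "RoleAssignmentWriter-custom": {
        "actions": ["Microsoft.Authorization/roleAssignments/write"],
        "not_actions": [],
    },
}

def _matches(patterns, action):
    """Case-insensitive wildcard match; '*' may span '/' separators."""
    action = action.lower()
    return any(fnmatchcase(action, p.lower()) for p in patterns)

def role_grants(role, action):
    """A role grants an action if Actions match and NotActions do not."""
    return (_matches(role["actions"], action)
            and not _matches(role["not_actions"], action))

def granting_roles(assigned, action):
    """Names of the assigned roles that grant the action (empty = denied).
    NotActions only subtract within their own role, so the result is a union."""
    return [name for name in assigned if role_grants(ROLES[name], action)]

if __name__ == "__main__":
    for assigned in (["AcrPush", "Contributor"],
                     ["AcrPush", "Contributor", "RoleAssignmentWriter-custom"]):
        print(assigned, "->", granting_roles(assigned, NEEDED) or "DENIED")
```

Because `NotActions` is evaluated per role rather than as a deny, adding a narrowly scoped role that lists only the missing action is sufficient; scoping that assignment to the registry or resource group keeps the grant minimal.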
