Can't pull image from Azure Container Registry - pull denied

Question

I log in successfully, but cannot pull:

PS C:\Users\Me> docker login tlk8s.azurecr.io
Username (myUsername): Password:
Login Succeeded
PS C:\Users\Me> docker pull tlk8s.azurecr.io/devicecloudwebapi:v1
Error response from daemon: pull access denied for tlk8s.azurecr.io/devicecloudwebapi, repository does not exist or may require 'docker login'

But it seems like I'm naming it correctly (see screenshot):

What could I be doing wrong? How do I check to see if my service principal has the correct permissions?

Here's the result of calling Get-AzureRmRoleAssignment:

Answer 1

Per documentation below, the Service Principal account must have at least Reader role to be able to pull images from the Azure Container Registry.

https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication

You can run the following PS script to list the existing role assignments for your Service Principal account.

https://github.com/evandropaula/Azure/blob/master/ServicePrincipal/PS/List-ServicePrincipalRoleAssignments.ps1

You can run the following PS script to assign a role (eg Reader) to your Service Principal account.

https://github.com/evandropaula/Azure/blob/master/ServicePrincipal/PS/Assign-ServicePrincipalRole.ps1

Answer 2

It looks like I had contributor access, but my container registry was in a different resource group than my service principal. D'oh.