Azure / azure-cli

Azure Command-Line Interface
MIT License

Allow Creation of Azure Containerapp Job even when create_acrpull_role_assignment fails #28935

Open glM26 opened 3 months ago

glM26 commented 3 months ago

Related command

```
az containerapp job create -n mycontainerappsjob -g rg --trigger-type Manual --parallelism 1 \
  --image "myacr.azurecr.io/my-image:latest" --mi-user-assigned identity \
  --registry-server myacr.azurecr.io \
  --replica-timeout 1800 --replica-retry-limit 1 --environment my-env --replica-completion-count 1 \
  --registry-identity identity
```

Is your feature request related to a problem? Please describe.

We have already assigned the ACR Pull role to the managed identity (using another user with higher privileges). Now we want to execute the above command to create a Containerapp Job using the managed identity to pull the image from ACR. The user we execute the above command with does not have permissions to view assigned roles or assign roles for the managed identity. So although the managed identity already has the ACR Pull role, the "az containerapp job create" fails, because it tries to assign the role: https://github.com/Azure/azure-cli/blob/dev/src/azure-cli/azure/cli/command_modules/containerapp/_utils.py#L1656

Failed to query identity-id by invoking Graph API. If you don't have permission to query Graph API, please specify --assignee-object-id and --assignee-principal-type.

Describe the solution you'd like

I was able to make the command work by manually removing the line https://github.com/Azure/azure-cli/blob/dev/src/azure-cli/azure/cli/command_modules/containerapp/_utils.py#L1656 from my local installation. Maybe ignore errors during create_acrpull_role_assignment or add an option to not assign the ACR Pull role during creation of the containerapp job.

Describe alternatives you've considered

For Containerapps (not jobs), I was able to proceed in two steps, as outlined in https://learn.microsoft.com/en-us/azure/container-apps/managed-identity-image-pull?tabs=azure-cli&pivots=azure-portal

Unfortunately az containerapp registry is not available for jobs.
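The behaviour requested above, sketched as an added example that is not part of the original post and is not azure-cli code: the AcrPull assignment becomes best effort, so a deployer who lacks rights to read or write role assignments can still create the job when a more privileged principal has already granted the role. Every name here (`create_job`, `AuthorizationError`, `skip_role_assignment`, `deployer_without_rbac_rights`) is hypothetical.

```python
"""Added illustration: best-effort AcrPull assignment during job creation.
All names are hypothetical; this is not the azure-cli implementation."""
from dataclasses import dataclass, field
from typing import Callable, List


class AuthorizationError(Exception):
    """Stand-in for 'caller may not read or write role assignments'."""


@dataclass
class CreateResult:
    created: bool
    role_assignment: str  # "assigned" | "skipped" | "not-permitted"
    warnings: List[str] = field(default_factory=list)


def create_job(name: str, registry: str, identity: str,
               assign_acrpull: Callable[[str, str], None],
               skip_role_assignment: bool = False) -> CreateResult:
    """Create the job; treat the AcrPull assignment as best effort."""
    warnings: List[str] = []
    if skip_role_assignment:
        state = "skipped"  # explicit opt-out, as proposed in the issue
    else:
        try:
            assign_acrpull(registry, identity)
            state = "assigned"
        except AuthorizationError as exc:
            # Only an authorization failure is tolerated: the role may already
            # have been granted by a more privileged principal. Any other
            # exception still propagates and aborts the create.
            state = "not-permitted"
            warnings.append(
                f"Could not verify or assign AcrPull for '{identity}' on "
                f"'{registry}' ({exc}); image pulls will fail unless the role "
                "is already assigned.")
    # The real job creation call would go here; it is out of scope for this sketch.
    return CreateResult(created=True, role_assignment=state, warnings=warnings)


def deployer_without_rbac_rights(registry: str, identity: str) -> None:
    """Constructed stand-in for the failing call a low-privilege deployer sees."""
    raise AuthorizationError("caller cannot query Graph API or role assignments")
```

The warning keeps the failure visible: if the role was never pre-assigned, the operator learns why the image pull fails later instead of the error being silently swallowed.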

yonzhan commented 3 months ago

Thank you for opening this issue, we will look into it.