This message was deleted.

I can help myself meanwhile by executing

az role definition list

finding the id of acrpush in the output and storing it in a pulumi config setting, but for obvious reasons this is not a very stable workaround - say we run the same setup against another subscription (which we likely will because we want to put production resources into a separate sub), and one needs to update this.

Does this example help? https://github.com/pulumi/examples/blob/master/azure-ts-appservice-docker/index.ts#L57-L73

I know that example, but it doesn't apply to my question. meanwhile, though, I'd be more interested in making this work with managed identities as described here because that doesn't require the app reg under which pulumi runs to be allowed to assign roles (effectively being a subscription owner). do you by any chance have a Pulumi example that mirrors what MS describes in that link? (doesn't matter which language, as long as it's Pulumi) - that would be very helpful - thanks!

succeeded in pushing an image to an ACR?

Why is this example irrelevant? (putting roles aside for a moment)

maybe my wording in the original question was not precise enough, sorry for that. my problem was solely with authorization alternatives to isAdminEnabled, not with the actual pushing