I am trying to learn terraform with Azure, and I am trying to create a container registry, and a kubernetes cluster, and give the kubernetes cluster access to pull from the container registry.
I have followed the guide to create a service principal and given it a custom role that looks like this (basically just the Contributor role extended with roleAssignments/{read|write|delete}):

```json
{
  "id": "/subscriptions/<subscription_id>/providers/Microsoft.Authorization/roleDefinitions/<some_id>",
  "properties": {
    "roleName": "tf",
    "description": "",
    "assignableScopes": [
      "/subscriptions/<subscription_id>"
    ],
    "permissions": [
      {
        "actions": [
          "*",
          "Microsoft.Authorization/roleAssignments/read",
          "Microsoft.Authorization/roleAssignments/write",
          "Microsoft.Authorization/roleAssignments/delete",
          "Microsoft.ContainerService/managedClusters/read",
          "Microsoft.ContainerService/managedClusters/write",
          "Microsoft.ContainerService/managedClusters/delete"
        ],
        "notActions": [
          "Microsoft.Authorization/*/Delete",
          "Microsoft.Authorization/*/Write",
          "Microsoft.Authorization/elevateAccess/Action",
          "Microsoft.Blueprint/blueprintAssignments/write",
          "Microsoft.Blueprint/blueprintAssignments/delete",
          "Microsoft.Compute/galleries/share/action",
          "Microsoft.Purview/consents/write",
          "Microsoft.Purview/consents/delete",
          "Microsoft.Resources/deploymentStacks/manageDenySetting/action"
        ],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```
However, when I try to apply the following Terraform file:

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.104.2"
    }
  }
  required_version = ">= 1.1.0"
}

provider "azurerm" {
  features {
  }
}

resource "azurerm_resource_group" "rg" {
  name     = "myRG"
  location = "North Europe"
}

resource "azurerm_container_registry" "acr" {
  name                = "mycr"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  sku                 = "Basic"
}

resource "azurerm_kubernetes_cluster" "aks" {
  name                = "myAKS"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  dns_prefix          = "myAKS"

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
  }

  identity {
    type = "SystemAssigned"
  }
}

# Attach the container registry to the kubernetes cluster
resource "azurerm_role_assignment" "aksPullFromAcr" {
  principal_id         = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id
  role_definition_name = "AcrPull"
  scope                = azurerm_container_registry.acr.id
}
```
I get the following error:

```text
Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '<client_id>' with object id '<client_id>' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/<subscription_id>/resourceGroups/myRG/providers/Microsoft.ContainerRegistry/registries/mycr/providers/Microsoft.Authorization/roleAssignments/<some_id>' or the scope is invalid. If access was recently granted, please refresh your credentials."
│
│   with azurerm_role_assignment.aksPullFromAcr,
│   on main.tf line 49, in resource "azurerm_role_assignment" "aksPullFromAcr":
│   49: resource "azurerm_role_assignment" "aksPullFromAcr" {
│
╵
```
What am I doing wrong?
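Azure computes a role's effective control-plane permissions as Actions minus NotActions, with `*` wildcards matched case-insensitively, so an explicit entry in `actions` does not win over a `notActions` pattern that also matches it. The checker below is an added example (not from the post or from Azure/Terraform) that applies that model to the `actions`/`notActions` subset of the `tf` role above and reports which pattern strips the action named in the 403; the wildcard matching is my approximation of Azure's rules.

```python
import re

# Constructed input: the actions/notActions subset of the "tf" custom role from
# the question (the role's other fields do not affect this check).
TF_ROLE = {
    "actions": [
        "*",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete",
    ],
    "notActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
}


def matches(pattern: str, action: str) -> bool:
    """Azure-style wildcard match: '*' spans any characters (including '/'),
    comparison is case-insensitive (assumption: mirrors Azure RBAC matching)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def denied_by(role: dict, action: str) -> list:
    """Return the notActions patterns that remove `action` from the role."""
    return [p for p in role["notActions"] if matches(p, action)]


def is_allowed(role: dict, action: str) -> bool:
    """Effective permission = Actions minus NotActions: an action is granted
    only if some actions pattern matches and no notActions pattern does."""
    granted = any(matches(p, action) for p in role["actions"])
    return granted and not denied_by(role, action)


if __name__ == "__main__":
    # The action the 403 in the question names, plus two controls.
    for action in (
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.ContainerRegistry/registries/write",
    ):
        verdict = "allowed" if is_allowed(TF_ROLE, action) else "DENIED"
        print(f"{action}: {verdict} {denied_by(TF_ROLE, action) or ''}")
```

Run against this role, `Microsoft.Authorization/roleAssignments/write` comes back DENIED by `Microsoft.Authorization/*/Write`, which matches the action the error message names; the same check can be applied to any custom role JSON before granting it to an automation principal.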