I am trying to learn terraform, by creating a kubernetes cluster and a container registry in azure and giving the kubernetes cluster pull access to the container registry.
I have manually created a service principal with a custom role and authenticated it like they do in the Terraform Azure tutorial. The custom role has all contributor permissions along with the following:
```
Microsoft.Authorization/roleAssignments/read
Microsoft.Authorization/roleAssignments/write
Microsoft.Authorization/roleAssignments/delete
Microsoft.ContainerService/managedClusters/read
Microsoft.ContainerService/managedClusters/write
Microsoft.ContainerService/managedClusters/delete
```
And I have correctly set the env vars. When I then try to `terraform apply` the following file:
```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.104.2"
    }
  }
  required_version = ">= 1.1.0"
}

provider "azurerm" {
  features {
  }
}

resource "azurerm_resource_group" "rg" {
  name     = "myRG"
  location = "North Europe"
}

resource "azurerm_container_registry" "acr" {
  name                = "mycr"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  sku                 = "Basic"
}

resource "azurerm_kubernetes_cluster" "aks" {
  name                = "myAKS"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  dns_prefix          = "myAKS"

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
  }

  identity {
    type = "SystemAssigned"
  }
}

# Attach the container registry to the kubernetes cluster
resource "azurerm_role_assignment" "aksPullFromAcr" {
  principal_id         = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id
  role_definition_name = "AcrPull"
  scope                = azurerm_container_registry.acr.id
}
```
I get the following error. The weird thing is that the subscription id points to the wrong subscription:
```
Error: retrieving Kubernetes Cluster (Subscription: "<wrong_subscription_id>"
│ Resource Group Name: "myRG"
│ Kubernetes Cluster Name: "myAKS"): unexpected status 403 (403 Forbidden) with error: AuthorizationFailed: The client '<client_id>' with object id '<client_id>' does not have authorization to perform action 'Microsoft.ContainerService/managedClusters/read' over scope '/subscriptions/<wrong_subscription_id>/resourceGroups/myRG/providers/Microsoft.ContainerService/managedClusters/myAKS' or the scope is invalid. If access was recently granted, please refresh your credentials.
```
I have tried to make a new service principal, but that didn’t help.
What am I doing wrong here?
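As an added example (not code from the question or from any answer to it), the configuration below shows one way to make the subscription and principal that Terraform actually authenticates as explicit and visible before the AcrPull assignment is attempted, so that a 403 against an unexpected subscription surfaces as a clear precondition failure rather than a confusing provider error. It reuses the resource names from the question and assumes a variable `expected_subscription_id` that the operator supplies (the subscription the custom role was granted on); the `azurerm_client_config` data source and the provider's `subscription_id` argument are real azurerm features.

```hcl
# Added example, not part of the original question. Pins the target subscription
# and surfaces the identity the provider authenticated as.

variable "expected_subscription_id" {
  description = "Subscription that should hold myRG, myAKS and mycr (assumed: supplied by the operator)"
  type        = string
}

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.104.2"
    }
  }
  required_version = ">= 1.2.0" # lifecycle preconditions need 1.2+
}

provider "azurerm" {
  features {}
  # Explicit pin: takes precedence over a stale ARM_SUBSCRIPTION_ID or the
  # az CLI's current default subscription.
  subscription_id = var.expected_subscription_id
}

# Who is Terraform running as? Exposes subscription, tenant, client and object id
# of the authenticated principal, which is what the 403 message is about.
data "azurerm_client_config" "current" {}

output "terraform_subscription_id" {
  value = data.azurerm_client_config.current.subscription_id
}

output "terraform_principal_object_id" {
  value = data.azurerm_client_config.current.object_id
}

resource "azurerm_resource_group" "rg" {
  name     = "myRG"
  location = "North Europe"
}

resource "azurerm_container_registry" "acr" {
  name                = "mycr"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  sku                 = "Basic"
}

resource "azurerm_kubernetes_cluster" "aks" {
  name                = "myAKS"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  dns_prefix          = "myAKS"

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
  }

  identity {
    type = "SystemAssigned"
  }
}

# Least-privilege grant: only the kubelet (node pool) identity, only AcrPull,
# only on this one registry. The precondition fails fast with an explicit
# message if the provider ended up in a different subscription than the one
# the custom role was granted on.
resource "azurerm_role_assignment" "aksPullFromAcr" {
  principal_id         = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id
  role_definition_name = "AcrPull"
  scope                = azurerm_container_registry.acr.id

  lifecycle {
    precondition {
      condition     = data.azurerm_client_config.current.subscription_id == var.expected_subscription_id
      error_message = "Terraform is authenticated against a subscription other than var.expected_subscription_id; check ARM_SUBSCRIPTION_ID and the scope of the custom role."
    }
  }
}
```

Running `terraform plan` prints the two outputs, so the subscription and object id can be compared directly against the ones quoted in the AuthorizationFailed message and against `az account show --query id -o tsv` for the same credentials. The point of the precondition is to catch the mismatch before any role assignment is written: `Microsoft.Authorization/roleAssignments/write` is a powerful permission, and a principal holding it should only ever be exercised in the subscription it was scoped to.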