I have a shell script that deploys containers to Azure Container Instances that runs fine locally using the Azure CLI (on Linux) but I'm having trouble performing the login to Azure from a pipeline task.
Locally the following command will open a browser to login:
docker login azure
The docs suggest that to do the same in a pipeline task I can pass in a client id and client secret. I think that it should look like this:
docker login azure --client-id $servicePrincipalId --client-secret $servicePrincipalKey --tenant-id $tenantId
However, when I run this in my pipeline I get this error:
unknown flag: --client-id
docker login azure --help run locally tells me that --client-id is a valid flag, so I'm wondering is there another way to do this in an Azure DevOps pipeline?
At the moment the problem is that there is no docker cli azure module installed on Microsoft Hosted agents, Installation instructions can be found here:
https://docs.docker.com/cloud/aci-integration/
The workaround I have used to solve the problem:
- script: |
# Add the compose-cli module;
curl -L https://raw.githubusercontent.com/docker/compose-cli/main/scripts/install/install_linux.sh | sh
# Login to Azure using docker CLI, you can use variables here;
# Note: Docker#2 task with Login Action will not help here;
docker login azure --client-id xxx --client-secret yyy --tenant-id zzz
# Check Context list;
docker context aci list
# Create ACI Context;
docker context create aci myaci --location <Azure Location> --resource-group <RG NAME> --subscription-id <subscription ID>
# Check It again.
docker context list
The Azure pipeline task for Docker allows you to use a service connection for the 'docker login' style task. To use a username / password combination, you'll start by creating a Service Connection of type 'Docker Registry'. Then specify 'other' for type. Here you can enter your credentials. The password is obfuscated for security as you would expect.
Now you can use this service connection in your azure devops pipeline docker tasks.
Sources cited:
https://learn.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#docker-registry-service-connection
https://learn.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#docker-hub-or-others
Related
As per docs from microsoft PAT can be used for az devops login as below
cat my_pat_token.txt | az devops login --organization https://dev.azure.com/contoso/
However, the same thing does not work when inside docker container
Here is my docker file
FROM mcr.microsoft.com/azure-cli:latest
RUN az config set extension.use_dynamic_install=yes_without_prompt
COPY my_pat_token.txt .
RUN cat my_pat_token.txt | az devops login --organization https://dev.azure.com/contoso/
I get below error message
WARNING: Unable to use secure credential store in this environment.
WARNING: Please refer to alternate methods at https://aka.ms/azure-devops-cli-auth
I have an Azure release pipeline that uses an Azure Web App for Containers task to deploy a docker image on an Azure App Service.
The image is specified in the form of some_image:$(Build.BuildId). The pipeline works as intended and successfully updates the App Service with the latest built of the image.
I want from an other release pipeline to execute a docker run command using that image. I've noticed that version 1 of the Docker task allows me to execute such a docker run command on a docker image (no idea why run is missing from version 2), but how can I specify the docker image? How can I get which image is the currently deployed on that App Service?
You can either use PowerShell or Shell script in the YAML pipeline. Since you already know the container registry and the image name, just use the below command to get the latest version
az acr repository show-tags -n MyRegistry --repository MyRepository --top 1 --orderby time_desc --detail
https://learn.microsoft.com/en-us/cli/azure/acr/repository?view=azure-cli-latest#az_acr_repository_show_tags
Might be too late now, but what you want to do is to get the value of LinuxFXVersion (if you're running docker on Linux) property from Azure Resource Explorer.
Using a combination of Azure PowerShell and CLI, you can have these commands to retrieve the current image running on your web app:
$webAppProperties = (az webapp config show --subscription "<subscription-id>" --resource-group "<resource-group-name>" -n "<webapp-name>") | ConvertFrom-Json
$webAppProperties.linuxFXVersion
Assuming you have the right permissions to your subscription from Azure Pipelines, you should be able to use this information for the next steps.
I'm new with Kubernetes and Azure. I want to Deply my application and I am floowing the microsoft tutorial about kubernetes. At first I have created the resouce group and ACR instance. When I try to login in ACR console show this error:
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
I'm using azure cli localy and I have docker running.
You can try below options to connect ACR :
run az acr login first with the --expose-token parameter. This option exposes an access token instead of logging in through the Docker CLI.
az acr login --name <acrName> --expose-token
Output displays the access token, abbreviated here:
{
"accessToken": "eyJhbGciOiJSUzI1NiIs[...]24V7wA",
"loginServer": "myregistry.azurecr.io"
}
For registry authentication, we recommend that you store the token credential in a safe location and follow recommended practices to manage docker login credentials. For example, store the token value in an environment variable:
TOKEN=$(az acr login --name <acrName> --expose-token --output tsv --query accessToken)
Then, run docker login, passing 00000000-0000-0000-0000-000000000000 as the username and using the access token as password:
docker login myregistry.azurecr.io --username 00000000-0000-0000-0000-000000000000 --password $TOKEN
you will get the below promt if you follow the above method :
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Login Succeeded
Seems your Docker Desktop is not running. Make sure you installed the Docker for Desktop on your machine and start it if not. You should be good once you start.
I'm trying to run a task within GitLab CI using the official MS Azure-CLI docker image. It fails at the first step, logging in using the "az login" command. I'm using a service principal login with a secret, all stored as GitLab CI variables. Using this command with the CI job:
az login --service-principal --username="${AZURE_APP_ID}" --password="${AZURE_CLIENT_SECRET}" --tenant=${AZURE_TENANT_ID}
gives me the error:
usage error: --service-principal --username NAME --password SECRET --tenant TENANT
Yet if I run the Azure-CLI docker image locally and run the exact same command it works fine. Why is this not working? What format do I need to use to get the damn thing working?
Debug with Print Driven Development style.
Before the az login line echo all the variables to see if they have the proper values.
I could reproduce the error you provided only in one occasion, when the command line contained this only: az login --service-principal
If any more arguments or garbage are provided, the error is different. You should check if Gitlab CI even executes those commands you think it should execute.
I am trying to push docker image into azure container registries repository using power-shell command as follows:-
docker push containerregone.azurecr.io/azure-vote-front:V1
it gives me following error
unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information.
I have tried to find help related to this using following documentation
https://learn.microsoft.com/en-us/azure/container-registry/container-registry-faq
https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication
but it gives Azure CLI commands.
I have also tried to do this using following link
https://stackoverflow.com/questions/50817945/what-is-the-powershell-equivalent-to-az-acr-login#:~:text=There%20is%20no%20single%20powershell,docker%20login%20to%20log%20in.
but they are using docker login. i don't have docker login.
My Question :-
How can we accomplish this using power-shell without docker login?
I'm afraid you cannot accomplish that using PowerShell without the command docker login. Let's take a look at the command for the ACR credential.
When you use the CLI command az acr login with the ACR directly without a docker daemon running, then you will get the error similar with this:
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is
the docker daemon running?
It means the CLI command az acr login depends on the docker server. When you run the CLI command az acr login --expose-token as the document shows, it just exposes the access token of the ACR without login for docker. You also need to log in yourself for docker. You can see the details here.
For the PowerShell for ACR, the only one is to get the ACR credential: Get-AzContainerRegistryCredential. But it gets the passwords for you only. It's not the access token, nor will log in for you too.
So, if you want to use PowerShell command to get the ACR credential, then you also need to log in yourself with the docker command.
Before push or pull, to azure, you need to login first by az-cli
az login
az acr login -n your-registry
or by docker
docker login your-registry.azurecr.io