I log in successfully, but cannot pull:
PS C:\Users\Me> docker login tlk8s.azurecr.io
Username (myUsername): Password:
Login Succeeded
PS C:\Users\Me> docker pull tlk8s.azurecr.io/devicecloudwebapi:v1
Error response from daemon: pull access denied for tlk8s.azurecr.io/devicecloudwebapi, repository does not exist or may require 'docker login'
But it seems like I'm naming it correctly (see screenshot):
What could I be doing wrong? How do I check to see if my service principal has the correct permissions?
Here's the result of calling Get-AzureRmRoleAssignment:
Per documentation below, the Service Principal account must have at least Reader role to be able to pull images from the Azure Container Registry.
https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication
You can run the following PS script to list the existing role assignments for your Service Principal account.
https://github.com/evandropaula/Azure/blob/master/ServicePrincipal/PS/List-ServicePrincipalRoleAssignments.ps1
You can run the following PS script to assign a role (e.g. Reader) to your Service Principal account.
https://github.com/evandropaula/Azure/blob/master/ServicePrincipal/PS/Assign-ServicePrincipalRole.ps1
It looks like I had contributor access, but my container registry was in a different resource group than my service principal. D'oh.
Related
I have created an Azure Container Registry.
I have an Azure DevOps project.
I have created an Azure DevOps Pipeline using the wizard so
that it uses the standard template to build and push a Docker image.
When validating the Pipeline the following error is thrown:
Failed to set Azure permission 'RoleAssignmentId: ****' for the service principal '****' on subscription ID '****': error code: Forbidden, inner error code: AuthorizationFailed, inner error message The client '****' with object id '****' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/****/resourceGroups/****/providers/Microsoft.ContainerRegistry/registries/****/providers/Microsoft.Authorization/roleAssignments/****' or the scope is invalid. If access was recently granted, please refresh your credentials. Ensure that the user has 'Owner' or 'User Access Administrator' permissions on the Subscription.
What configuration could I be missing? The documentation for this is all very sparse and written as though it should all just work.
Thanks
You need to add AcrPull permission to service principal you used here. Please got to you ACR and add it.
Here you have id of you service principal:
Failed to set Azure permission 'RoleAssignmentId: ' for the service principal ''
Also please check also networking on ACR if it blocks you or not.
To build and push your Docker image in Azure pipeline, you need follow the steps below:
Navigate to Project Settings > Service connections to create a Docker Registry service connection that can connect to your ACR.
In the pipeline, add the Docker task to build and push your Docker image to ACR.
Yours service principal on service connection is missing permissions link to documentation https://learn.microsoft.com/en-us/azure/container-registry/container-registry-roles?tabs=azure-cli. You can use custom role or build like contributor on resource group level. Example of custom role and allowed actions "Microsoft.ContainerRegistry/registries/push/write",
I tried on-premises synchronizes container images by using Connected Registry in Azure Container Registry.
And I followed ACR documentation to create a setup (https://learn.microsoft.com/en-us/azure/container-registry/quickstart-deploy-connected-registry-iot-edge-cli)
Getting error while deploying the modules
Troubleshoot - Container Log
ACR Token Details
ACR Scope Details
getting insufficient scope error. But I gave ReadWrite permission for all the repositories. Is there any other way to solve this issue?
Please check if you have given the permissions content/read , content/write scopes for the required registry for repository push , which I hope you have already done if the repo is present.
If the permissions are configured properly , please check if the admin user is enabled .
The scopes may also refer to the actual role permission to operate
For the Azure Container Registry, you may log in in two ways.
One - Using the command az acr login -n azureacrServer -u username -p password. Then you have the owner permission after logging in.
The other one is that log in with a service principal using the command docker login azureacrServer -u servicePrincipalId -p sppassword. In this way, you just have the permission of the service principal after logging in
Please check
Registry authentication options and container registry repository scoped permissions
References:
Quickstart - Create connected registry using the portal - Azure Container Registry | Microsoft Docs
Pull images from a connected registry - Azure Container Registry | Microsoft Docs
I have created an Azure Container Registry ,have Microsoft subscription inherited to the users in that particular Resource Group .How to give access to the users as they can login to the registry using only service principal credentials.What privilege permissions should I give so that they cannot view the credentials in the portal.azure.com and should not push or pull docker images using service principal credentials?
All the roles and permissions for the ACR are shows in the Azure Container Registry roles and permissions. You can just choose one which you want to use.
The service principal is a little different from the users to do something with appropriate permission. For example, you can use a service principal with only acrpull permission to pull the image even the users have the permission to push, but login with the service principal, it just can pull the image.
I have created a Build Docker Image task inside DevOps Build Pipeline.
In this task, after selecting the Azure Subscription, the Azure container registry list shows No results Found message.
Although I have created the ACR in that subscription, I'm unable to connect to it via DevOps Build Pipeline.
Is this issue related to permissions or any other?
Did you create a Service Principal for Azure DevOps pipeline? Once created you can give it the proper role for what you are trying to do.
# Assign the desired role to the service principal. Modify the '--role' argument
# value as desired:
# acrpull: pull only
# acrpush: push and pull
# owner: push, pull, and assign roles
az role assignment create --assignee $SERVICE_PRINCIPAL_ID --scope $ACR_REGISTRY_ID --role acrpull
In your build pipeline, you need to add a login task that uses an existing Service Connection before your Docker build and/or push task. The Service Connection has the subscription and the name of the Azure Container Registry where you will be uploading your Docker images.
I was following the steps in this Microsoft tutorial:
https://learn.microsoft.com/en-us/azure/aks/tutorial-kubernetes-prepare-acr#container-registry-login
I've created a resource group, and then an azure container registry with "az acr create". The next step is to login to the registry, but I keep getting this error:
Error response from daemon: Get https://azurereg.azurecr.io/v2/: Service Unavailable
Any ideas?
In order to access ACR from AKS, you can use the underlying service principal. That said, you've to create a role assignment for the Service Principal as mentioned in this paragraph https://learn.microsoft.com/en-us/azure/container-registry/container-registry-auth-aks?toc=%2fazure%2faks%2ftoc.json#grant-aks-access-to-acr
Creating a role assignment for role Reader currently doesn't work. You've to create the assignment for the Owner role. (described in https://github.com/Azure/AKS/issues/76).
Keep in mind that K8s caches the token for a couple of minutes. It took 3-5 minutes on my cluster to work.