Azure 容器注册表权限

Question

Im trying to setup simple read only access using Azure AD to an Azure container registry.

I have managed to setup a service principal with read only access no problem, but when creating an AD account and using IAM on the registry I cannot login using az acr.

I have created an account in Azure AD, added is to the registry IAM, assigned it reader role (this matches the role given to the service principal) but receive the following error logging in with az acr

The client 'xxxx@xxxxxx.co.uk' with object id 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' does not have authorization to perform action 'Microsoft.ContainerRegistry/registries/listCredentials/action' over scope '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx/resourceGroups/xxxxxxxxxxxxx/providers/Microsoft.ContainerRegistry/registries/xxxxxxxxxxxx'.

The only way I can get logged in using the az acr is to assign IAM contributor permissions on the resource group.

Is there something im missing?

tia

Answer 1

It is a RBAC issue.

Could you please try to use this docker login to login ACR?

You can also log in directly with a service principal . Provide the app ID and password of the service principal to the docker login command:

 docker login myregistry.azurecr.io -u xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -p myPassword

When you log in with az acr login , the CLI uses the token created when you executed az login to seamlessly authenticate your session with your registry.

Please check your service principal permission, also you can create a new service principal and assign to this group .

az ad sp create-for-rbac -n "http://my-app" --role reader --scopes /subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/mygroup

The available roles are:

Reader : pull
Contributor : pull and push
Owner : pull, push, and assign roles to other users

Note:

When you use az acr login to login acr, this command will use the token created when you executed az login to login it. This token not equal to your service principal(reader).