[英]Azure Service Principal pull images from Container Registry
I have created a Azure Service Principal like this我已经创建了这样的 Azure 服务主体
az ad sp create-for-rbac --name $SERVICE_PRINCIPAL_NAME --scopes $ACR_REGISTRY_ID --role reader
after logging in ( az login --service-principal -u $SERVICE_PRINCIPAL_NAME -p $SERVICE_PRINCIPAL_ID --tenant $TENANT_ID
) I am able to see all the images ( az acr repository list --name $ACR_REGISTRY_NAME
) which are in my registry, but I can not push or pull images ( docker pull myregistry.azurecr.io/myimage:latest
).登录后( az login --service-principal -u $SERVICE_PRINCIPAL_NAME -p $SERVICE_PRINCIPAL_ID --tenant $TENANT_ID
)我可以看到我的注册表中的所有图像( az acr repository list --name $ACR_REGISTRY_NAME
),但我无法推送或拉取图像( docker pull myregistry.azurecr.io/myimage:latest
)。
Are there any permissions I am not aware of?是否有任何我不知道的权限? I have tried the similar with other roles like owner
or contributor
, but also SPs are getting the same error, which is the following:我已经尝试过类似的其他角色,如owner
或contributor
,但 SP 也遇到了同样的错误,如下所示:
Error response from daemon: Get https://myregistry.azurecr.io/v2/myimage/latest/manifests/latest : unauthorized: authentication required来自守护进程的错误响应:获取https://myregistry.azurecr.io/v2/myimage/latest/manifests/latest :未授权:需要身份验证
Update 14. of August: 8 月 14 日更新:
I am also not able to docker login with the SP我也无法使用 SP 进行 docker 登录
Error response from daemon: Get myregistry.azurecr.io/v2: unauthorized: authentication required来自守护进程的错误响应:获取 myregistry.azurecr.io/v2:未经授权:需要身份验证
You need to login to the registry using docker login您需要使用 docker login 登录到注册表
docker login myregistry.azurecr.io -u xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -p myPassword
Refer to: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication#service-principal请参阅: https : //docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication#service-principal
For the Azure Container Registry, there are two ways to log in.对于 Azure 容器注册表,有两种登录方式。
One is that log in with the command az acr login -n azureacrServer -u username -p password
, you have the owner permission after logging in.一种是使用命令az acr login -n azureacrServer -u username -p password
拥有了owner权限。
The other one is that log in with a service principal using the command docker login azureacrServer -u servicePrincipalId -p sppassword
.另一种是使用命令docker login azureacrServer -u servicePrincipalId -p sppassword
使用服务主体docker login azureacrServer -u servicePrincipalId -p sppassword
。 In this way, you just have the permission of the service principal after logging in. I try and the result like the screenshot shows below:这样,登录后就只有服务主体的权限了,我试了一下,结果如截图所示:
This service principal is just set as a Reader.此服务主体仅设置为 Reader。 So we cannot push the image.所以我们不能推送图像。
You can get the details about the service principal of Azure container registry with the command az role assignment list --scope acrId
, the command will show all the service principals of the registry.您可以使用命令az role assignment list --scope acrId
获取有关 Azure 容器注册表服务主体的详细信息,该命令将显示注册表的所有服务主体。 The command az acr show --resource-group groupName --name acrName --query id --output tsv
will show you the registry Id.命令az acr show --resource-group groupName --name acrName --query id --output tsv
将显示注册表 ID。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.