简体繁体 English

Azure 服务主体从容器注册表中拉取映像

[英]Azure Service Principal pull images from Container Registry

原文 2018-08-13 22:42:44 4 2 azure/ docker/ azure-cli/ azure-container-registry/ service-principal

I have created a Azure Service Principal like this我已经创建了这样的 Azure 服务主体

az ad sp create-for-rbac --name $SERVICE_PRINCIPAL_NAME --scopes $ACR_REGISTRY_ID --role reader

after logging in ( az login --service-principal -u $SERVICE_PRINCIPAL_NAME -p $SERVICE_PRINCIPAL_ID --tenant $TENANT_ID ) I am able to see all the images ( az acr repository list --name $ACR_REGISTRY_NAME ) which are in my registry, but I can not push or pull images ( docker pull myregistry.azurecr.io/myimage:latest ).登录后（ az login --service-principal -u $SERVICE_PRINCIPAL_NAME -p $SERVICE_PRINCIPAL_ID --tenant $TENANT_ID ）我可以看到我的注册表中的所有图像（ az acr repository list --name $ACR_REGISTRY_NAME ），但我无法推送或拉取图像（ docker pull myregistry.azurecr.io/myimage:latest ）。

Are there any permissions I am not aware of?是否有任何我不知道的权限？ I have tried the similar with other roles like owner or contributor , but also SPs are getting the same error, which is the following:我已经尝试过类似的其他角色，如owner或contributor ，但 SP 也遇到了同样的错误，如下所示：

Error response from daemon: Get https://myregistry.azurecr.io/v2/myimage/latest/manifests/latest : unauthorized: authentication required来自守护进程的错误响应：获取https://myregistry.azurecr.io/v2/myimage/latest/manifests/latest ：未授权：需要身份验证

Update 14. of August: 8 月 14 日更新：

I am also not able to docker login with the SP我也无法使用 SP 进行 docker 登录

Error response from daemon: Get myregistry.azurecr.io/v2: unauthorized: authentication required来自守护进程的错误响应：获取 myregistry.azurecr.io/v2：未经授权：需要身份验证

2 个解决方案

You need to login to the registry using docker login您需要使用 docker login 登录到注册表

docker login myregistry.azurecr.io -u xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -p myPassword

Refer to: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication#service-principal请参阅： https : //docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication#service-principal

For the Azure Container Registry, there are two ways to log in.对于 Azure 容器注册表，有两种登录方式。

One is that log in with the command az acr login -n azureacrServer -u username -p password , you have the owner permission after logging in.一种是使用命令az acr login -n azureacrServer -u username -p password拥有了owner权限。

The other one is that log in with a service principal using the command docker login azureacrServer -u servicePrincipalId -p sppassword .另一种是使用命令docker login azureacrServer -u servicePrincipalId -p sppassword使用服务主体docker login azureacrServer -u servicePrincipalId -p sppassword 。 In this way, you just have the permission of the service principal after logging in. I try and the result like the screenshot shows below:这样，登录后就只有服务主体的权限了，我试了一下，结果如截图所示：

This service principal is just set as a Reader.此服务主体仅设置为 Reader。 So we cannot push the image.所以我们不能推送图像。

You can get the details about the service principal of Azure container registry with the command az role assignment list --scope acrId , the command will show all the service principals of the registry.您可以使用命令az role assignment list --scope acrId获取有关 Azure 容器注册表服务主体的详细信息，该命令将显示注册表的所有服务主体。 The command az acr show --resource-group groupName --name acrName --query id --output tsv will show you the registry Id.命令az acr show --resource-group groupName --name acrName --query id --output tsv将显示注册表 ID。