
Azure Service Principal pull images from Container Registry

I have created an Azure Service Principal like this:

az ad sp create-for-rbac --name $SERVICE_PRINCIPAL_NAME --scopes $ACR_REGISTRY_ID --role reader

After logging in (az login --service-principal -u $SERVICE_PRINCIPAL_NAME -p $SERVICE_PRINCIPAL_ID --tenant $TENANT_ID) I am able to see all the images (az acr repository list --name $ACR_REGISTRY_NAME) which are in my registry, but I cannot push or pull images (docker pull myregistry.azurecr.io/myimage:latest).

Are there any permissions I am not aware of? I have tried something similar with other roles like owner or contributor, but those SPs also get the same error, which is the following:

Error response from daemon: Get https://myregistry.azurecr.io/v2/myimage/latest/manifests/latest : unauthorized: authentication required


Update 14. of August:

I am also not able to docker login with the SP

Error response from daemon: Get myregistry.azurecr.io/v2: unauthorized: authentication required

You need to log in to the registry using docker login:

docker login myregistry.azurecr.io -u xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -p myPassword

Refer to: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication#service-principal

For the Azure Container Registry, there are two ways to log in.

One is to log in with the command az acr login -n azureacrServer -u username -p password; you have the owner permission after logging in.

The other one is to log in with a service principal using the command docker login azureacrServer -u servicePrincipalId -p sppassword. In this way, you just have the permission of the service principal after logging in. I tried it, and the result is as the screenshot below shows:


This service principal is just set as a Reader. So we cannot push the image.


You can get the details about the service principal of the Azure container registry with the command az role assignment list --scope acrId; the command will show all the service principals of the registry. The command az acr show --resource-group groupName --name acrName --query id --output tsv will show you the registry ID.
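The login the answers describe, together with the creation of a pull-only service principal and a check of its role assignments, as an added example that is not part of the original question or answers. The variables ACR_NAME and SP_NAME, the default name acr-pull-sp and the function names are assumptions made for this example; it needs the az and docker CLIs.

```shell
#!/bin/sh
# Added example, not from the original answers. Needs the az and docker CLIs.
# ACR_NAME and SP_NAME are placeholder names chosen for this example.

# Resource ID of the registry, used as the scope of the role assignment.
acr_id() {
  az acr show --name "$1" --query id --output tsv
}

# Login server (for example myregistry.azurecr.io) that docker talks to.
acr_login_server() {
  az acr show --name "$1" --query loginServer --output tsv
}

# Create a service principal that may only pull from one registry.
# Prints the generated password, which Azure shows only at creation time.
create_pull_sp() {    # $1 = display name, $2 = registry resource ID
  az ad sp create-for-rbac --name "$1" --scopes "$2" --role acrpull \
    --query password --output tsv
}

# Application (client) ID of the service principal: the docker user name.
sp_app_id() {         # $1 = display name
  az ad sp list --display-name "$1" --query "[].appId" --output tsv
}

# Log in with appId + password. The secret is piped through stdin so it is
# not passed as a docker command-line argument.
docker_login_sp() {   # $1 = login server, $2 = appId, $3 = password
  printf '%s' "$3" | docker login "$1" --username "$2" --password-stdin
}

# Roles the principal holds on the registry, inherited assignments included.
sp_roles_on_acr() {   # $1 = appId, $2 = registry resource ID
  az role assignment list --assignee "$1" --scope "$2" --include-inherited \
    --query "[].roleDefinitionName" --output tsv
}

# Runs only when ACR_NAME is set, e.g.: ACR_NAME=myregistry sh acr_sp.sh
if [ -n "${ACR_NAME:-}" ]; then
  sp_name=${SP_NAME:-acr-pull-sp}
  scope=$(acr_id "$ACR_NAME")
  secret=$(create_pull_sp "$sp_name" "$scope")
  app_id=$(sp_app_id "$sp_name")
  docker_login_sp "$(acr_login_server "$ACR_NAME")" "$app_id" "$secret"
  sp_roles_on_acr "$app_id" "$scope"
fi
```
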
