3
votes

I have created an Azure Service Principal like this:

az ad sp create-for-rbac --name $SERVICE_PRINCIPAL_NAME --scopes $ACR_REGISTRY_ID --role reader

After logging in (az login --service-principal -u $SERVICE_PRINCIPAL_NAME -p $SERVICE_PRINCIPAL_ID --tenant $TENANT_ID), I am able to see all the images (az acr repository list --name $ACR_REGISTRY_NAME) which are in my registry, but I cannot push or pull images (docker pull myregistry.azurecr.io/myimage:latest).

Are there any permissions I am not aware of? I have tried something similar with other roles like owner or contributor, but those SPs are also getting the same error, which is the following:

Error response from daemon: Get https://myregistry.azurecr.io/v2/myimage/latest/manifests/latest: unauthorized: authentication required


Update 14. of August:

I am also not able to docker login with the SP:

Error response from daemon: Get myregistry.azurecr.io/v2: unauthorized: authentication required

2
Looking at your error, it seems you need to docker login first. - jesugmz

2 Answers

4
votes

You need to log in to the registry using docker login:

docker login myregistry.azurecr.io -u xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -p myPassword

Refer to: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication#service-principal

4
votes

For the Azure Container Registry, there are two ways to log in.

One is to log in with the command az acr login -n azureacrServer -u username -p password; you have the owner permission after logging in.

The other one is to log in with a service principal using the command docker login azureacrServer -u servicePrincipalId -p sppassword. In this way, you just have the permission of the service principal after logging in. I tried it, and the result is as the screenshot below shows:


This service principal is just set as a Reader. So we cannot push the image.


You can get the details about the service principal of the Azure container registry with the command az role assignment list --scope acrId; the command will show all the service principals of the registry. The command az acr show --resource-group groupName --name acrName --query id --output tsv will show you the registry ID.
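
The steps from the answers above combined into one script, as an added example that is not part of the original posts: it looks up the roles a service principal holds at the registry scope and only then runs docker login as that principal. The function names, the SP_PASSWORD variable and the AcrPush/AcrPull role names (Azure built-in roles not mentioned on this page) are assumptions of the example.

```bash
#!/usr/bin/env bash
# Added example (not from the answers). Assumes `az login` was already done with
# an account allowed to read role assignments; the registry name, app ID and
# $SP_PASSWORD are caller-supplied placeholders.

# Reduce role names (one per line on stdin) to the strongest registry access:
# "push" (implies pull), "pull" or "none". AcrPush/AcrPull are Azure built-in roles.
acr_access_from_roles() {
  local access role
  access=none
  while IFS= read -r role; do
    case "$role" in
      Owner|Contributor|AcrPush) access=push ;;
      Reader|AcrPull) if [ "$access" = none ]; then access=pull; fi ;;
    esac
  done
  echo "$access"
}

# Role names assigned to one service principal directly at the registry scope
# (the scope used with create-for-rbac in the question).
# usage: acr_sp_roles <registry-name> <sp-app-id>
acr_sp_roles() {
  local acr_id
  acr_id=$(az acr show --name "$1" --query id --output tsv) || return 1
  az role assignment list --scope "$acr_id" --assignee "$2" \
    --query "[].roleDefinitionName" --output tsv
}

# docker login with the SP's application (client) ID as the user name. The secret
# is piped on stdin so it stays out of the process list and shell history.
# Prints the access level the login will have ("pull" or "push").
# usage: SP_PASSWORD=... acr_docker_login <registry-name> <sp-app-id>
acr_docker_login() {
  local access
  access=$(acr_sp_roles "$1" "$2" | acr_access_from_roles)
  if [ "$access" = none ]; then
    echo "service principal $2 has no pull/push role on $1" >&2
    return 1
  fi
  printf '%s' "$SP_PASSWORD" |
    docker login "$1.azurecr.io" --username "$2" --password-stdin >&2 || return 1
  echo "$access"
}
```

A principal that only holds Reader gets "pull" here, which matches the second answer: the login succeeds but a push is refused.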