Resource access denied when pushing container to Azure Container Registry

1
votes

When pushing containers into a private Azure Container Registry using Docker Compose the Azure DevOps pipeline returns the following error:

Pushing [container] ([registry]/[app]:latest)...

The push refers to repository [docker.io/[registry]/[container]]

denied: requested access to the resource is denied

The azure-pipeline.yml file is taken from the Docker Compose example shown in the Microsoft Microservices eShopOnContainer example, here:

variables:
azureContainerRegistry: myregistry
azureSubscriptionEndpoint: My Service Principle
...
task: DockerCompose@0
    displayName: Compose push customer API
    inputs:
        containerregistrytype: Azure Container Registry
        azureSubscriptionEndpoint: $(azureSubscriptionEndpoint)
        azureContainerRegistry: $(azureContainerRegistry)
        dockerComposeCommand: 'push [container]'
        dockerComposeFile: docker-compose.yml
        qualifyImageNames: true
        projectName: ""
        dockerComposeFileArgs: |
           TAG=$(Build.SourceBranchName)

The service principle is in the AcrPush role.

1
dockerdocker-composeazure-devopsdevopsazure-container-registry
Do you try to set the Content trust for build and push Docker images?Charles Xu
I'm only using a standard plan for the ACR in Azure, so that's disabled by default. Great shout, thought that could have been it!Ste Pammenter
Maybe you can try it. Hope it works.Charles Xu

1 Answers

1
votes

The solution is to be explicit with the container name. The documentation is misleading as it states firstly that: the containerregistrytype is Azure Container Registry by default. The example goes on to give Contoso as the value for azureContainerRegistry.

This is wrong. You need to explicitly set this to the "Login server" value from Azure. Therefore the registry should be "contoso.azurecr.io". So the full example should be:

variables:
azureContainerRegistry: contoso.azurecr.io
azureSubscriptionEndpoint: Contoso
steps:
- task: DockerCompose@0
  displayName: Container registry login
  inputs:
      containerregistrytype: Azure Container Registry
      azureSubscriptionEndpoint: $(azureSubscriptionEndpoint)
      azureContainerRegistry: $(azureContainerRegistry)

This is why the push repo it was referring to was in fact: docker.io (public docker hub) as that must actually be the default whch explains the access denied error.