
I am trying to push signed images to an Azure Container Registry. I get the error 'failed to sign : you are not authorized to perform this operation: server returned 401' even though all the RBAC permissions are in place and I am logged in with the right credentials.

I have created an ACR in a personal (developer's) Azure account. I followed the instructions explained in this article. I have enabled Content Trust in the Container Registry resource.

I am registered as a user in Azure AD, and I have assigned myself the following roles for the container registry resource:

- Owner
- AcrImageSigner
- AcrPush

I have logged in to Azure using az login and then logged in to my container registry with az acr login --resource-group <MY_RESOURCE_GROUP> --name <ACR_NAME>

Edit: alternatively, I tried enabling the admin account on my ACR and using docker login with the admin account credentials, with the same result.

I am able to see the roles assigned to myself via the Azure CLI, and I have checked that I am logged in with the same credentials. I also tried enabling and disabling the administrator access key.

These are the commands I use to push a signed image to ACR from my Windows machine:

set DOCKER_CONTENT_TRUST=1
docker push <ACR_SERVER>/<IMAGE_NAME>:<TAG>

The image is pushed to the repository, but is not signed. These are the logs:

The push refers to repository [MY_ACR_NAME.azurecr.io/appname]
4a85926cec01: Layer already exists
349c7f00d08e: Layer already exists
370f72f4d447: Layer already exists
8dc6654a61c6: Layer already exists
8fa655db5360: Layer already exists
latest: digest: sha256:<A_VERY_LONG_SHA> size: 1375
Signing and pushing trust metadata
Enter passphrase for root key with ID 0c6a1f8:
Enter passphrase for new repository key with ID 96c45d3:
Repeat passphrase for new repository key with ID 96c45d3:
Finished initializing "MY_ACR_NAME.azurecr.io/appname"
failed to sign MY_ACR_NAME.azurecr.io/appname: you are not authorized to perform this operation: server returned 401.

I expect to be able to sign the image since I am authenticated and I have the proper roles. I hope somebody can help me figure out what I am missing!

Edit 2: I tried just pulling the hello-world image from Docker and signing it, to eliminate the possibility that I cannot 'sign third-party images'. Same result.

1 Answer


According to this solution:

The root cause is that the permission list is not recognizable by ACR if the current login user has a classic subscription administrator role, such as Service Administrator and Co-Administrator.

Signing containers with a user principal (Azure AD account) fails at this moment if the user has the service administrator credentials, basically if you are trying to sign containers to your own private repository. Signing and pulling signed containers with service principal credentials is not a problem.
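The workaround the answer points at, signing with a service principal instead of the logged-in user, as an added PowerShell example that is not part of the question or the answer. It assumes the Azure CLI and Docker are installed, that az login has already been run as a user allowed to create service principals and role assignments, and that the service principal name, repository name and the placeholder values are stand-ins for your own. The role names AcrPush and AcrImageSigner are the ones named in the question.

```powershell
# Added example, not code from the question or the answer: push a signed image
# using a service principal rather than the Azure AD user, which the answer says
# avoids the 401 seen when the user holds a classic administrator role.
$ResourceGroup = "<MY_RESOURCE_GROUP>"
$AcrName       = "<ACR_NAME>"
$SpName        = "acr-signer-sp"        # assumed name for the new service principal
$Repo          = "appname"              # repository name taken from the question's logs
$Server        = "$AcrName.azurecr.io"

# Resource ID of the registry, so the role assignments are scoped to this ACR only.
$acrId = az acr show --resource-group $ResourceGroup --name $AcrName --query id --output tsv

# Create a service principal that can push to this registry (AcrPush only, nothing wider).
$sp = az ad sp create-for-rbac --name $SpName --role AcrPush --scopes $acrId | ConvertFrom-Json

# Pushing images and pushing trust metadata are separate permissions; add the signing role.
az role assignment create --assignee $sp.appId --role AcrImageSigner --scope $acrId | Out-Null

# Log in to the registry as the service principal. The secret goes in over stdin so it
# does not end up in the process command line or shell history.
$sp.password | docker login $Server --username $sp.appId --password-stdin

# Enable Docker Content Trust for this session only, then tag and push. Docker will
# prompt for the root key passphrase and a new repository key passphrase, as in the
# question's logs, and then push the signed trust metadata.
$env:DOCKER_CONTENT_TRUST = "1"
docker pull hello-world:latest
docker tag hello-world:latest "$Server/${Repo}:latest"
docker push "$Server/${Repo}:latest"

# Confirm that a signature is now recorded for the tag; an unsigned tag shows no signers.
docker trust inspect --pretty "$Server/${Repo}:latest"
```

Two things to keep in mind when adapting this: the service principal secret returned by az ad sp create-for-rbac should be stored in a secret store rather than left in the session, and the root and repository key passphrases Docker asks for protect the signing keys under ~/.docker/trust, which are what actually authorize future signatures for that repository, so back them up and keep them separate from the registry credentials.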