I'm trying to deploy a Docker container to Azure App Service from Azure DevOps Services. I've pushed the Docker image to Azure Container Registry. When I try to create the release definition, I am not able to find the service connection for Azure Container Registry. I have created the service connection for ACR, but it's not showing up in the list in the Azure DevOps portal.

When I selected 'Azure Container Repository' as the source type, the service connection is not visible in the drop down box. I'm using DockerHub as another option. It's displaying the service connection in the list.

The steps I followed to create the service connection for ACR:

  1. Selected Docker Registry from the list.
  2. Selected Azure Container Registry as Registry Type. Provided the subscription ID and the registry from ACR.
  3. Provided the service connection name and saved.

UPDATE

I have created a service connection for Azure Resource Manager using managed identity authentication by providing both the subscription ID and the tenant ID. I'm trying to use this connection in the Artifact settings. I got the error below.

Variable with name endpoint.serviceprincipalid could not be found for the given service connection.

It's failing to pull the Docker image from ACR. The logs from App Service show pull access denied for the repository.

Service Connection problem solved but facing docker permission issue from App service

2020-02-10 12:31:11.781 INFO  - Pulling image from Docker hub: 
kbdockerregis/kbdockerimage:15

2020-02-10 12:31:14.406 ERROR - DockerApiException: Docker API responded with 
status code=NotFound, response={"message":"pull access denied for 
kbdockerregis/kbdockerimage, repository does not exist or may require 'docker 
login': denied: requested access to the resource is denied"}

2020-02-10 12:31:14.408 ERROR - Image pull failed: Verify docker image 
configuration and credentials (if using private repository)

2020-02-10 12:31:14.412 INFO  - Stoping site kbapp1 because it failed during 
startup.
I am focusing on this and will continue on your second error. For your first error, it is just because here it only fetches service connections whose type is azurerm. - Merlin Liang - MSFT

Could you press F12, and then click on the refresh button which is shown in this pic? imgur.com/a/mFj7UMZ Next, choose the service connection with which you faced the above error. Let me know what you saw from F12. - Merlin Liang - MSFT

I checked our source code, and endpoint.serviceprincipalid is the one which will be added into headers when applying ACR in source. But I want to know what's happening on your side. - Merlin Liang - MSFT

@MerlinLiang-MSFT The site keeps loading. It takes time to display the release settings (Artifact and Staging). - Kumaresh Babu N S

Check my message below, and let me know whether Service Principal Authentication solved the error. - Merlin Liang - MSFT

1 Answer

When I selected 'Azure Container Repository' as the source type, the service connection is not visible in the drop down box.

For this first issue, this is because of the API our system uses when you choose ACR as the release source, shown below:

https://dev.azure.com/{org}/{project}/_apis/serviceendpoint/endpoints?type=azurerm

You can see that the parameter attached to this API is type=azurerm. It only fetches service connections whose type is Azure Resource Manager, and Container Registry does not belong to this type.

So, you'd better create and use a service connection whose type is Azure Resource Manager.


Variable with name endpoint.serviceprincipalid could not be found for the given service connection.

For this second issue, I haven't got much info from you (like checking the stack trace). So, based on what I know, I'd suggest you change the type from Managed Identity Authentication to Service Principal Authentication. Then follow this doc to configure it.

This is more secure and can be authorized first.

Service Principal Client ID: this is the application ID you get after you create the app in Azure app registrations:

Service principal key:

Stack Overflow is an open forum and it is not secure to share some key info (especially the Fiddler trace) which I need and use to investigate from the backend. You'd better go here because you can choose Microsoft Only there. If possible, I can go to that community and let that community's engineer show it to me, so that I can continue to dig into it.
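
An added example (not part of the original answer and not Azure DevOps code) that applies the two conditions discussed in this thread to a service connection listing: the `type=azurerm` filter and the presence of `serviceprincipalid`. The JSON is a constructed sample; the field layout (`type`, `authorization.scheme`, `authorization.parameters`), the scheme names and the case-insensitive key match are assumptions about the endpoints API response.

```python
import json

# Constructed sample shaped like a service connection listing from
# .../_apis/serviceendpoint/endpoints (names and ids are made up).
SAMPLE_RESPONSE = json.loads("""
{"count": 3, "value": [
  {"id": "00000000-0000-0000-0000-000000000001",
   "name": "acr-docker-registry", "type": "dockerregistry",
   "authorization": {"scheme": "ServicePrincipal",
     "parameters": {"servicePrincipalId": "11111111-1111-1111-1111-111111111111"}}},
  {"id": "00000000-0000-0000-0000-000000000002",
   "name": "arm-managed-identity", "type": "azurerm",
   "authorization": {"scheme": "ManagedServiceIdentity",
     "parameters": {"tenantid": "22222222-2222-2222-2222-222222222222"}}},
  {"id": "00000000-0000-0000-0000-000000000003",
   "name": "arm-service-principal", "type": "azurerm",
   "authorization": {"scheme": "ServicePrincipal",
     "parameters": {"tenantid": "22222222-2222-2222-2222-222222222222",
                    "serviceprincipalid": "33333333-3333-3333-3333-333333333333"}}}
]}
""")

def classify(endpoint, wanted_type="azurerm"):
    """Return (usable, reason) for use as an ACR release artifact source."""
    ep_type = str(endpoint.get("type", "")).lower()
    if ep_type != wanted_type:
        # Condition 1: the picker queries ?type=azurerm, so other types never appear.
        return False, f"hidden: type={ep_type} is excluded by ?type={wanted_type}"
    auth = endpoint.get("authorization") or {}
    # Assumption: parameter keys are compared case-insensitively.
    params = {k.lower(): v for k, v in (auth.get("parameters") or {}).items()}
    if not params.get("serviceprincipalid"):
        # Condition 2: without this value the picker reports
        # "Variable with name endpoint.serviceprincipalid could not be found".
        return False, f"listed, but scheme={auth.get('scheme')} has no serviceprincipalid"
    return True, "listed and carries serviceprincipalid"

def audit(response):
    """Map each service connection name to its (usable, reason) verdict."""
    return {ep["name"]: classify(ep) for ep in response.get("value", [])}

if __name__ == "__main__":
    for name, (usable, reason) in audit(SAMPLE_RESPONSE).items():
        print(f"{'OK  ' if usable else 'SKIP'} {name}: {reason}")
```

The listing carries identifiers only, not the service principal key, so the same check can run on a saved copy of the response.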