1
votes

I am currently trying to use Azure Pipelines to build a Docker image and push it to the Azure Container Registry. I have a Service Connection set up, but the build is failing with "denied." I suspect the reason for this is that my Container Registry is set up to only allow access from "selected networks" and is restricted to a few IPs. I validated this by temporarily allowing all networks, after which the build/push succeeded.

Is there any way to get Azure Pipelines to successfully push a Docker image to the Container Registry that is only allowing selected networks? I thought that was what the Service Connection was for?

[image: Selected Networks setting on the Container Registry]

2
Usually that access can be configured in the firewall. You might have to add a rule specifically for that service connection. I have not tested this, as it requires the Premium SKU. (Philip)

2 Answers

2
votes

I'm afraid you're right. The likely reason is that you set it to selected networks and did not add the IP address of Azure DevOps to allow the traffic. As far as I know, the IP address of Azure DevOps will change over time; here is the description:

In some setups, you may need to know the range of IP addresses where agents are deployed. For instance, if you need to grant the hosted agents access through a firewall, you may wish to restrict that access by IP address. Because Azure DevOps uses the Azure global network, IP ranges vary over time.

So you need to allow an IP range, not a single IP address, and that is not a secure way. From my experience, the most secure way is to control the access permissions for the principals, not the networks. You can create multiple service principals and grant them different roles to control the permissions. For example, the AcrPull role only has permission to pull images. More details about the roles here. You can even control the permissions on individual repositories; here is more information about it.

By the way, I think the firewall for selected networks is more suitable for resources inside Azure; for that, you can use an endpoint to achieve it.

1
votes

Please make sure that your service connection has AcrPush permission.

You can check it or add if needed here:


(You will find your connection under name 'your-organization-your-project')
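The two answers above together describe the workable pattern: keep the registry on selected networks, give the pipeline's identity only the role it needs (AcrPush, since AcrPull cannot push), and deal with the changing hosted-agent address rather than allowing a whole Azure IP range permanently. The pipeline below is an added example and is not code from the question or from either answer. It opens the registry firewall for the agent's current public address only for the duration of the push, then closes it again. All names are assumptions: an Azure Resource Manager service connection 'acr-arm-connection' whose service principal is allowed to change the registry's network rules (for example Contributor on the registry resource), a Docker Registry service connection 'acr-docker-connection' whose service principal holds only AcrPush, registry 'myregistry' in resource group 'my-rg', and image repository 'app'. Network rules on ACR require the Premium SKU, as the comment on the question notes.

```yaml
# Added example, not from the question or either answer. Assumed names:
#   acr-arm-connection    ARM service connection; its principal may edit the
#                         registry's network rules (e.g. Contributor on the ACR)
#   acr-docker-connection Docker Registry service connection; its principal
#                         holds only the AcrPush role
#   myregistry / my-rg    the Premium-SKU registry and its resource group
#   app                   the image repository to push to
trigger:
  - main

pool:
  vmImage: ubuntu-latest

variables:
  registryName: myregistry
  resourceGroup: my-rg
  imageRepository: app

steps:
  # 1. Find the hosted agent's current public address and allow it on the
  #    registry. The IP echo service is an assumption; any equivalent works.
  - task: AzureCLI@2
    displayName: Allow agent IP on the registry
    inputs:
      azureSubscription: acr-arm-connection
      scriptType: bash
      scriptLocation: inlineScript
      inlineScript: |
        set -euo pipefail
        AGENT_IP="$(curl -fsS https://api.ipify.org)"
        # Hand the address to the cleanup step at the end of the job.
        echo "##vso[task.setvariable variable=agentIp]$AGENT_IP"
        az acr network-rule add \
          --name "$(registryName)" \
          --resource-group "$(resourceGroup)" \
          --ip-address "$AGENT_IP"
        # Rule propagation is not instantaneous; the wait length is a guess.
        sleep 30

  # 2. Build and push through the Docker Registry service connection. Its
  #    service principal needs AcrPush; AcrPull alone yields "denied" on push.
  - task: Docker@2
    displayName: Build and push
    inputs:
      command: buildAndPush
      containerRegistry: acr-docker-connection
      repository: $(imageRepository)
      dockerfile: $(Build.SourcesDirectory)/Dockerfile
      tags: |
        $(Build.BuildId)

  # 3. Remove the rule even when the push failed, so the allow list does not
  #    accumulate stale addresses that other tenants' hosted agents may reuse.
  - task: AzureCLI@2
    displayName: Remove agent IP from the registry
    condition: always()
    inputs:
      azureSubscription: acr-arm-connection
      scriptType: bash
      scriptLocation: inlineScript
      inlineScript: |
        set -euo pipefail
        az acr network-rule remove \
          --name "$(registryName)" \
          --resource-group "$(resourceGroup)" \
          --ip-address "$(agentIp)"
```

Two things to keep in mind with this pattern. First, the network rule only narrows the path; hosted agent addresses are shared infrastructure, so during the window the rule is open, anything else leaving from that address is stopped only by authentication, which is why the first answer's point about scoping the identity (AcrPush on just this registry, or repository-scoped permissions) matters more than the rule itself. Second, the cleanup step uses `condition: always()` so a failed build cannot leave the address permanently allowed.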