0
votes

I've been trying to push my Docker images into my organization's Azure container registry, but it's failing again and again with a 401 error. I know a 401 error relates to authentication/authorization, but I tried giving both the "Azure Service Principal ID", which has Contributor access to ACR, and the "Azure container registry admin access keys". The end result is the same: a 401 unauthorized error.

I presume the "Contributor" role on ACR is more than enough to play around with it, as it will have pretty much all privileges.

Also, what confuses me more is getting a 401 error even if I use the ACR admin access keys, which I believe have all sufficient privileges.

I tried to replicate the same scenario with my own Azure account, where I didn't get this error. I tried all possibilities and everything worked like a charm in my account.

Am I missing something or going wrong anywhere?

1
Normally the role AcrPush is enough. How are you pushing your image? Through a DevOps pipeline? – Thomas
Did you make sure to log in to your container registry with `az acr login --name YourContainerRegistryName` before pushing to the container registry? – hafij
@Thomas Does the Contributor role not suffice to push images? Is the AcrPush role also required? I have set up a GitLab runner in AKE and I'm trying to push the image to ACR through kaniko. To my surprise, I did not get this error code when I pushed the images from my workstation through Docker. – Prasa2166
Contributor is good also. Which SP have you granted the Contributor role to? – Thomas
Any updates on this question? Does it solve your problem? – Charles Xu

1 Answer

1
votes

It seems weird. Generally, the admin access key has all the permissions to manage the ACR, so it must have the ability to push the image into the ACR.

Usually, the possible reasons for getting the authentication error are:

  1. The service principal does not have enough permission on the ACR. This includes being assigned a wrong role or a wrong scope, so check the role assignment to see whether the role and the scope are right.
  2. You did not log in to the ACR with the right server URL, so you need to log in again with the right server URL and credentials.
  3. The image name and the tag don't match the ACR that you have permission to push to, so you need to check that the image name is right. For example, myacr.azurecr.io/image:tag
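
Checks 2 and 3 from the list above can be run offline against the Docker `config.json` that the push client reads (kaniko uses the same `auths` layout). This is an added example, not part of the original answer; the function names, the sample config and the credentials in it are constructed.

```python
import base64

def registry_host(image_ref):
    """Registry host of an image reference, or None when the name carries no host."""
    first, sep, _ = image_ref.partition("/")
    # Docker treats the first path component as a host only if it looks like one.
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return None

def auth_key_host(key):
    """Reduce a config.json "auths" key (bare host or URL) to its host."""
    key = key.lower()
    for scheme in ("https://", "http://"):
        if key.startswith(scheme):
            key = key[len(scheme):]
    return key.split("/", 1)[0]

def has_credentials(entry):
    """True if the entry holds a token or a non-empty user:password pair."""
    if entry.get("identitytoken"):
        return True
    try:
        user, _, secret = base64.b64decode(entry.get("auth", "")).decode().partition(":")
    except ValueError:  # bad base64 padding or non-UTF-8 bytes
        return False
    return bool(user and secret)

def check_push_target(image_ref, login_server, docker_config):
    """Return the problems that would make a push to login_server fail with 401."""
    login_server = login_server.lower()
    problems = []
    host = registry_host(image_ref)
    if host is None:
        problems.append("image name has no registry host")
    elif host != login_server:
        problems.append(f"image targets {host}, not {login_server}")
    auths = {auth_key_host(k): v for k, v in docker_config.get("auths", {}).items()}
    if login_server not in auths:
        problems.append(f"no credentials stored for {login_server}")
    elif not has_credentials(auths[login_server]):
        problems.append(f"empty or malformed credentials for {login_server}")
    return problems

# Constructed sample: the login was stored under a mistyped server name.
SAMPLE_CONFIG = {"auths": {"https://myarc.azurecr.io": {
    "auth": base64.b64encode(b"constructed-sp-id:constructed-secret").decode()}}}

if __name__ == "__main__":
    print(check_push_target("myacr.azurecr.io/image:tag", "myacr.azurecr.io", SAMPLE_CONFIG))
```

An empty result only means the client is sending credentials to the intended registry; whether the role and scope behind them allow a push (check 1) still has to be confirmed on the role assignment itself.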