3

I have created an Azure service principal like this:

az ad sp create-for-rbac --name $SERVICE_PRINCIPAL_NAME --scopes $ACR_REGISTRY_ID --role reader

After logging in (az login --service-principal -u $SERVICE_PRINCIPAL_NAME -p $SERVICE_PRINCIPAL_ID --tenant $TENANT_ID) I am able to see all the images (az acr repository list --name $ACR_REGISTRY_NAME) which are in my registry, but I cannot push or pull images (docker pull myregistry.azurecr.io/myimage:latest).

Are there any permissions I am not aware of? I have tried the same with other roles like owner or contributor, but those SPs also get the same error, which is the following:

Error response from daemon: Get https://myregistry.azurecr.io/v2/myimage/latest/manifests/latest: unauthorized: authentication required


Update 14. of August:

I am also not able to docker login with the SP:

Error response from daemon: Get myregistry.azurecr.io/v2: unauthorized: authentication required

zara

2 Answers

4

You need to log in to the registry using docker login:

docker login myregistry.azurecr.io -u xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -p myPassword

Refer to: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication#service-principal

melsaqqa
  • 5
    Unfortunately that is not working either: > Error response from daemon: Get https://myregistry.azurecr.io/v2/: unauthorized: authentication required – zara Aug 13 '18 at 23:11
  • you have to replace with your login server – Hanu Nov 29 '18 at 08:33
4

For the Azure Container Registry, there are two ways to log in.

One is to log in with the command az acr login -n azureacrServer -u username -p password; you have the owner permission after logging in.

The other is to log in with a service principal using the command docker login azureacrServer -u servicePrincipalId -p sppassword. In this way, you just have the permission of the service principal after logging in. I tried it, and the result is as the screenshot below shows:

enter image description here

This service principal is just set as a Reader. So we cannot push the image.

enter image description here

You can get the details about the service principals of the Azure container registry with the command az role assignment list --scope acrId; the command will show all the service principals of the registry. The command az acr show --resource-group groupName --name acrName --query id --output tsv will show you the registry ID.

Charles Xu
  • Thank you for your detailed answer, the problem was actually in a completely different direction, for reference: https://github.com/docker/for-mac/issues/2295 – zara Aug 14 '18 at 15:41
  • @zara So I suggest you get the information of service principal at the end of the answer.:-) – Charles Xu Aug 15 '18 at 00:55
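
Added example, not part of the original question or answers: a Python check that takes the JSON printed by az role assignment list (with --output json) and works out which of pull and push a service principal holds on the registry, counting assignments inherited from a parent scope. The sample data, the principal names and the registry ID are constructed; the role-to-rights table follows Microsoft's ACR roles documentation, and treating unlisted roles as granting nothing is an assumption of this sketch.

```python
import json

# Push/pull rights of Azure built-in roles on a registry, following Microsoft's
# ACR roles documentation. Assumption: roles not listed here grant neither.
ROLE_RIGHTS = {
    "owner": {"pull", "push"},
    "contributor": {"pull", "push"},
    "acrpush": {"pull", "push"},
    "acrpull": {"pull"},
    "reader": {"pull"},
}

def scope_covers(assignment_scope, registry_id):
    """True if an assignment made at assignment_scope is inherited by the registry."""
    a = assignment_scope.rstrip("/").lower()
    r = registry_id.rstrip("/").lower()
    # Compare on a path-segment boundary so ".../demo" does not match ".../demo-rg".
    return r == a or r.startswith(a + "/")

def registry_rights(assignments, principal, registry_id):
    """Union of push/pull rights that principal (name or object id) holds."""
    who = principal.lower()
    rights = set()
    for item in assignments:
        names = {(item.get("principalName") or "").lower(),
                 (item.get("principalId") or "").lower()}
        if who in names and scope_covers(item.get("scope") or "", registry_id):
            role = (item.get("roleDefinitionName") or "").lower()
            rights |= ROLE_RIGHTS.get(role, set())
    return rights

# Constructed sample in the shape of `az role assignment list --output json`.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
REGISTRY_ID = (SUB + "/resourceGroups/demo-rg/providers/"
               "Microsoft.ContainerRegistry/registries/myregistry")
SAMPLE = json.loads("""[
  {"principalName": "ci-reader", "roleDefinitionName": "Reader", "scope": "{REG}"},
  {"principalName": "ci-pusher", "roleDefinitionName": "AcrPush",
   "scope": "{SUB}/resourceGroups/demo-rg"},
  {"principalName": "ci-other", "roleDefinitionName": "Contributor",
   "scope": "{SUB}/resourceGroups/demo"}
]""".replace("{REG}", REGISTRY_ID).replace("{SUB}", SUB))

if __name__ == "__main__":
    for sp in ("ci-reader", "ci-pusher", "ci-other"):
        print(sp, sorted(registry_rights(SAMPLE, sp, REGISTRY_ID)) or "no push/pull")
```

By default az role assignment list --scope reports only assignments made at exactly that scope; pass --include-inherited to have parent-scope assignments in the input.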