2

I am following this tutorial showing how to develop IoT Edge modules with Linux containers.

I have created an Azure registry (I will call it myazureregistry).

Now I am trying to "docker push" the example module to this registry:

sudo docker push myazureregistry.azurecr.io/filtermodule:0.0.1-amd64

Alas, when running this command, I run into the following error:

unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information.

I have checked the webpage. It states that:

The ability to docker push an image [...] requires authentication with the registry using the authorized identity.

But I have already successfully logged in using sudo az acr login --name myazureregistry

What am I missing here?

EDIT [09/04/2023]:

I checked the permissions listed here. My contributor role should allow me to push images.

enter image description here

Sheldon
  • 4,084
  • 3
  • 20
  • 41

2 Answers2

1

I've come across that error message many times when using a new service principal or even entirely new account and forgot to that user which I'm using to run the shell (where you used your sudo az acr login - command) a ACR specific role like "acr push" (which also allows for pulling images).

I haven't personally used the admin user on the ACR like you do here, but you would have to be using that identity in your command line tool to have access via that admin account. If you can do role assignements in the Azure AD linked to your subscription, try assigning a acr role like the one named above and do your workflow again. Hope it helps figuring out what identity is actually making the request to the ACR.

TobiasK
  • 45
  • 7
  • Thanks for your answer, @TobiasK. I checked my roles assignments: my **contributor** role should allow me to push images (see edited question above). Are you suggesting that there is a mismatch between the "identity" used to docker push from my computer’s CLI and the one used to access the Azure portal? – Sheldon Apr 09 '23 at 17:59
  • Hi Sheldon, okay, sounds like you know that your using a /your personal account or as MS calls it (learn.microsoft.com/en-us/azure/container-registry/…) a individual AD identity in the CLI as well. And yes, your contributor role shoulb be enough if the ACR is within the scope of your role assignment. From reading the other answer and comments there, I'm asking myself wether a acr login with the admin user does make your terminal session take on the identity of that admin user or if your back to your personal user when performing docker push. I'll try myself when I find time. Interessting!! – TobiasK Apr 10 '23 at 20:53
1

Did the command az acr login --name myazureregistry prompt for any password when you tried to execute it? If the az acr login command does not prompt for any credentials, it means that you are already authenticated to Azure using the Azure CLI. In this case, the command uses the existing authentication context to log you in to the specified Azure Container Registry (ACR) instance. It could be possible that user logged in does not have the desired permissions to push the image to the Azure container registry.

To resolve this, execute the following command before you login to the container registry.

docker login -u <ACR username> -p <ACR password> <ACR login server>

You can get the credentials from the Azure portal by navigating to the Azure container registry and Access keys section. Refer the below image.

enter image description here

Make sure that the Admin user option is enabled for the user.

LeelaRajesh_Sayana
  • 333
  • 1
  • 9
  • Thanks for your detailed anwser @LeelaRajet_Sayana. Yes, `az acr login --name myazureregistry` prompts me for a password. I am already using the username and password specified in the **Access keys** page, as shown in your post. I also confirm that the **Admin user** option is enabled. Alas, logging in using these parameters does not allow me to "docker push". – Sheldon Apr 09 '23 at 17:40
  • Hi @Sheldon, I would still suggest to use the `docker login` command before using `az acr login` as it might be needed to push the image. Please refer the steps [Sign in to Docker](https://learn.microsoft.com/en-us/azure/iot-edge/tutorial-develop-for-linux?view=iotedge-1.4&tabs=csharp&pivots=iotedge-dev-cli#sign-in-to-docker) in the article where it says you are required to login into docker before you can push the container image. – LeelaRajesh_Sayana Apr 10 '23 at 15:13