11

When attempting to log in to Azure Container Registry with the `docker login` command using Active Directory credentials, I faced this issue:

```
Error response from daemon: Get https://myregistry.azurecr.io/v2/: unauthorized: authentication required
```

It may be obvious that there is a problem with permissions, but I could not find the correct way to reach the goal.

Please note that:

`az acr login --name myregistry` works perfectly fine, and after that I was able to upload my image, but due to a specific situation, I need a solution for the `docker login` command and auth with AD credentials.

I tried to provide the required permissions acrpull/acrpush/acrdelete to the user using the following doc:

https://learn.microsoft.com/en-us/azure/container-registry/container-registry-auth-service-principal

but with no luck - the same output.

Is there any way to log in to ACR with AD credentials using `docker login`?

DariyN

2 Answers

19

The document that you are following is the right way to create a service principal for container registry authentication. You need to assign the right role to the service principal. The roles are described in the script:

```
# Default permissions are for docker pull access. Modify the '--role'
# argument value as desired:
# acrpull:     pull only
# acrpush:     push and pull
# owner:       push, pull, and assign roles
```

When the service principal is ready, you can log in with the `docker login` command, using the variables from the script, like below:

```
docker login $ACR_NAME.azurecr.io -u $SP_APP_ID -p $SP_PASSWD
```

Then it works like this:

[Screenshot of the `docker login` output]

Charles Xu
  • Thank you for the detailed answer Charles. This is exactly what I had performed in the first attempt. Could you please clarify one detail here? How did you specify SP_APP_ID in the script? Is there User Object ID? – DariyN Sep 12 '19 at 06:43
  • 1
    @DariyN In the document you provided, it says you can create a new SP or use an existing SP. Whichever way you choose, you can also use the command `az ad sp show --id http://yourSPName --query appId -o tsv` to get the SP APP ID. It's the application ID. – Charles Xu Sep 12 '19 at 06:52
  • @DariyN Glad it helps you. – Charles Xu Sep 12 '19 at 07:00
  • I am behind a proxy and I continue to get the `unauthorized: authentication required` error. I have added proxy information. Can access hub.docker.com, but not the Azure repository – CBBSpike Sep 18 '20 at 21:55
  • @CBBSpike Please ask a new question with more details so that more communities can help you. – Charles Xu Sep 21 '20 at 01:29
  • To get rid of the first WARNING message, you can tweak the command like so: `echo $SP_PASSWD | docker login $ACR_NAME.azurecr.io -u $SP_APP_ID --password-stdin` – mika.koshonson Jan 09 '23 at 14:07
3

Found the issue!!!! In my case port 443 was closed from within my network, even if using a proxy. Requested the network team to open 443 and everything started working fine.

Gotta love the security team!!! Better to leave port 80 open and close port 443, nothing wrong with that... SECURE

CBBSpike
  • Where exactly did the security team open the port? I am getting the same timeout for https `Error response from daemon: Get https://xxxxxxxx.azurecr.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)` – Uday Kiran Jan 01 '21 at 21:25
  • I think they opened the proxy. Maybe the proxy was the one blocking it? Because it is the outbound that was getting blocked. – CBBSpike Jul 22 '21 at 13:51
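
The two answers above describe two different failures: rejected credentials or a missing role, and a blocked outbound path to port 443. The script below is an added example, not code from either answer, that tells them apart with an anonymous request to the registry's `/v2/` endpoint: a 401 carrying a Bearer challenge is the registry's normal reply and proves the network path works, while a curl failure points at the proxy or firewall. The function names and the sample response are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Pass the registry host as $1,
# or run with no argument to see the result for the constructed sample below.

# Constructed sample: header dump seen through a proxy (CONNECT reply, then 401).
SAMPLE_HEADERS=$(printf '%s\r\n' 'HTTP/1.1 200 Connection established' '' \
  'HTTP/1.1 401 Unauthorized' \
  'Www-Authenticate: Bearer realm="https://myregistry.azurecr.io/oauth2/token",service="myregistry.azurecr.io"')

# Last HTTP status code in a header dump (a proxy may prepend its own reply).
last_status() {
  printf '%s\n' "$1" | tr -d '\r' |
    awk 'toupper($1) ~ /^HTTP\// { code = $2 } END { print code }'
}

# Value of one parameter (realm, service) in the Bearer challenge header.
challenge_param() {  # $1 = header dump, $2 = parameter name
  printf '%s\n' "$1" | tr -d '\r' |
    grep -i '^www-authenticate:[[:space:]]*bearer' |
    sed -n "s/.*[ ,]$2=\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Map an anonymous GET /v2/ result to a failure class.
classify_probe() {  # $1 = curl exit status, $2 = HTTP status code
  if [ "$1" -ne 0 ]; then echo "network"        # DNS, proxy or blocked 443
  elif [ "$2" = "401" ]; then echo "auth"       # reachable: check SP id, secret, role
  elif [ "$2" = "407" ]; then echo "proxy-auth" # the proxy itself wants credentials
  elif [ "$2" = "200" ]; then echo "open"
  else echo "unexpected"
  fi
}

summarize() {  # $1 = curl exit status, $2 = header dump
  echo "class=$(classify_probe "$1" "$(last_status "$2")")" \
       "realm=$(challenge_param "$2" realm)" \
       "service=$(challenge_param "$2" service)"
}

# Subshell body keeps rc/headers local; a curl error is recorded, not fatal.
probe_registry() (
  rc=0
  headers=$(curl -sS -m 10 -D - -o /dev/null "https://$1/v2/") || rc=$?
  summarize "$rc" "$headers"
)

# Probe a real host when one is given, otherwise evaluate the constructed sample.
if [ -n "${1:-}" ]; then probe_registry "$1"; else summarize 0 "$SAMPLE_HEADERS"; fi
```

A result of `class=auth` means the registry is reachable, so the remaining suspects are the service principal's application ID, its password, and its role assignment; `class=network` matches the blocked-port case.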