ACR Task push fails to private registry using trusted services

Open tuge98 opened this issue 2 years ago • 3 comments

Hi,

We are using an approach to build and push images to a private ACR registry using ACR tasks with managed identities. Currently the build works just fine but for some reason the push fails:

acr-task.yaml

version: v1.1.0
env:
  - DOCKER_BUILDKIT=1
steps:
  - build: -t <registry/image:tag> -f Dockerfile .
  - push: 
    - <registry/image:tag>

azure-pipelines.yaml:

                  az acr task create \
                  --name $(acrTaskName) \
                  --registry $(containerRegistryName) \
                  --resource-group $(resourceGroup) \
                  --assign-identity $(managedIdentityResourceId) \
                  --base-image-trigger-enabled true \
                  --commit-trigger-enabled false \
                  --context $(azdoRepoUrl) \
                  --file acr-task.yml \
                  --git-access-token $(azdo-pa-token) \
                  --timeout 10800 \
                  --auth-mode None \
                  --image $(imageRepository):$(tag) \
                  --platform linux/amd64 

This is the output of the logs:

2023/10/02 13:30:18 Successfully set up Docker network: acb_default_network
2023/10/02 13:30:18 Setting up Docker configuration...
2023/10/02 13:30:19 Successfully set up Docker configuration
2023/10/02 13:30:19 Executing step ID: acb_step_0. Timeout(sec): 10800, Working directory: '<working_dir>', Network: 'acb_default_network'
2023/10/02 13:30:19 Scanning for dependencies...
2023/10/02 13:30:19 Successfully scanned dependencies
2023/10/02 13:30:19 Launching container with name: acb_step_0
#1 [internal] load build definition from Dockerfile
.... a lot of building stuff
#5 DONE 4.1s

#6 exporting to image
#6 naming to <registry/image:tag> done
#6 DONE 0.9s
2023/10/02 13:30:28 Successfully executed container: acb_step_0
2023/10/02 13:30:28 Executing step ID: acb_step_1. Timeout(sec): 10800, Working directory: '<working_dir>, Network: 'acb_default_network'
2023/10/02 13:30:28 Pushing image: registry/image:tag, attempt 1
The push refers to repository [registry/image]
bb27f8aef89a: Preparing
dc0585a4b8b7: Preparing
denied: client with IP '20.50.200.20' is not allowed access. Refer https://aka.ms/acr/firewall to grant access.

Any advice?

tuge98 avatar Oct 03 '23 07:10 tuge98

Please check out https://writeinseattle.com/2023/05/12/azure-container-registry-tasks-access-network-restricted-registry/ to set up the tasks

  1. You need to enable system assigned managed identity.
  2. You need to enable system assigned managed identity login to the registry.

northtyphoon avatar Nov 06 '23 21:11 northtyphoon
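
A check for the two steps in the comment above, as an added example that is not part of the thread: it reads the JSON of `az acr task show` and reports which step is still missing. The field names (`identity.type`, `credentials.customRegistries`) and the `[system]` identity value are assumptions about the CLI's JSON output, and the sample documents and names such as `example.azurecr.io` are constructed.

```python
import json

# Constructed sample shaped like `az acr task show -o json` for a task created
# with a user-assigned identity resource ID and no registry credential,
# resembling the command in the question.
TASK_AS_POSTED = json.loads("""
{
  "name": "example-task",
  "identity": {"type": "UserAssigned", "principalId": null,
               "userAssignedIdentities": {"<identity-resource-id>": {}}},
  "credentials": {"sourceRegistry": {"loginMode": "None"}, "customRegistries": {}}
}
""")

# Constructed sample for the same task after both steps in the comment above.
TASK_FIXED = json.loads("""
{
  "name": "example-task",
  "identity": {"type": "SystemAssigned",
               "principalId": "00000000-0000-0000-0000-000000000000"},
  "credentials": {"sourceRegistry": {"loginMode": "None"},
                  "customRegistries": {"example.azurecr.io": {"identity": "[system]"}}}
}
""")


def check_task(task, login_server):
    """Return the steps from the comment that the task still misses."""
    findings = []
    identity = task.get("identity") or {}
    # Assumed values: "SystemAssigned", "UserAssigned" or both, comma separated.
    types = {t.strip().lower() for t in (identity.get("type") or "").split(",")}
    if "systemassigned" not in types:
        findings.append("step 1: no system-assigned managed identity on the task")
    creds = (task.get("credentials") or {}).get("customRegistries") or {}
    # Login servers are host names, so compare case-insensitively.
    entry = next((v for k, v in creds.items() if k.lower() == login_server.lower()), None)
    if not entry or entry.get("identity") != "[system]":
        findings.append(f"step 2: no [system] identity login configured for {login_server}")
    return findings


if __name__ == "__main__":
    for label, task in (("as posted", TASK_AS_POSTED), ("fixed", TASK_FIXED)):
        print(label, check_task(task, "example.azurecr.io") or "ok")
```
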

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.

github-actions[bot] avatar Jan 06 '24 01:01 github-actions[bot]

Hi @tuge98, following up if you still require assistance with your ask.

getk12 avatar Jan 28 '25 22:01 getk12

Closing as no response for some time. Please share more details if assistance is still needed.

getk12 avatar Jul 25 '25 20:07 getk12