acr import fails with acrpush role
Describe the bug: When running az acr import, under a task with acrpush rights, I receive a failure of unknown registry.
To Reproduce: Steps to reproduce the behavior:
- create a sp with acrpush rights
- az acr login, with the sp user/pwd
- az acr import --name contosobaseimages --source docker.io/library/node:9-alpine -t staging/node:9-alpine --force
ERROR: The resource with name 'contosobaseimages' and type 'Microsoft.ContainerRegistry/registries' could not be found in subscription 'SteveLas-Internal (daae1e1a-63dc-454f-825d-b39289070f79)'.
Expected behavior: acrpush rights to work.
Work around: I had to assign contributor rights to get this flow to work, which is much more than Import should require.
https://docs.microsoft.com/en-us/azure/container-registry/container-registry-import-images#prerequisites
Clarifying for next steps:
- contributor is required today
- we should enhance it to work with limited acrpush rights
Testing @Azure/azure-container-registry
Any updates on the status of this? Thanks!
@rtaylor72, before we have a built-in role for this, it is relatively easy to create a custom role for you with the minimum permissions. Below is a template. You can save it to a file like acrImport.json and then invoke az role definition create --role-definition c:\temp\acrImport.json to create a role. To demonstrate the whole e2e, I also list other commands for verification. One catch is that you should give it a minute or so to wait for the role to propagate.
{
  "assignableScopes": [
    "/subscriptions/<optional, but you can limit the visibility to a few subscriptions>"
  ],
  "description": "acr image import",
  "Name": "AcrImport",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/push/write",
        "Microsoft.ContainerRegistry/registries/pull/read",
        "Microsoft.ContainerRegistry/registries/read",
        "Microsoft.ContainerRegistry/registries/importImage/action"
      ],
      "dataActions": [],
      "notActions": [],
      "notDataActions": []
    }
  ],
  "roleType": "CustomRole"
}
The rest of the commands to consume the role:
az acr create -g test -n yugangwimport --sku basic
az ad sp create-for-rbac -n import-test --role AcrImport --scope /subscriptions/<subscriptionId>/resourceGroups/test/providers/Microsoft.ContainerRegistry/registries/yugangwimport
az login -u <appID> -p <appSecret> -t <tenantID> --service-principal
az acr import -n yugangwimport --source docker.io/library/node:9-alpine -t staging/node:9-alpine
az acr login -n yugangwimport
az acr repository show -n yugangwimport -t staging/node:9-alpine
CC @toddysm
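The custom role above works because it grants exactly the four control-plane actions `az acr import` needs. Before assigning a role (built-in or custom) to a pipeline identity, it is worth checking mechanically whether that role already covers those actions, rather than escalating to Contributor when an import fails. The script below is an added example written for this thread, not Azure's or the az CLI's code: it takes role definitions in the shape `az role definition list` prints (a JSON list, or a single role file like acrImport.json), honours Azure's `*` wildcards and `notActions` carve-outs, and reports which of the four required actions each role is missing. The AcrPush and ContosoRegistryOperator documents are constructed samples, the first modelled only on what this thread says about the built-in AcrPush role.

```python
"""Least-privilege check for `az acr import`: does a role definition grant
every control-plane action the thread identifies as required?

Added example for this thread, not Azure's code. The role documents below are
constructed samples shaped like `az role definition list` output.
"""
import fnmatch
import json

# The four actions granted by the custom AcrImport role posted in the thread.
REQUIRED_ACTIONS = [
    "Microsoft.ContainerRegistry/registries/push/write",
    "Microsoft.ContainerRegistry/registries/pull/read",
    "Microsoft.ContainerRegistry/registries/read",
    "Microsoft.ContainerRegistry/registries/importImage/action",
]


def _matches(pattern: str, action: str) -> bool:
    """Azure RBAC action strings are case-insensitive and use '*' as a wildcard
    that may span several '/' segments, which fnmatch's '*' also does."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def granted_actions(role: dict, required=REQUIRED_ACTIONS) -> set:
    """Subset of `required` the role effectively allows: matched by some
    `actions` entry and not carved out again by a `notActions` entry."""
    allowed = set()
    for perm in role.get("permissions", []):
        for action in required:
            granted = any(_matches(p, action) for p in perm.get("actions", []))
            denied = any(_matches(p, action) for p in perm.get("notActions", []))
            if granted and not denied:
                allowed.add(action)
    return allowed


def missing_actions(role: dict, required=REQUIRED_ACTIONS) -> list:
    """Required actions the role does not grant, in the order of `required`."""
    have = granted_actions(role, required)
    return [a for a in required if a not in have]


def report(role_json: str) -> dict:
    """Parse `az role definition list` style JSON (a list, or a single role
    object such as the acrImport.json template, which uses the key "Name")
    and map each role name to the actions it lacks for `az acr import`."""
    data = json.loads(role_json)
    roles = data if isinstance(data, list) else [data]
    return {r.get("roleName") or r.get("Name"): missing_actions(r) for r in roles}


# Constructed sample modelled on the thread's description of the built-in
# AcrPush role: push and pull only, no registries/read and no importImage.
ACR_PUSH_SAMPLE = json.dumps([{
    "roleName": "AcrPush",
    "permissions": [{
        "actions": [
            "Microsoft.ContainerRegistry/registries/pull/read",
            "Microsoft.ContainerRegistry/registries/push/write",
        ],
        "notActions": [], "dataActions": [], "notDataActions": [],
    }],
}])

# The custom AcrImport role as posted in the thread.
ACR_IMPORT_SAMPLE = json.dumps({
    "Name": "AcrImport",
    "permissions": [{
        "actions": REQUIRED_ACTIONS,
        "notActions": [], "dataActions": [], "notDataActions": [],
    }],
    "roleType": "CustomRole",
})

# Constructed sample: a wildcard role that explicitly denies importImage,
# to show that a broad grant can still fail the check via notActions.
WILDCARD_DENY_SAMPLE = json.dumps({
    "roleName": "ContosoRegistryOperator",
    "permissions": [{
        "actions": ["Microsoft.ContainerRegistry/*"],
        "notActions": ["Microsoft.ContainerRegistry/registries/importImage/action"],
    }],
})

if __name__ == "__main__":
    for sample in (ACR_PUSH_SAMPLE, ACR_IMPORT_SAMPLE, WILDCARD_DENY_SAMPLE):
        for name, missing in report(sample).items():
            status = "OK" if not missing else "missing " + ", ".join(missing)
            print(f"{name}: {status}")
```

To run it against a real tenant, pipe `az role definition list --name AcrPush` (or any role name) into `report()` instead of the constructed samples; a role that reports no missing actions is sufficient for `az acr import`, and anything it grants beyond the four actions is surplus privilege the identity does not need.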
Thanks for the response! So the "Acr Push" role is missing the last 2 actions for the "az acr import" command to work. At least we all know the minimal rights needed to run this. Thanks Again!
@rtaylor72, you are very welcome! And that is correct, the last 2 actions are the missing ones.
@dlepow, could we add an article that explains how to do custom roles for ACR, using the above Import role as an example?
@yugangw-msft
Apparently there is a barrier for custom roles on AD behind the Premium Plan. Is there any ETA regarding this role implementation?
EDIT
The role was not at AD level but at ACR level.