Running a task with az acr import results in access denied but docker pull/tag/push works

Open infbase opened this issue 3 years ago • 2 comments

Describe the bug

When running a task to copy an image between 2 private ACRs using "az acr import" we get access denied on the destination ACR, which is also the one running the task. If instead of "az acr import" the task uses a sequence of docker pull/tag/push commands, the copy is successful.

To Reproduce

Task definition using az acr import

version: v1.1.0
secrets:
  - id: username
    keyvault: https://...
  - id: password
    keyvault: https://...
steps:
 - cmd: az login --identity
 - cmd: az acr import --name {{.Run.RegistryName}} --source cscm1nacr002.azurecr.io/dip-process-backend:1.4.7734 --image dip-process-backend:1.4.7734 --force --username {{.Secrets.username}} --password {{.Secrets.password}}

Output with az acr import

2021/08/19 15:41:53 Launching container with name: acb_step_1
ERROR: Deployment failed. Correlation ID: 025f7991-e511-4863-89fc-685ad8f580f1. Operation registries-fac9ea94-0103-11ec-adfc-0242ac120002 failed. Resource /subscriptions/ad5da976-b65a-480e-bf56-048dcf0a8657/resourceGroups/rgcm1hmalmt001/providers/Microsoft.ContainerRegistry/registries/cscm1hacr002 Access to cscm1hacr002.azurecr.io denied.

Task definition with docker commands

version: v1.1.0
secrets:
  - id: username
    keyvault: https://...
  - id: password
    keyvault: https://...
steps:
- cmd: az login --identity
- cmd: docker login cscm1nacr002.azurecr.io --username {{.Secrets.username}} --password {{.Secrets.password}}
- cmd: docker pull cscm1nacr002.azurecr.io/dip-process-backend:1.4.7734
- cmd: docker tag cscm1nacr002.azurecr.io/dip-process-backend:1.4.7734 cscm1hacr002.azurecr.io/dip-process-backend:1.4.7734
- push:
    - cscm1hacr002.azurecr.io/dip-process-backend:1.4.7734

Output with docker commands

Login Succeeded
(...)
Status: Downloaded newer image for cscm1nacr002.azurecr.io/dip-process-backend:1.4.7734
(...)
2021/08/19 15:38:32 Successfully pushed image: cscm1hacr002.azurecr.io/dip-process-backend:1.4.7734

Expected behavior

The image should be successfully imported to cscm1hacr002 with the az acr import command.

Any relevant environment information

  • Azure CLI: 2.25.0

infbase Aug 19 '21 15:08

@infbase you might need to ensure trusted services are enabled:

Please see the important note here: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-import-images

Changes to image import between two Azure container registries have been introduced as of January 2021:

Import to or from a network-restricted Azure container registry requires the restricted registry to allow access by trusted services to bypass the network. By default, the setting is enabled, allowing import. If the setting isn't enabled in a newly created registry with a private endpoint or with registry firewall rules, import will fail. In an existing network-restricted Azure container registry that is used as an import source or target, enabling this network security feature is optional but recommended.

https://docs.microsoft.com/en-us/azure/container-registry/allow-access-trusted-services#trusted-services

cc: @nathana1 @northtyphoon

adewaleo Aug 23 '21 17:08
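
The check suggested in the comment above, as an added example (not part of the thread and not Azure's own tooling): it reads the JSON that `az acr show --name <registry> -o json` prints for the source and target registries and flags a network-restricted registry whose trusted-services bypass is off. The field names (`publicNetworkAccess`, `networkRuleSet.defaultAction`, `privateEndpointConnections`, `networkRuleBypassOptions`) are assumed from that output, and the sample documents and registry names are constructed.

```python
import json

# Constructed sample documents, shaped like `az acr show --name <registry> -o json`
# output. Field names are assumptions about that output; all values are made up.
SAMPLES = json.loads("""
[
  {"name": "openreg", "publicNetworkAccess": "Enabled",
   "networkRuleSet": {"defaultAction": "Allow", "ipRules": []},
   "privateEndpointConnections": [], "networkRuleBypassOptions": "AzureServices"},
  {"name": "firewalled", "publicNetworkAccess": "Enabled",
   "networkRuleSet": {"defaultAction": "Deny", "ipRules": [{"value": "203.0.113.0/24"}]},
   "privateEndpointConnections": [], "networkRuleBypassOptions": "None"},
  {"name": "privatelinked", "publicNetworkAccess": "Disabled",
   "networkRuleSet": null,
   "privateEndpointConnections": [{"name": "pe1"}], "networkRuleBypassOptions": "AzureServices"}
]
""")

def restriction_reasons(reg):
    """List why a registry counts as network restricted (empty list = unrestricted)."""
    reasons = []
    if reg.get("publicNetworkAccess") == "Disabled":
        reasons.append("public network access disabled")
    if (reg.get("networkRuleSet") or {}).get("defaultAction") == "Deny":
        reasons.append("firewall default action is Deny")
    if reg.get("privateEndpointConnections"):
        reasons.append("private endpoint attached")
    return reasons

def trusted_services_allowed(reg):
    # The quoted documentation says the setting is enabled by default,
    # so a missing field is treated as the default value.
    return reg.get("networkRuleBypassOptions", "AzureServices") == "AzureServices"

def import_blocked(reg):
    """Restricted registry without the trusted-services bypass: import is expected to fail."""
    return bool(restriction_reasons(reg)) and not trusted_services_allowed(reg)

def report(registries):
    lines = []
    for reg in registries:
        reasons = restriction_reasons(reg)
        verdict = "import blocked" if import_blocked(reg) else "network settings allow import"
        lines.append(f"{reg['name']}: {verdict} ({'; '.join(reasons) or 'not network restricted'})")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLES)))
```

If a registry is flagged, `az acr update --name <registry> --allow-trusted-services true` turns the bypass back on. A registry that is not network restricted, as reported later in this thread, is not affected by the setting, so the access-denied error then has to come from somewhere else.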

Hi @adewaleo,

Thanks for the remark. These ACRs are not network restricted so I believe that doesn't apply.

infbase Sep 10 '21 08:09

Closing as this has been inactive for over three months. Please open a support ticket with our team for assistance.

terencet-dev Nov 17 '22 20:11