
Connect-AzContainerRegistry fails to login for system user

Open joellopes03 opened this issue 4 years ago • 9 comments

The Connect-AzContainerRegistry command fails for the system user on a Windows ADO agent; it works fine when I log in and run the command as admin.

Commands:

  • Connect-AzAccount -ServicePrincipal -TenantId $tenantid -ApplicationId $appid -CertificateThumbprint $thumbprint -SendCertificateChain -Scope Process
  • Connect-AzContainerRegistry -Name $acr -Verbose

Output

 Login with Azure CLI using service principal
 DEBUG: Sought all Az modules and got latest version 0.0.0
 DEBUG: 1:04:25 PM - ConnectAzureRmAccountCommand begin processing with ParameterSet
 'ServicePrincipalCertificateWithSubscriptionId'.
 WARNING: This function is in preview. It may not be available in the selected subscription.
 DEBUG: 1:04:25 PM - Autosave setting from startup session: 'CurrentUser'
 DEBUG: 1:04:25 PM - No autosave setting detected in environment variable 'AzContextAutoSave'.
 DEBUG: 1:04:25 PM - Setting Autosave scope to 'Process' as specified in the cmdlet parameters.
 DEBUG: 1:04:25 PM - Using Autosave scope 'Process'
 DEBUG: 1:04:25 PM - [ServicePrincipalAuthenticator] Calling ClientCertificateCredential.GetTokenAsync -
 Thumbprint:'XXXXXXXXXXXXXXXXX', ApplicationId:'XXXXXXXXXXX',
 TenantId:'XXXXXXXXXXXXX', Scopes:'https://management.core.windows.net//.default',
 AuthorityHost:'https://login.microsoftonline.com/'
 DEBUG: ClientCertificateCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ]
 ParentRequestId:
 DEBUG: Request [1e1fcebb-6a09-4175-a873-9c343df02bf7] GET
 https://login.microsoftonline.com/common/discovery/instance?api-version=REDACTED&authorization_endpoint=REDACTED
 x-client-SKU:REDACTED
 x-client-Ver:REDACTED
 x-client-CPU:REDACTED
 x-client-OS:REDACTED
 client-request-id:REDACTED
 return-client-request-id:REDACTED
 x-app-name:REDACTED
 x-app-ver:REDACTED
 x-ms-client-request-id:1e1fcebb-6a09-4175-a873-9c343df02bf7
 x-ms-return-client-request-id:true
 User-Agent:azsdk-net-Identity/1.4.0 (.NET Framework 4.8.4400.0; Microsoft Windows 10.0.20348 )
 client assembly: Azure.Identity
 DEBUG: Response [1e1fcebb-6a09-4175-a873-9c343df02bf7] 200 OK (00.1s)
 Strict-Transport-Security:REDACTED
 X-Content-Type-Options:REDACTED
 Access-Control-Allow-Origin:REDACTED
 Access-Control-Allow-Methods:REDACTED
 client-request-id:REDACTED
 x-ms-request-id:177a299f-2052-4117-9d90-47c848970300
 x-ms-ests-server:REDACTED
 Cache-Control:max-age=86400, private
 Content-Type:application/json; charset=utf-8
 P3P:REDACTED
 Set-Cookie:REDACTED
 Date:Wed, 15 Sep 2021 20:04:25 GMT
 Content-Length:980
 DEBUG: Request [fc68cd29-65e1-49de-afb8-80623ed1f660] POST
 https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxx/oauth2/v2.0/token
 x-client-SKU:REDACTED
 x-client-Ver:REDACTED
 x-client-CPU:REDACTED
 x-client-OS:REDACTED
 x-client-current-telemetry:REDACTED
 x-client-last-telemetry:REDACTED
 x-ms-PKeyAuth:REDACTED
 x-ms-lib-capability:REDACTED
 client-request-id:REDACTED
 return-client-request-id:REDACTED
 x-app-name:REDACTED
 x-app-ver:REDACTED
 Content-Type:application/x-www-form-urlencoded
 x-ms-client-request-id:fc68cd29-65e1-49de-afb8-80623ed1f660
 x-ms-return-client-request-id:true
 User-Agent:azsdk-net-Identity/1.4.0 (.NET Framework 4.8.4400.0; Microsoft Windows 10.0.20348 )
 client assembly: Azure.Identity
 DEBUG: Response [fc68cd29-65e1-49de-afb8-80623ed1f660] 200 OK (00.1s)
 Pragma:no-cache
 Strict-Transport-Security:REDACTED
 X-Content-Type-Options:REDACTED
 client-request-id:REDACTED
 x-ms-request-id:47b917b4-72d8-47d8-8105-127bc03d4600
 x-ms-ests-server:REDACTED
 x-ms-clitelem:REDACTED
 Cache-Control:no-store, no-cache
 Content-Type:application/json; charset=utf-8
 Expires:-1
 P3P:REDACTED
 Set-Cookie:REDACTED
 Date:Wed, 15 Sep 2021 20:04:26 GMT
 Content-Length:1381
 DEBUG: ClientCertificateCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ]
 ParentRequestId: ExpiresOn: 2021-09-16T20:04:25.0000000+00:00
 DEBUG: ============================ HTTP REQUEST ============================

 HTTP Method:
 GET

 Absolute Uri:
 https://management.azure.com/subscriptions?api-version=2021-01-01

 Headers:
 x-ms-client-request-id : ba66da67-5990-4584-81da-ebf04a54484c
 accept-language : en-US

 Body:


 DEBUG: ============================ HTTP RESPONSE ============================

 Status Code:
 OK

 Headers:
 Pragma : no-cache
 x-ms-ratelimit-remaining-tenant-reads: 11999
 x-ms-request-id : 67a84dbd-050f-48ae-9adf-4dfa8ac849f2
 x-ms-correlation-request-id : 67a84dbd-050f-48ae-9adf-4dfa8ac849f2
 x-ms-routing-request-id : NORTHEUROPE:20210915T200426Z:67a84dbd-050f-48ae-9adf-4dfa8ac849f2
 Strict-Transport-Security : max-age=31536000; includeSubDomains
 X-Content-Type-Options : nosniff
 Cache-Control : no-cache
 Date : Wed, 15 Sep 2021 20:04:25 GMT

 Body:
 {
 "value": [
 {
 "id": "/subscriptions/yyyyyyyyyyyyyyyyyyyyyy",
 "authorizationSource": "RoleBased",
 "managedByTenants": [],
 "subscriptionId": "yyyyyyyyyyyyyyyyyyyyyy",
 "tenantId": "xxxxxxxxxxxxxxxxxxxxxx",
 "displayName": "zzzzzzzzzzzzzzzzzzz",
 "state": "Enabled",
 "subscriptionPolicies": {
 "locationPlacementId": "Internal_2014-09-01",
 "quotaId": "Internal_2014-09-01",
 "spendingLimit": "Off"
 }
 }
 ],
 "count": {
 "type": "Total",
 "value": 1
 }
 }

 DEBUG: 1:04:26 PM - [ServicePrincipalAuthenticator] Calling ClientCertificateCredential.GetTokenAsync -
 Thumbprint:'aaaaaaaaaaaaaaaaaaaaa', ApplicationId:'aaaaaaaaaaaaaaaaaaaaa',
 TenantId:'xxxxxxxxxxxxxxxxxxxxxx', Scopes:'https://management.core.windows.net//.default',
 AuthorityHost:'https://login.microsoftonline.com/'
 DEBUG: ClientCertificateCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ]
 ParentRequestId:
 DEBUG: Request [08c9c4b8-a114-478f-be3d-bb55d801eb1c] POST
 https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxx/oauth2/v2.0/token
 x-client-SKU:REDACTED
 x-client-Ver:REDACTED
 x-client-CPU:REDACTED
 x-client-OS:REDACTED
 x-client-current-telemetry:REDACTED
 x-client-last-telemetry:REDACTED
 x-ms-PKeyAuth:REDACTED
 x-ms-lib-capability:REDACTED
 client-request-id:REDACTED
 return-client-request-id:REDACTED
 x-app-name:REDACTED
 x-app-ver:REDACTED
 Content-Type:application/x-www-form-urlencoded
 x-ms-client-request-id:08c9c4b8-a114-478f-be3d-bb55d801eb1c
 x-ms-return-client-request-id:true
 User-Agent:azsdk-net-Identity/1.4.0 (.NET Framework 4.8.4400.0; Microsoft Windows 10.0.20348 )
 client assembly: Azure.Identity
 DEBUG: Response [08c9c4b8-a114-478f-be3d-bb55d801eb1c] 200 OK (00.0s)
 Pragma:no-cache
 Strict-Transport-Security:REDACTED
 X-Content-Type-Options:REDACTED
 client-request-id:REDACTED
 x-ms-request-id:47b917b4-72d8-47d8-8105-127bd13d4600
 x-ms-ests-server:REDACTED
 x-ms-clitelem:REDACTED
 Cache-Control:no-store, no-cache
 Content-Type:application/json; charset=utf-8
 Expires:-1
 P3P:REDACTED
 Set-Cookie:REDACTED
 Date:Wed, 15 Sep 2021 20:04:26 GMT
 Content-Length:1381
 DEBUG: ClientCertificateCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ]
 ParentRequestId: ExpiresOn: 2021-09-16T20:04:25.0000000+00:00
 DEBUG: ============================ HTTP REQUEST ============================

 HTTP Method:
 GET

 Absolute Uri:
 https://management.azure.com/subscriptions?api-version=2021-01-01

 Headers:
 x-ms-client-request-id : ba66da67-5990-4584-81da-ebf04a54484c
 accept-language : en-US

 Body:


 DEBUG: ============================ HTTP RESPONSE ============================

 Status Code:
 OK

 Headers:
 Pragma : no-cache
 x-ms-ratelimit-remaining-tenant-reads: 11999
 x-ms-request-id : c65f5063-007d-45ff-9190-a5dcd6770c9c
 x-ms-correlation-request-id : c65f5063-007d-45ff-9190-a5dcd6770c9c
 x-ms-routing-request-id : NORTHEUROPE:20210915T200426Z:c65f5063-007d-45ff-9190-a5dcd6770c9c
 Strict-Transport-Security : max-age=31536000; includeSubDomains
 X-Content-Type-Options : nosniff
 Cache-Control : no-cache
 Date : Wed, 15 Sep 2021 20:04:26 GMT

 Body:
 {
 "value": [
 {
 "id": "/subscriptions/yyyyyyyyyyyyyyyyyyyyyy",
 "authorizationSource": "RoleBased",
 "managedByTenants": [],
 "subscriptionId": "yyyyyyyyyyyyyyyyyyyyyy",
 "tenantId": "xxxxxxxxxxxxxxxxxxxxxx",
 "displayName": "zzzzzzzzzzzzzzzzzzz",
 "state": "Enabled",
 "subscriptionPolicies": {
 "locationPlacementId": "Internal_2014-09-01",
 "quotaId": "Internal_2014-09-01",
 "spendingLimit": "Off"
 }
 }
 ],
 "count": {
 "type": "Total",
 "value": 1
 }
 }

 DEBUG: AzureQoSEvent: Module: Az.Accounts:2.5.3; CommandName: Connect-AzAccount; PSVersion: 5.1.20348.230; IsSuccess:
 True; Duration: 00:00:01.1115818
 DEBUG: Finish sending metric.
 DEBUG: 1:04:27 PM - ConnectAzureRmAccountCommand end processing.
 Logging into ACR: s
 DEBUG: 1:04:27 PM - ConnectAzureContainerRegistry begin processing with ParameterSet
 'WithoutNameAndPasswordParameterSet'.
 DEBUG: 1:04:27 PM - using account id 'aaaaaaaaaaaaaaaaaaaaa'...
 Account SubscriptionName TenantId Environment
 ------- ---------------- -------- -----------
 aaaaaaaaaaaaaaaaaaaaa zzzzzzzzzzzzzzzzzzz xxxxxxxxxxxxxxxxxxxxxx AzureCloud
 Connect-AzContainerRegistry : Error response from daemon: Get https://s.azurecr.io/v2/: unauthorized:
 authentication required, visit https://aka.ms/acr/authorization for more information.
 At X:\Maintenance_work\1\s\scripts\Patching\pullDockerImages.ps1:52 char:3
 + Connect-AzContainerRegistry -Name $acr -Verbose
 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 + CategoryInfo : NotSpecified: (Error response ...re information.:String) [Connect-AzContainerRegistry],
 RemoteException
 + FullyQualifiedErrorId : NativeCommandError,Microsoft.Azure.Commands.ContainerRegistry.ConnectAzureContainerRegis
 try
 DEBUG: 1:04:27 PM - [ServicePrincipalAuthenticator] Calling ClientCertificateCredential.GetTokenAsync -
 Thumbprint:'aaaaaaaaaaaaaaaaaaaaa', ApplicationId:'aaaaaaaaaaaaaaaaaaaaa',
 TenantId:'xxxxxxxxxxxxxxxxxxxxxx', Scopes:'https://management.core.windows.net//.default',
 AuthorityHost:'https://login.microsoftonline.com/'
 DEBUG: ClientCertificateCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ]
 ParentRequestId:
 DEBUG: Request [0caa40b3-1209-4f70-9de9-81e4e08236bd] POST
 https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxx/oauth2/v2.0/token
 x-client-SKU:REDACTED
 x-client-Ver:REDACTED
 x-client-CPU:REDACTED
 x-client-OS:REDACTED
 x-client-current-telemetry:REDACTED
 x-client-last-telemetry:REDACTED
 x-ms-PKeyAuth:REDACTED
 x-ms-lib-capability:REDACTED
 client-request-id:REDACTED
 return-client-request-id:REDACTED
 x-app-name:REDACTED
 x-app-ver:REDACTED
 Content-Type:application/x-www-form-urlencoded
 x-ms-client-request-id:0caa40b3-1209-4f70-9de9-81e4e08236bd
 x-ms-return-client-request-id:true
 User-Agent:azsdk-net-Identity/1.4.0 (.NET Framework 4.8.4400.0; Microsoft Windows 10.0.20348 )
 client assembly: Azure.Identity
 DEBUG: Response [0caa40b3-1209-4f70-9de9-81e4e08236bd] 200 OK (00.1s)
 Pragma:no-cache
 Strict-Transport-Security:REDACTED
 X-Content-Type-Options:REDACTED
 client-request-id:REDACTED
 x-ms-request-id:04f8d105-eff3-4d44-898a-e635052d4b00
 x-ms-ests-server:REDACTED
 x-ms-clitelem:REDACTED
 Cache-Control:no-store, no-cache
 Content-Type:application/json; charset=utf-8
 Expires:-1
 P3P:REDACTED
 Set-Cookie:REDACTED
 Date:Wed, 15 Sep 2021 20:04:27 GMT
 Content-Length:1381
 DEBUG: ClientCertificateCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ]
 ParentRequestId: ExpiresOn: 2021-09-16T20:04:26.0000000+00:00
 DEBUG: ============================ HTTP REQUEST ============================

 HTTP Method:
 POST

 Absolute Uri:
 https://s.azurecr.io/oauth2/exchange

 Headers:
 x-ms-client-request-id : 18e184e9-4ade-48d4-bdf4-a46ff55fdc5b
 accept-language : en-US

 Body:
 grant_type=access_token&service=s.azurecr.io&access_token=""

 DEBUG: ============================ HTTP RESPONSE ============================

 Status Code:
 OK

 Headers:
 Transfer-Encoding : chunked
 Connection : keep-alive
 X-Ms-Correlation-Request-Id : 81721efa-6885-4494-bf98-517be46f6196
 x-ms-ratelimit-remaining-calls-per-second: 333.316667
 Strict-Transport-Security : max-age=31536000; includeSubDomains
 Date : Wed, 15 Sep 2021 20:04:27 GMT
 Server : openresty

 Body:
 {
 "refresh_token": ""
 }

 DEBUG: AzureQoSEvent: Module: Az.ContainerRegistry:2.2.3; CommandName: Connect-AzContainerRegistry; PSVersion:
 5.1.20348.230; IsSuccess: True; Duration: 00:00:00.6137526
 DEBUG: Finish sending metric.
 DEBUG: 1:04:28 PM - ConnectAzureContainerRegistry end processing.
 Using default tag: latest
 Error response from daemon: Head https://s.azurecr.io/v2/global/corext/manifests/latest: unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information.
 Using default tag: latest
 Error response from daemon: Head https://s.azurecr.io/v2/global/vse2019/manifests/latest: unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information.
 Docker registery is already running on host

 ##[section]Finishing: Pull docker images

joellopes03 avatar Sep 15 '21 21:09 joellopes03

Thanks for reporting. I have polished your log and have a couple of questions.

  1. Is the value of refresh_token in the response payload an empty string or redacted?
  2. Could you try using the same service principal on your local machine instead of the ADO agent?
  3. I saw it pull the tags. Is that invoked by an Azure PowerShell cmdlet? If yes, please share the debug log around it.

dingmeng-xue avatar Sep 17 '21 05:09 dingmeng-xue

Hi, we're sending this friendly reminder because we haven't heard back from you in a while. We need more information about this issue to help address it. Please be sure to give us your input within the next 7 days. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

msftbot[bot] avatar Sep 24 '21 08:09 msftbot[bot]

  1. ["refresh_token": "<redacted>"] This is what I see in the logs.
  2. It works when I invoke it with my login, but not with authentication using the service principal.
  3. Attached are all the debug logs I get from the command line. Below is the script I am using:

# Pick the newest certificate in the machine store whose subject matches one of the expected names.
# Select-Object -First 1 ensures a single thumbprint string is passed on, even if several certificates match.
$thumbprint = ((Get-ChildItem -Path cert:\LocalMachine\my | Where-Object { $_.Subject -match "<redacted>" -or $_.Subject -match "<redacted>" }) | Sort-Object -Property NotAfter -Descending | Select-Object -First 1).Thumbprint
Write-Host "Login with Azure CLI using service principal"
# Certificate-based service principal login, scoped to this process only.
Connect-AzAccount -ServicePrincipal -TenantId <redacted> -ApplicationId <redacted> -CertificateThumbprint $thumbprint -SendCertificateChain -Scope Process
# $acr is the registry name set earlier in the pipeline.
Connect-AzContainerRegistry -Name $acr -Verbose

Let me know if you would like additional flags for logs

joellopes03 avatar Sep 24 '21 23:09 joellopes03

I repeated your steps, but my service principal can connect to the container registry.

Please check the permissions of your SP. Please follow this doc https://docs.microsoft.com/en-us/azure/container-registry/container-registry-roles?tabs=azure-cli and ensure your SP has sufficient permissions.

dingmeng-xue avatar Sep 27 '21 06:09 dingmeng-xue

Hi, we're sending this friendly reminder because we haven't heard back from you in a while. We need more information about this issue to help address it. Please be sure to give us your input within the next 7 days. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

msftbot[bot] avatar Oct 04 '21 08:10 msftbot[bot]

I did try running the script as myself and then running it as the system account. Both times it worked. But when I run the same script as an ADO pipeline it fails. Did you try running your script in an ADO pipeline?

joellopes03 avatar Oct 04 '21 16:10 joellopes03

@joellopes03 Sorry for the delayed response. We've recently discovered that this is a problem within the ADO pipeline. When using Connect-AzContainerRegistry in a pipeline on Windows-2019 and Windows-2022, it does not work, and we have reported it to the ADO team. The workaround here is changing your agent to Ubuntu or another OS, or using a service connection to log in to the Azure container registry. We'll inform you under this issue as soon as we get a response from the ADO team. Thanks.

Nickcandy avatar Jul 22 '22 10:07 Nickcandy

@joellopes03 The ADO pipeline team replied right here: It seems that the problem here is related not to the task itself, but to specifics of the PowerShell behavior on the hosted Windows agents. Passing a password via a pipeline in the PowerShell task works well on Ubuntu agents because they are provided with PSCore instead of native Windows PowerShell, so as a workaround you can switch the task to use the preinstalled PSCore via the pwsh: true argument (documentation).

- task: PowerShell@2
  inputs:
    targetType: 'inline'
    pwsh: true
    script: |
        "some_password" | docker login $registry -u $user_name --password-stdin

It works as expected:

"C:\Program Files\PowerShell\7\pwsh.exe" -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command ". 'D:\a_temp\b8563136-5a4a-46b1-8e15-48a5f9c62952.ps1'"
Login Succeeded
Finishing: PowerShell

I've tested and it worked for me. Please let me know if you have any further questions.

Nickcandy avatar Aug 02 '22 14:08 Nickcandy
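The debug log above shows the cmdlet POSTing to /oauth2/exchange, getting `"refresh_token": ""` back and still reporting IsSuccess: True, so the failure only surfaces later as docker's "unauthorized". The following is an added example (not code from the issue thread or from the Az module) that performs the same ACR token exchange explicitly and fails early on an empty token before handing it to `docker login --password-stdin`; the registry name is a placeholder parameter, and an Az context from Connect-AzAccount is assumed to exist.

```powershell
# Added example: explicit ACR token exchange with a non-empty check before docker login.
param(
    [Parameter(Mandatory)] [string] $RegistryName   # placeholder, e.g. "myregistry"
)
$ErrorActionPreference = 'Stop'
$loginServer = "$RegistryName.azurecr.io"

# 1. An Az context is assumed (Connect-AzAccount -ServicePrincipal ... -Scope Process ran earlier).
$ctx = Get-AzContext
if (-not $ctx) { throw "No Az context found; run Connect-AzAccount first." }

# 2. Get an ARM access token for the signed-in principal. Newer Az.Accounts versions
#    return a SecureString, so unwrap it in a way that works on both PS 5.1 and PS 7.
$tokenObj = (Get-AzAccessToken -ResourceUrl 'https://management.azure.com/').Token
$aadToken = if ($tokenObj -is [System.Security.SecureString]) {
    [System.Net.NetworkCredential]::new('', $tokenObj).Password
} else { $tokenObj }
if ([string]::IsNullOrWhiteSpace($aadToken)) { throw "Get-AzAccessToken returned an empty token." }

# 3. Exchange the AAD token for an ACR refresh token (the POST .../oauth2/exchange seen in the log).
$body = @{
    grant_type   = 'access_token'
    service      = $loginServer
    tenant       = $ctx.Tenant.Id
    access_token = $aadToken
}
$resp = Invoke-RestMethod -Method Post -Uri "https://$loginServer/oauth2/exchange" `
    -Body $body -ContentType 'application/x-www-form-urlencoded'

# 4. The failing run got HTTP 200 with an empty refresh_token; treat that as a hard error
#    instead of passing an empty password on to docker.
if ([string]::IsNullOrWhiteSpace($resp.refresh_token)) {
    throw "ACR returned an empty refresh_token for $loginServer; check the principal's role assignment (AcrPull/AcrPush) on the registry."
}

# 5. Log in with the refresh token on stdin. The all-zero GUID is ACR's fixed username
#    for refresh-token logins, so no secret ever appears on the command line.
$resp.refresh_token | docker login $loginServer --username '00000000-0000-0000-0000-000000000000' --password-stdin
if ($LASTEXITCODE -ne 0) { throw "docker login to $loginServer failed with exit code $LASTEXITCODE" }
```

On a hosted Windows agent, run this in a PowerShell@2 task with `pwsh: true` as the ADO team recommends above, since the stdin pipe into docker is exactly what misbehaves under native Windows PowerShell there.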

Hi, we're sending this friendly reminder because we haven't heard back from you in a while. We need more information about this issue to help address it. Please be sure to give us your input within the next 7 days. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

msftbot[bot] avatar Aug 10 '22 08:08 msftbot[bot]