kaniko
ACR authentication
I am trying to push my image into Azure Container Registry. I am creating config.json like this:
cat << EOF > /kaniko/.docker/config.json
{
  "auths": {
    "$(ACR)": {
      "username":"$(username)",
      "password":"$(password)"
    }
  }
}
EOF
However, I am getting:
error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "ACR.azurecr.io/example-project:latest": creating push check transport for ACR.azurecr.io failed: GET https://ACR.azurecr.io/oauth2/token?scope=repository%3Aexample-project%3Apush%2Cpull&service=ACR.azurecr.io: UNAUTHORIZED: authentication required, visit https://aka.ms/acr/authorization for more information.
Also tried this way:
creds="$(echo "$(username):$(password)" | base64)"
cat << EOF > /kaniko/.docker/config.json
{
  "auths": {
    "$(ACR)": {
      "auth":"${creds}"
    }
  }
}
EOF
and
token="$(az acr login --name $(ACR) --expose-token | jq -r '.accessToken')"
cat << EOF > /kaniko/.docker/config.json
{
  "auths": {
    "$(ACR)": {
      "identityToken":"${token}"
    }
  }
}
EOF
with the same error...
Credentials are for a service principal that has the Contributor role for ACR.
When I use az login --service-principal .. and az acr login ... on my local machine with the same credentials, I get no error.
I have no idea what else I should try.
Destination parameter is as follows: --destination $(ACR)/$(app-name):latest
Kaniko image: latest
Running on: Ubuntu 18.04 container
No one?
Getting the same error :/
@romanzdk did you ever get this to work since the end of April?
No, we switched to a completely different solution. Nonetheless, it looks like this approach is simply not supported by Kaniko.
You have to set three environment variables:
AZURE_CLIENT_ID
AZURE_CLIENT_SECRET
AZURE_TENANT_ID
And do this:
mkdir -p /kaniko/.docker
echo "{\"credHelpers\":{\"somevalue.azurecr.io\":\"acr-env\"}}" > /kaniko/.docker/config.json
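The setup from the answer above, as an added example that is not part of the original thread or the kaniko project: a shell function that writes the `credHelpers` entry only after checking that the three variables are set and that the registry is a bare hostname, so the secret stays in the environment and never lands in config.json. The function name `write_acr_credhelper_config` and its optional directory argument are hypothetical; the behaviour of the `acr-env` helper is assumed to be as the answer describes.

```shell
#!/bin/sh
# Added example (not from the thread). Writes a Docker config that delegates
# ACR authentication to the "acr-env" credential helper named in the answer.
# Assumption: the helper reads AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and
# AZURE_TENANT_ID from the environment, as the answer states.

# write_acr_credhelper_config REGISTRY [DOCKER_DIR]   (hypothetical helper name)
write_acr_credhelper_config() {
    registry=$1
    docker_dir=${2:-/kaniko/.docker}

    # The credHelpers key must be a bare hostname: no scheme, path or port,
    # and nothing that could break out of the JSON string.
    case $registry in
        ''|*[!A-Za-z0-9.-]*)
            echo "invalid registry host: '$registry'" >&2; return 2 ;;
    esac

    # Fail early, naming the missing variable but never printing a value.
    for var in AZURE_CLIENT_ID AZURE_CLIENT_SECRET AZURE_TENANT_ID; do
        eval "val=\${$var:-}"
        if [ -z "$val" ]; then
            echo "missing environment variable: $var" >&2; return 3
        fi
    done
    unset val

    mkdir -p "$docker_dir" || return 1
    # Only the helper name is written; the secret stays in the environment.
    ( umask 077
      printf '{"credHelpers":{"%s":"acr-env"}}\n' "$registry" \
          > "$docker_dir/config.json" )
}
```

Call it with the registry host before starting the kaniko executor; a non-zero return means the config was not written.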
This is an old post, but anyways. I was just wondering, whether it is possible to do this without a service principal, but instead using a managed identity? Thanks!
Still no update on this? It would be really helpful