[CLOSED]401 unauthorized when trying to push signed container to ACR #278

bdelsaz opened this issue Oct 1, 2019 · 12 comments

Labels
bug

Comments

@bdelsaz (Author) commented Oct 1, 2019

I am trying to push signed images to an Azure Container Registry. I get the error:
'failed to sign : you are not authorized to perform this operation: server returned 401.'
This is even though I have created all the RBAC roles in Azure AD and I am logged in with the right credentials (AcrImagePush and AcrImageSigner).
I am following the instructions in this Microsoft docs page.

Steps to reproduce the behavior:

  1. Tagged my container with the fully qualified name <ACR_NAME>/<CONTAINER_NAME>:
  2. I logged in to Azure using az login
  3. I logged in to my container registry with az acr login --resource-group <MY_RESOURCE_GROUP> --name <ACR_NAME>
  4. Enabled 'Content trust' in my ACR (it is now a premium ACR)
  5. I refreshed my credentials in case the new roles had not been applied in my local CLI.
  6. I try to sign and push an image to ACR. These are the commands I use to push a signed image to ACR from my Windows machine:
     set DOCKER_CONTENT_TRUST=1
     docker push <ACR_SERVER>/<IMAGE_NAME>:<TAG>
  7. I type the correct passphrases.

These are the resulting logs

The push refers to repository [MY_ACR_NAME.azurecr.io/appname]
4a85926cec01: Layer already exists
349c7f00d08e: Layer already exists
370f72f4d447: Layer already exists
8dc6654a61c6: Layer already exists
8fa655db5360: Layer already exists
latest: digest: sha256:<A_VERY_LONG_SHA> size: 1375
Signing and pushing trust metadata
Enter passphrase for root key with ID 0c6a1f8:
Enter passphrase for new repository key with ID 96c45d3:
Repeat passphrase for new repository key with ID 96c45d3:
Finished initializing "MY_ACR_NAME.azurecr.io/appname"
failed to sign MY_ACR_NAME.azurecr.io/appname: you are not authorized to perform this operation: server returned 401.

Below are the permissions on my Azure dashboard:
[image: screenshot of the role assignments]

Expected behavior
I expect the signed container to be pushed to ACR in a 'signed' state

Environment information

  • OS: Windows 10.0.17763
  • Azure CLI version: 2.0.74
  • Docker version: 19.03.0-rc2
  • Using docker linux containers
  • Datetime (UTC) when the issue occurred: September 25th 2019

Additional context
I tried enabling the admin account on my ACR and using docker login with the admin account credentials. The result was the same.

@bdelsaz bdelsaz added the bug label Oct 1, 2019
@martinpf (Contributor) commented Oct 4, 2019

This is what happens when the AcrPush role assignment is there for the credential the docker client has cached for that registry but AcrImageSigner is not. Is there any chance the current credential the docker client is using for the registry is missing that role assignment?

@martinpf (Contributor) commented Oct 4, 2019

You could verify there are no docker client issues by doing a docker login using a service principal that has both AcrPush and AcrImageSigner roles assigned to the registry.
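The check martinpf describes (is the credential the Docker client actually uses holding both AcrPush and AcrImageSigner on this registry?) can be scripted against the output of `az role assignment list --all -o json`. The example below is added here and is not code from the azure/acr project or from anyone in this thread; it assumes the CLI's JSON fields `principalName`, `roleDefinitionName` and `scope`, and the registry resource id, principal names and subscription/resource-group segments are constructed placeholders. It goes one step beyond the comment by honouring Azure RBAC inheritance: an assignment at the resource group or subscription scope also applies to the registry.

```python
"""Report which of the two roles needed for a trusted (signed) push to
ACR a principal is missing.

Added example; not the azure/acr project's code. Input shape assumes the
JSON printed by `az role assignment list --all -o json`."""
import json

REQUIRED_ROLES = {"AcrPush", "AcrImageSigner"}

# Constructed registry resource id (placeholder subscription and group).
REGISTRY_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
               "/resourceGroups/rg-placeholder"
               "/providers/Microsoft.ContainerRegistry/registries/myacr")
RESOURCE_GROUP_ID = REGISTRY_ID.split("/providers/")[0]

# Constructed sample assignments: a user who gets AcrImageSigner via the
# resource group, and a service principal that only has AcrPush.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "alice@example.com", "roleDefinitionName": "AcrPush",
     "scope": REGISTRY_ID},
    {"principalName": "alice@example.com", "roleDefinitionName": "AcrImageSigner",
     "scope": RESOURCE_GROUP_ID},
    {"principalName": "ci-sp-placeholder", "roleDefinitionName": "AcrPush",
     "scope": REGISTRY_ID},
    {"principalName": "ci-sp-placeholder", "roleDefinitionName": "Reader",
     "scope": REGISTRY_ID + "-other"},
])


def _scope_covers(assignment_scope: str, registry_id: str) -> bool:
    """True if the assignment is on the registry itself or on an ancestor
    scope (resource group, subscription), since ARM roles inherit downward.
    The trailing '/' guard stops 'registries/myacr' matching 'myacr-other'."""
    a = assignment_scope.rstrip("/").lower()
    r = registry_id.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def effective_roles(assignments_json: str, principal: str, registry_id: str) -> set:
    """Role definition names that apply to `principal` on `registry_id`."""
    roles = set()
    for a in json.loads(assignments_json):
        if a["principalName"].lower() != principal.lower():
            continue
        if _scope_covers(a["scope"], registry_id):
            roles.add(a["roleDefinitionName"])
    return roles


def missing_signing_roles(assignments_json: str, principal: str, registry_id: str) -> set:
    """Required roles the principal does not hold; empty set means a signed
    push should be authorised as far as RBAC is concerned."""
    return REQUIRED_ROLES - effective_roles(assignments_json, principal, registry_id)


if __name__ == "__main__":
    for who in ("alice@example.com", "ci-sp-placeholder"):
        missing = missing_signing_roles(SAMPLE_ASSIGNMENTS, who, REGISTRY_ID)
        print(f"{who}: {'OK' if not missing else 'missing ' + ', '.join(sorted(missing))}")
```

A clean result here only covers RBAC; it does not tell you which identity the Docker client has cached for the registry, which is the other half of martinpf's question.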

@bdelsaz (Author) commented Oct 5, 2019

@martinpf thanks so much for your response. I also suspect it has something to do with the docker client, something along the lines of the AZ CLI not passing the credentials to the docker client.

When I do docker login with the admin account of my ACR (after the admin account is activated), I am able to log in. But I cannot push containers; access to the repository/resource is denied.

When I do docker login using my user credentials (username and password), which are the ones linked to the roles acrSignImage, acrPush etc., I get the response 'Error response from daemon: Get https://MY_ACR_NAME.azurecr.io/v2/: unauthorized: authentication required'

My docker config looks like this:

{
	"auths": {
		"MY_ACR_NAME.azurecr.io": {}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/19.03.0-rc2 (windows)"
	},
	"credsStore": "desktop",
	"stackOrchestrator": "swarm"
}

I am sure I am missing something here, still reading the docs.

EDIT
More stuff I tried, after I read this link. ACR Credentials Manager should change the credsStore in my docker config, but it didn't on installation. My docker config was still using 'credsStore: desktop' as shown above.

So I was researching and found this issue. The workaround to refresh the docker config was to delete the credsStore entry and let docker re-generate it on the next login.

This is what my docker config looks like now after a successful az acr login -n MY_ACR_NAME:

{
	"auths": {
		"MY_AZURE_ACR.azurecr.io": {
			"auth": "MDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMDAwMDAwOg==",
			"identitytoken": "<A_VERY_LONG_TOKEN>"
		}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/19.03.0-rc2 (windows)"
	},
	"stackOrchestrator": "swarm"
}

The results are the same though.
docker login still shows unauthorized.
docker push asks me to provide passphrases etc, but still shows failed to sign MY_ACR_NAME.azurecr.io/IMAGE_NAME:v1: you are not authorized to perform this operation: server returned 401.
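The two config.json snapshots quoted above show the situation worth checking before blaming RBAC: with `credsStore` set, the `auths` entry for the registry is an empty `{}` and the file cannot tell you which identity the helper holds; after `az acr login` without a helper, the entry carries an `auth` value whose basic-auth username is the all-zero GUID plus an `identitytoken`. The script below is an added example, not code from the azure/acr project or from the issue participants; it reconstructs both configs from the ones quoted (registry name and token are placeholders) and classifies how the Docker client will authenticate to a given registry.

```python
"""Classify how a Docker config.json stores credentials for a registry.

Added example; not the azure/acr project's code. The sample configs are
constructed from the two quoted in the issue (placeholders for the
registry name and the refresh token)."""
import base64
import json

# az acr login writes a basic-auth header with this username; the real
# credential is the AAD refresh token in the "identitytoken" field.
ACR_TOKEN_USERNAME = "00000000-0000-0000-0000-000000000000"

REGISTRY = "myacr.azurecr.io"  # placeholder

# Constructed: the "before" config, still pointing at a credential helper.
STALE_CONFIG = json.dumps({
    "auths": {REGISTRY: {}},
    "HttpHeaders": {"User-Agent": "Docker-Client/19.03.0-rc2 (windows)"},
    "credsStore": "desktop",
    "stackOrchestrator": "swarm",
})

# Constructed: the "after" config written by az acr login.
TOKEN_CONFIG = json.dumps({
    "auths": {REGISTRY: {
        "auth": base64.b64encode(f"{ACR_TOKEN_USERNAME}:".encode()).decode(),
        "identitytoken": "PLACEHOLDER_REFRESH_TOKEN",
    }},
    "stackOrchestrator": "swarm",
})


def basic_auth_username(auth_value: str) -> str:
    """Decode a Docker 'auth' field (base64 of user:password) to its username."""
    return base64.b64decode(auth_value).decode("utf-8").split(":", 1)[0]


def credential_mode(config_json: str, registry: str) -> str:
    """One of: not-logged-in, external-helper, empty-entry, aad-token, basic-auth."""
    cfg = json.loads(config_json)
    entry = cfg.get("auths", {}).get(registry)
    if entry is None:
        return "not-logged-in"
    # A global credsStore or a per-registry credHelpers entry means the
    # file holds no secret at all; the empty {} is expected in that case.
    if cfg.get("credsStore") or registry in cfg.get("credHelpers", {}):
        return "external-helper"
    auth = entry.get("auth")
    if not auth:
        return "empty-entry"
    if basic_auth_username(auth) == ACR_TOKEN_USERNAME and entry.get("identitytoken"):
        return "aad-token"
    return "basic-auth"


if __name__ == "__main__":
    print("stale config :", credential_mode(STALE_CONFIG, REGISTRY))
    print("token config :", credential_mode(TOKEN_CONFIG, REGISTRY))
```

Decoding the `auth` string from the second config in the thread gives exactly the all-zero GUID username, which is how you can tell from the file alone that `az acr login` succeeded in exchanging the AAD login for a registry refresh token.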

@bdelsaz (Author) commented Oct 5, 2019

So, I think I can boil down my problem to this.
az acr login (which is just a wrapper of docker login) can successfully log in if I use the 'admin account' username and password.

However, if I try to log in with my AD username (my email), both az acr and the docker client will refuse to log me in.

az acr login -n ACR_NAME -u MY_EMAIL@EMAIL.com
Password:
Error response from daemon: Get https://ACR_NAME.azurecr.io/v2/: unauthorized: authentication required

So when I do docker push and try to use my acrImageSign credentials, these are not there, since according to the docs 'You can't grant trusted image push permission to the admin account of an Azure container registry.'
Does this make more sense? And also, if this is the problem, is this not the whole point of the az acr extension, to manage these credentials for me?

@martinpf (Contributor) commented Oct 8, 2019

Instead of
az acr login -n ACR_NAME -u MY_EMAIL@EMAIL.com
does a sequence of commands like the following work? (log into your Azure AAD account using az login)
az login
az acr login -n
docker push yourRegistry.azurecr.io/yourRepo:yourTag

@shizhMSFT (Member) commented Oct 9, 2019

Could you try to create a service principal and assign the AcrPush and AcrImageSigner roles to that service principal? Then log in using the service principal?

@bdelsaz (Author) commented Oct 9, 2019

@martinpf it works, for unsigned images only. If I do set DOCKER_CONTENT_TRUST=1 before pushing it will not sign the image.

Will try creating a service principal as @shizhMSFT suggests and will post here the results

@bdelsaz (Author) commented Oct 9, 2019

@shizhMSFT this works if I sign in as a user principal, thank you.

Setting credentials and logging in as a user principal, both from the CLI and the Azure portal, does not work then (unless I'm missing something).

@martinpf (Contributor) commented Oct 9, 2019

To sign in as an AAD user you must use az login and then az acr login. az acr login will apply the token that az login obtains to docker. az acr login doesn't support the AAD login protocol (2 factor auth, etc...) for AAD user accounts.

@bdelsaz (Author) commented Oct 9, 2019

> To sign in as an AAD user you must use az login and then az acr login. az acr login will apply the token that az login obtains to docker. az acr login doesn't support the AAD login protocol (2 factor auth, etc...) for AAD user accounts.

Yes, I do this (see my second post). I am unable to log in with my AAD credentials even after I log in with az login to be sure.

az login response:

....
"user": {
   "name": "<MY_EMAIL>",
   "type": "user"
}.
..

Then az acr login (Password shows empty, but I type it)

az acr login --resource-group <RG_NAME> --name <ACR_NAME> --username <MY_EMAIL>
Argument 'resource_group_name' has been deprecated and will be removed in a future release.
Password:
Error response from daemon: Get https://<ACR_NAME>.azurecr.io/v2/: unauthorized: authentication required

@bdelsaz (Author) commented Oct 9, 2019

I think this might be an Azure CLI problem.
I've seen this issue, this issue and this issue, regarding login failing on non-standard consoles and passing password input to the docker client. None of the workarounds stated in these issues worked for me, and I'm using the latest version of the Azure CLI.

I think I will close this issue for now and open one / keep researching on the azure-cli repo. Thanks @martinpf and @shizhMSFT!

Link to new issue here.

@bdelsaz bdelsaz closed this Oct 9, 2019
@bdelsaz bdelsaz changed the title 401 unauthorized when trying to push signed container to ACR [CLOSED]401 unauthorized when trying to push signed container to ACR Oct 9, 2019
@shizhMSFT (Member) commented Oct 10, 2019

The root cause is that the permission list is not recognizable by ACR if the current login user has a classic subscription administrator role, such as Service Administrator or Co-Administrator.

We are sorry that those classic admin roles are currently not supported by ACR, and we plan to resolve this issue.
