[Issue] Container Registry auth error while deploying apps through azd up
#2980
Comments
Hi @justinyoo, based on the error message: azd first tried to use your logged-in user's AD token to login to the registry. That failed due to
@weikanglim Thanks for the workaround! I'll take another try. I was suspecting that as well, but didn't try because azd would take care of them as well. The second option doesn't seem to be applicable for my case because I'm the owner of the subscription. Therefore, any resource group belongs to my account.
Reading https://azure.github.io/acr/AAD-OAuth.html#listing-a-repository-with-azure-cli, it looks like
@vhvb1989 It looks like they may have deprecated parts of the flow we were using. I haven't seen this issue in any of our tests but we should migrate to the new supported path. Current Implementation
@justinyoo can you tell us more about the infrastructure setup? The user/service principal that is logged into Also, the logged-in user would need to have You can take a look at our reference sample in the Azure-Samples/todo-nodejs-mongo-aca Sample for a complete sample. We do recommend the RBAC assignments over the Even though the login flow
@wbreza Thanks for the clarification. I'm the owner of the subscription and I've got the "Service Administrator" role of the subscription. I thought it would be enough for ACR.
@wbreza Here's my update:
And the error has gone away. I suspect that the classic
@justinyoo, have you tried with
@vhvb1989 Yep, I've assigned myself as
azd depends on the logged-in user's RBAC. We do not assign/elevate privileges for the user. The user should make sure to have the right permissions and retry. @weikanglim looks like there is some deprecated API usage. Can we get those fixed?
@rajeshkamal5050 I've looked at this once before earlier, and looked at it again, and I don't see anything problematic with the token exchange. We should be good here. From the ACR token exchange docs to receive an ACR refresh token:
We're using AAD access tokens: `azure-dev/cli/azd/pkg/tools/azcli/container_registry.go`, lines 232 to 237 in 70655e6
I think we can make a follow-up error message improvement to make it clearer what the expectations are.
I'm seeing this also and I had to run `az acr update -n MYACRTHING --admin-enabled true`. This is super confusing. Why does azd not know how to fix this? I have all the permissions I need.
Our intention is to use Azure RBAC to secure access to the container registry, and then exchange our AAD token for a time-limited access token that we use to log into the registry. That has worked for some users, but others have run into issues like what we see in Azure#2980. While we're still trying to root cause the actual issue, we have discovered that if the admin account is enabled, the end-to-end seems to work. This change enables the admin account to allow `azd` to fall back to that when the token exchange doesn't work. Contributes To: Azure#2980
We've continued to look into this. It seems that a subset of accounts have this issue where we can't do the AAD token exchange as outlined on learn.microsoft.com. This fails with a 401 Unauthorized. The issue is not specific to It prints a subtly different error:
But @weikanglim believes this is a red herring and is the For now, #3069 enables the admin account which allows For folks hitting this, you can either pick up a build from the linked PR, wait until our next daily build comes out (12/6) and use that, or add

```bicep
properties: {
  adminUserEnabled: true
}
```

To the

This matches what
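The AAD-to-ACR token exchange discussed in the comments above, with the 401 failure mode mapped to the RBAC expectation the maintainers describe (an added Go example, not azd's own code: `ExchangeToken`, `FakeRegistry`, the sample token strings and the in-process stand-in for the registry are all assumptions):

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// ErrNotAuthorized: the registry answered 401, i.e. the logged-in identity holds no ACR RBAC role.
var ErrNotAuthorized = fmt.Errorf("token exchange returned 401: assign AcrPush/AcrPull (or Contributor/Owner) on the registry to the logged-in identity; enabling the admin user is only a fallback")
// ExchangeToken swaps an AAD access token for an ACR refresh token via POST <baseURL>/oauth2/exchange.
// Hypothetical helper, not azd's own code; baseURL is "https://<registry>" in real use, a test server here.
func ExchangeToken(c *http.Client, baseURL, registry, tenant, aadToken string) (string, error) {
	form := url.Values{"grant_type": {"access_token"}, "service": {registry}, "tenant": {tenant}, "access_token": {aadToken}}
	resp, err := c.Post(baseURL+"/oauth2/exchange", "application/x-www-form-urlencoded", strings.NewReader(form.Encode()))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusUnauthorized {
		return "", ErrNotAuthorized // the failure mode reported in this issue
	} else if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("unexpected status %d from token exchange", resp.StatusCode)
	}
	var body struct{ RefreshToken string `json:"refresh_token"` }
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil || body.RefreshToken == "" {
		return "", fmt.Errorf("exchange response did not contain refresh_token")
	}
	return body.RefreshToken, nil
}

// FakeRegistry is a constructed stand-in for ACR: only the AAD token "aad-with-acr-role" is treated as having an ACR role.
func FakeRegistry() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/oauth2/exchange" || r.PostFormValue("access_token") != "aad-with-acr-role" {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, `{"refresh_token":"acr-refresh-constructed"}`)
	}))
}
func main() {
	srv := FakeRegistry()
	defer srv.Close()
	_, err := ExchangeToken(srv.Client(), srv.URL, "example.azurecr.io", "tenant-id", "aad-without-role")
	fmt.Println(err) // surfaces the RBAC expectation instead of a bare 401
}
```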
We're finding with Azure/acr#723 that RBAC is failing for users that are currently Classic subscription administrators that do not have the RBAC role for ACR pre-configured. The current known workaround is to assign yourself an Acr*/Contributor/Owner role either at the subscription or at the registry level. Example of making the current Classic service administrator an Owner of the subscription:
Example az cli command (please verify before running):
Output from `azd version`
Describe the bug
While provisioning and deploying an Aspire-enabled app, I encountered the permission issue shown in this screenshot:
The error says that I need to enable the "Admin User" permission. Once I enable the "Admin User" permission through Azure Portal, the error goes away.
To Reproduce
azd init
azd up
Expected behavior
Both Web app and API app, as well as Redis Cache are properly deployed to Azure Container Apps, without having to manually enable the "Admin User" permission on ACR.
Environment
Information on your environment:
* Language name and version: C# (.NET 8)
* IDE and version: Visual Studio 2022 Preview, v17.9
Additional context
If I run `azd infra synth`, it generates the Bicep template. Here's the Container Registry part:

However, it doesn't activate the admin user permission. I suspect that it should be: