Create service endpoint connections to Docker registry & ACR #706

Closed
benc-uk opened this issue Jul 7, 2019 · 9 comments

benc-uk commented Jul 7, 2019

Is your feature request related to a problem? Please describe.
I want to automate the creation of Azure DevOps projects & pipelines completely with no manual steps.
I need to define a service connection to an Azure container registry for use in my pipelines, but cannot, as the CLI doesn't support it.

Describe the solution you'd like
Add a new 'service-endpoint-type' of docker to the existing az devops service-endpoint create command.
This should initially support Docker Hub and Azure Container Registry (ACR).

e.g.

az devops service-endpoint create \
  --service-endpoint-type docker \
  --name myAcrConnection \
  --docker-registry-type azure \
  --docker-acr-registry myregistry.azurecr.io \
  --azure-rm-subscription-id blah-blah \
  --azure-rm-service-principal-id blah-blah \
  --azure-rm-tenant-id blah-blah

I would like to provide my own service principal details, much like the --service-endpoint-type azurerm type accepts. Please use the same command line parameters for these details. Also, when accepting the service principal secret/key from the environment variable, please use the same name, i.e. AZURE_DEVOPS_EXT_AZURE_RM_SERVICE_PRINCIPAL_KEY

For Dockerhub

az devops service-endpoint create \
  --service-endpoint-type docker \
  --name myDockerhubConnection \
  --docker-registry-type dockerhub \
  --docker-hub-user foobar

And accept the password from the AZURE_DEVOPS_EXT_DOCKERHUB_PASSWORD environment variable

Additional context
None

@benc-uk benc-uk added the Feature Feature Work required. label Jul 7, 2019
@geverghe geverghe added this to Backlog in Azure DevOps CLI Extension via automation Jul 12, 2019
@snankani snankani added the planned Design complete. Development has been scheduled label Jul 12, 2019
@gauravsaralMs
Contributor

@benc-uk : In the latest release it will be possible to create ACR service endpoints
Can you please give it a try:
https://docs.microsoft.com/en-us/azure/devops/cli/service_endpoint?view=azure-devops#create-service-endpoint-using-configuration-file

@gauravsaralMs
Contributor

@benc-uk : gentle ping..

Author

benc-uk commented Aug 14, 2019

Hi @gauravsaralMs
I just tried it out and it seems to work well.

I'm not sure about the part about needing to sniff the network traffic to get the JSON! Maybe you could provide some JSON examples for the most common service connection types?

@gauravsaralMs
Contributor

Thanks for confirming, yes we may invest in adding more examples going forward

Azure DevOps CLI Extension automation moved this from Backlog to Completed Aug 19, 2019
@DexterPOSH

@benc-uk Were you able to create a service endpoint for ACR with a custom service principal this way?
If yes, could you please share the configuration file used with the CLI?

Collaborator

atbagga commented Oct 7, 2019

@DexterPOSH As documented here - https://docs.microsoft.com/en-us/azure/devops/cli/service_endpoint?view=azure-devops#create-service-endpoint-using-configuration-file
you can capture the JSON POST request in the _apis/serviceendpoint/endpoints call and send the same.

it looks like this for ACR -

{
    "authorization": {
        "scheme": "ServicePrincipal",
        "parameters": {
            "loginServer": "<ACR_NAME>.azurecr.io",
            "role": "ROLE_ID",
            "scope": "<ACR_ID - You can get this from az acr show -o json command>",
            "servicePrincipalId": "<placeholder>", ## Remove this comment and it is NOT NEEDED to fill this placeholder, keep this line as is.
            "tenantId": "<You can get this from az account show command>"
        }
    },
    "data": {
        "appObjectId": "",
        "azureSpnPermissions": "",
        "azureSpnRoleAssignmentId": "",
        "registryId": "<ACR ID - You can get this from az acr show -o json command>",
        "registrytype": "ACR",
        "spnObjectId": "",
        "subscriptionId": "SUBSCRIPTION ID - You can get this from az account show command",
        "subscriptionName": "SUBSCRIPTION NAME"
    },
    "description": "",
    "groupScopeId": null,
    "name": "<NAME OF THE NEW ACR SERVICE CONNECTION YOU ARE TRYING TO CREATE>",
    "operationStatus": null,
    "readersGroup": null,
    "serviceEndpointProjectReferences": null,
    "type": "dockerregistry",
    "url": "https://<ACR_NAME>.azurecr.io",
    "isShared": false,
    "owner": "library"
}

@bbandroid19

@atbagga Can you please mention how we can retrieve ROLE_ID using cli?


xsurfer commented Nov 6, 2020

Hi,
is there any update on this issue? Unfortunately I am not able to create a service connection using CLI and a Service Principal. Any help?

I am using the following command:
az devops service-endpoint create --service-endpoint-configuration .\service-endpoint-Fabio.json --org https://dev.azure.com/my-org -p "my project" --verbose

I use the following JSON as input file:
{
    "administratorsGroup": null,
    "authorization": {
        "scheme": "ServicePrincipal",
        "parameters": {
            "loginServer": "imdcontainerregdev.azurecr.io",
            "scope": "/subscriptions/c7f5c8f1-daef-4ccd-9064-3c513c1842dd/resourceGroups/AZ-RG-iMD-Dev-01/providers/Microsoft.ContainerRegistry/registries/imdContainerRegDev",
            "servicePrincipalId": "8fd3eb13-06df-4275-bb40-cdb214e15331",
            "tenantId": "3596192b-fdf5-4e2c-a6fa-acb706c963d8"
        }
    },
    "createdBy": null,
    "data": {
        "appObjectId": "",
        "azureSpnPermissions": "",
        "azureSpnRoleAssignmentId": "",
        "registryId": "/subscriptions/c7f5c8f1-daef-4ccd-9064-3c513c1842dd/resourceGroups/AZ-RG-iMD-Dev-01/providers/Microsoft.ContainerRegistry/registries/imdContainerRegDev",
        "registrytype": "ACR",
        "spnObjectId": "",
        "subscriptionId": "c7f5c8f1-daef-4ccd-9064-3c513c1842dd",
        "subscriptionName": "<my sub name>"
    },
    "description": "",
    "groupScopeId": null,
    "name": "testName3",
    "operationStatus": null,
    "readersGroup": null,
    "serviceEndpointProjectReferences": [
        {
            "description": "",
            "name": "testName3",
            "projectReference": {
                "id": "9db72eba-13e1-4dc5-a246-b463b54f71d8",
                "name": "<my project name>"
            }
        }
    ],
    "type": "dockerregistry",
    "url": "https://imdcontainerregdev.azurecr.io",
    "isShared": false,
    "owner": "library"
}

The creation of the service connection fails as stated in the message below:

"operationStatus": { "state": "Failed", "statusMessage": " Failed to set Azure permission 'RoleAssignmentId: 92ebd7f8-e642-4280-b258-8617f8302d51' for the service principal 'c8adc685-ba0e-4360-9168-e37055b5c507' on subscription ID 'c7f5c8f1-daef-4ccd-9064-3c513c1842dd': error code: Forbidden, inner error code: AuthorizationFailed, inner error message The client 'myemail@corp.com' with object id 'dac3e21d-7931-4a66-9539-0236e2fe914e' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/c7f5c8f1-daef-4ccd-9064-3c513c1842dd/resourceGroups/AZ-RG-iMD-Dev-01/providers/Microsoft.ContainerRegistry/registries/imdContainerRegDev/providers/Microsoft.Authorization/roleAssignments/92ebd7f8-e642-4280-b258-8617f8302d51' or the scope is invalid. If access was recently granted, please refresh your credentials. Ensure that the user has 'Owner' or 'User Access Administrator' permissions on the Subscription." },

Thank you!

@arindam0310018

Hello @benc-uk, @gauravsaralMs, @DexterPOSH, @atbagga, @xsurfer, @bbandroid19, @geverghe, @snankani,
I stumbled into this thread when I was looking for a solution to create DevOps Service Connection of type "Docker Registry Using Basic Authentication".
The MS Documentation https://learn.microsoft.com/en-us/azure/devops/cli/service-endpoint?view=azure-devops is not at all very clear.

Below is my config.JSON file -


{
    "data": {},
    "name": "AM-ACR-Srv-Connection",
    "type": "dockerregistry",
    "authorization": {
        "parameters": {
            "username": "ampocapplacr",
            "password": "XXXXXXXXXXXXXXXXXXXXXXXXX",
            "email": "mail2arindam2003@yahoo.com",
            "registry": "https://ampocapplacr.azurecr.io"
        },
        "scheme": "UsernamePassword"
    },
    "isShared": false,
    "isReady": true,
    "serviceEndpointProjectReferences": [
        {
            "projectReference": {
                "id": "36aaac58-e06f-47ed-8b98-003ad670ee3c",
                "name": "AMCLOUD"
            },
            "name": "AM-ACR-Srv-Connection"
        }
    ]
}


For More details, please refer below -
Blog:- https://dev.to/arindam0310018/create-docker-regisry-service-connection-using-devops-cli-1an8
Github:- https://github.com/arindam0310018/30-Jan-2023-DevOpsCLI__Create-Docker-Registry-Service-Connection

The Final output Screenshot is mentioned below:-

Hope this helps whoever visits this thread again.

Many Thanks
Regards, Arindam Mitra
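
An added example, not part of any comment in this thread and not the project's own code: the basic-authentication configuration above keeps the registry password inside the JSON file, so this sketch builds the same body at run time with the password read from an environment variable, checks for leftover template placeholders, and writes a short-lived owner-only file for `--service-endpoint-configuration`. The function names and the `REGISTRY_PASSWORD` variable are assumptions; the `allow` argument exists because the ACR template earlier in the thread says to keep `servicePrincipalId` as the literal `<placeholder>`.

```python
import json
import os
import re
import tempfile
from contextlib import contextmanager

# Angle-bracket template markers ("<ACR_NAME>") or a masked value ("XXXX...").
PLACEHOLDER = re.compile(r"<[^<>]+>|^X{6,}$")

def build_basic_auth_endpoint(name, registry_url, username, email, project_id,
                              project_name, password_env="REGISTRY_PASSWORD"):
    """Body in the UsernamePassword shape posted in the thread; the password is
    read from the environment (variable name is an assumption), not from disk."""
    password = os.environ.get(password_env)
    if not password:
        raise ValueError(f"environment variable {password_env} is not set")
    params = {"username": username, "password": password,
              "email": email, "registry": registry_url}
    project = {"projectReference": {"id": project_id, "name": project_name},
               "name": name}
    return {"data": {}, "name": name, "type": "dockerregistry",
            "authorization": {"parameters": params, "scheme": "UsernamePassword"},
            "isShared": False, "isReady": True,
            "serviceEndpointProjectReferences": [project]}

def unfilled_fields(node, path="$", allow=()):
    """JSON paths whose string value still looks like a template placeholder."""
    if isinstance(node, dict):
        return [p for k, v in node.items()
                for p in unfilled_fields(v, f"{path}.{k}", allow)]
    if isinstance(node, list):
        return [p for i, v in enumerate(node)
                for p in unfilled_fields(v, f"{path}[{i}]", allow)]
    hit = isinstance(node, str) and PLACEHOLDER.search(node) and path not in allow
    return [path] if hit else []

@contextmanager
def secret_config_file(body):
    """Write body to an owner-only (0600) temp file; delete it on exit."""
    fd, path = tempfile.mkstemp(suffix=".json")  # mkstemp creates the file 0600
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(body, fh)
        yield path  # value for --service-endpoint-configuration
    finally:
        os.remove(path)
```

Run `az devops service-endpoint create --service-endpoint-configuration <path>` inside the `with secret_config_file(body) as path:` block, after `unfilled_fields(body)` returns an empty list.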
