ACR Auto-login not working in some scenario

[gtardif]

ACR Auto-login has been implemented following this doc that describes how to exchange the Azure mgmt token into a token that ACR accepts: https://github.com/Azure/acr/blob/master/docs/AAD-OAuth.md#getting-credentials-programatically.

Some users at Microsoft are seeing errors while trying to deploy ACR images:
@BigMorty:

Not working for me, here is what I did and the error I received...

C:\Users\mikemort\source\repos\OrderProc>docker logout mikemortacr.azurecr.io
Removing login credentials for mikemortacr.azurecr.io

C:\Users\mikemort\source\repos\OrderProc>docker logout azure
Removing login credentials for Azure

C:\Users\mikemort\source\repos\OrderProc>docker login azure
login succeeded

C:\Users\mikemort\source\repos\OrderProc>docker context use MyACI
MyACI

C:\Users\mikemort\source\repos\OrderProc>docker run -d mikemortacr.azurecr.io/myexpressapp:2.2
Could not automatically login to mikemortacr.azurecr.io from your Azure login. Assuming you already logged in to the ACR > registry
[+] Running 0/1

Group goofy-rhodes Waiting 3.0s
containerinstance.ContainerGroupsClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="InaccessibleImage" Message="The image 'mikemortacr.azurecr.io/myexpressapp:2.2' in container group 'goofy-rhodes' is not accessible. Please check the image and registry credential."
C:\Users\mikemort\source\repos\OrderProc>

@gtardif :

To help debugging this, could you try to manually run the call to obtain the ACR token (as described here), I assume in your context it will fail, the error message might help.

registry="contosoregistry.azurecr.io"
tenant="409520d4-8100-4d1d-ad47-72432ddcc120"
aad_access_token="eyJ...H-g"
curl -v -X POST -H "Content-Type: application/x-www-form-urlencoded" -d \
    "grant_type=access_token&service=$registry&tenant=$tenant&access_token=$aad_access_token" \
    https://$registry/oauth2/exchange

You can get the values for tenant & access token from ~/.azure/dockerAccessToken.json

@BigMorty:

Here is the error I received - {"errors":[{"code":"UNAUTHORIZED","message":"retrieving permissions failed"}]}

[gtardif]

This is happening on windows, using Docker Desktop with WSL2 integration. So far we have not been able to reproduce the issue.

[karolz-ms]

@gtardif On Windows I was also able to use the access token from dockerAccessToken.json to exchange the token into ACR token using curl, as described above. So the CLI has correct data to do the same.

Is there a way to get detailed trace from the CLI, to see exactly what it is doing while attempting to exchange the Azure access token for the ACR access token?

[gtardif]

@karolz-ms you can unzip the docker cli attached here and invoke it directly instead of the one installed by Desktop.
I added traces to see exactly what it executes, and display the error in addition to the warning message Could not automatically login to xxx from your Azure login.
Basically he cli does 2 things :

• POST the same thing you tried with curl
• use the result and call docker login myregistry
  If any error happens, display the warning and continue, to let users maually login to ACR if their azure login does not allow access to the specified registry.

docker.zip

[karolz-ms]

What I found (the following sequence assumes ACI Docker context is in use):

1. docker logout azure + docker logout myregistry
2. docker login azure
3. docker run myregistry/myrepo using Docker CLI that shipped with Docker Edge/Win 2.3.5.1 --> error
4. docker run myregistry/myrepo using attached Docker CLI from the above --> works without any warnings
5. docker run myregistry/myrepo using Docker CLI that shipped with Docker Edge/Win 2.3.5.1 --> now works but with Could not automatically login to xxx from your Azure login warning

So let's just ship the implementation that you attached @gtardif and we can call it done ☺️ Curious what is the difference between that and Edge 2.3.5.1?

[gtardif]

I suppose step 5 just works because it's using the login that was perfomed in step 4.
I don't see exactly what can make the diff, it may not be due to a code difference but using the binary from Desktop PATH instead of another one you installed manually. (but I can't reproduce the issue with the cli installed with Desktop either, and I don't see why this would make a difference ; no special permission or things like that).
Or it's another diff we introduced since Edge 2.3.5.1 that fixed it, but looking at changes I don't see any obvious candidate.

Anyway, I'll display the error message in addition to the current warning, so we can understand better what's going on in case of failure.

[gtardif]

@karolz-ms You can try this Desktop build : https://desktop-stage.docker.com/win/edge/47514/Docker%20Desktop%20Installer.exe, that should be close to our release next week

[karolz-ms]

@gtardif this build (2.3.6.0) is working for me! ☺️

[BigMorty]

Worked great for me also, thanks!!!

[gtardif]

Glad to see this ! Thx for the feedback

[gtardif]

This has been released now !

[BigMorty]

Awesome, thanks so much!