Question

alex-7202 asked

az acr run --cmd "acr purge --help" is blocked by the registry firewall

 $ az acr run --cmd "acr purge --help" /dev/null
 Queued a run with ID: ca4
 Waiting for an agent...
 2021/03/29 20:11:29 Alias support enabled for version >= 1.1.0, please see https://aka.ms/acr/tasks/task-aliases for more information.
 2021/03/29 20:11:29 Creating Docker network: acb_default_network, driver: 'bridge'
 2021/03/29 20:11:29 Successfully set up Docker network: acb_default_network
 2021/03/29 20:11:29 Setting up Docker configuration...
 2021/03/29 20:11:30 Successfully set up Docker configuration
 2021/03/29 20:11:30 Logging in to registry: ${REGISTRY_NAME}.azurecr.io
 failed to login, ran out of retries: failed to set docker credentials: Error response from daemon: Get https://${REGISTRY_NAME}.azurecr.io/v2/: denied: client with IP '20.42.67.3' is not allowed access. Refer https://aka.ms/acr/firewall to grant access.
 : exit status 1
 Run ID: ca4 failed after 10s. Error: failed during run, err: exit status 1
 Run failed

"Allow trusted Microsoft services to access this container registry" is checked. I am guessing that whitelisting various Azure IPs is not the right solution here. So what is?

azure-container-registry

1 Answer

vipullag-MSFT answered

@alex-7202

From the issue description, I see the ACR name is not being referenced as a variable; rather, the variable name itself is being used. Ideally, the REST API call should not be https://${REGISTRY_NAME}.azurecr.io/v2/ but to a real, valid ACR endpoint. I am not sure if you have changed this for privacy reasons while posting the question.

Trusted Azure Services for ACR are only ACR Tasks, Azure ML and other ACRs. If that is checked, then only these will be allowed access. If the request is coming from elsewhere, then you have to mention the public IP address of the source or the CIDR from which it might be generated.

Please check this document for details on the Trusted Services.

Hope this helps.



"I am not sure if you have changed this for privacy reason"

Yes, the variable is only in the post.

"Trusted Azure Services for ACR are only ACR Tasks"

This is an ACR task, an on-demand one; it executes exactly the same way. And I've also tried to create and run it as a named task (`az acr task create --name test1 --cmd "acr purge --help" --context /dev/null`) with the same results. But let's first focus on the on-demand case.

"If the request ID coming from elsewhere then you have to mention the public IP address"

Whitelisting every possible Azure IP that may be running this on-demand task cannot be the solution.



I've also tried creating the task with a system identity and giving this identity owner rights to the registry. I am not even sure that's required since the task is accessing the registry to which it belongs, so presumably it already has rights to it (is that correct?). Regardless, that didn't make a difference for the firewall problem.

So is this a bug? Despite "Allow trusted Microsoft services to access this container registry", neither on-demand nor named tasks actually can.


@alex-7202
Since you are running the task on the same registry, no authorization will be required, so the auth mode can be None. However, since no system-managed identity has been set and the auth mode has not been explicitly set to None, the default is being used to validate the agent node, hence the error. This is not a bug.
Try adding the flag --auth-mode None to the on-demand az acr run.

OR

Refer to this document if you are creating a task for a different registry.

Ref articles:

https://docs.microsoft.com/en-us/azure/container-registry/allow-access-trusted-services#limitations

https://docs.microsoft.com/en-us/azure/container-registry/container-registry-tasks-cross-registry-authentication

https://docs.microsoft.com/en-us/cli/azure/acr?view=azure-cli-latest#az_acr_run

Hope this helps.

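As an added example (not code from this thread, from Azure CLI or from ACR Tasks), a small Python classifier that recognises this exact failure in a task run log, pulls out the denied agent IP and the registry host, and maps it to the two remedies given in the final comment: --auth-mode None for a task on its own registry, a managed identity for a cross-registry task. The registry name myregistry.azurecr.io and the IP in the sample log are constructed values modelled on the output posted in the question.

```python
"""Diagnose an ACR Tasks run that failed at the login step because the
registry firewall rejected the task agent's IP (constructed example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the run output posted in the question.
SAMPLE_LOG = """\
2021/03/29 20:11:30 Logging in to registry: myregistry.azurecr.io
failed to login, ran out of retries: failed to set docker credentials: Error response from daemon: Get https://myregistry.azurecr.io/v2/: denied: client with IP '20.42.67.3' is not allowed access. Refer https://aka.ms/acr/firewall to grant access.
: exit status 1
Run ID: ca4 failed after 10s. Error: failed during run, err: exit status 1
Run failed
"""

LOGIN_RE = re.compile(r"Logging in to registry: (?P<host>\S+)")
DENIED_RE = re.compile(
    r"Get https://(?P<host>[^/]+)/v2/: denied: client with IP "
    r"'(?P<ip>[^']+)' is not allowed access"
)


@dataclass
class Diagnosis:
    registry: str       # registry host the agent tried to log in to
    denied_ip: str      # agent IP the firewall rejected
    same_registry: bool  # task targets the registry that runs it
    remediation: str


def diagnose(log: str, task_registry: str) -> Optional[Diagnosis]:
    """Return a Diagnosis when the run died at the login step because the
    registry firewall rejected the agent; None for any other outcome."""
    login_host = None
    for line in log.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            login_host = m.group("host")
            continue
        d = DENIED_RE.search(line)
        # Only a denial of the host we were logging in to counts.
        if d and login_host == d.group("host"):
            same = d.group("host").lower() == task_registry.lower()
            if same:
                fix = ("task runs on its own registry: no login needed, pass "
                       "--auth-mode None to az acr run / az acr task create")
            else:
                fix = ("cross-registry task: attach a managed identity to the "
                       "task and grant it access on the target registry")
            return Diagnosis(d.group("host"), d.group("ip"), same, fix)
    return None
```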