Question by alex-7202:

az acr run --cmd "acr purge --help" is blocked by the registry firewall

```
$ az acr run --cmd "acr purge --help" /dev/null
Queued a run with ID: ca4
Waiting for an agent...
2021/03/29 20:11:29 Alias support enabled for version >= 1.1.0, please see https://aka.ms/acr/tasks/task-aliases for more information.
2021/03/29 20:11:29 Creating Docker network: acb_default_network, driver: 'bridge'
2021/03/29 20:11:29 Successfully set up Docker network: acb_default_network
2021/03/29 20:11:29 Setting up Docker configuration...
2021/03/29 20:11:30 Successfully set up Docker configuration
2021/03/29 20:11:30 Logging in to registry: ${REGISTRY_NAME}.azurecr.io
failed to login, ran out of retries: failed to set docker credentials: Error response from daemon: Get https://${REGISTRY_NAME}.azurecr.io/v2/: denied: client with IP '20.42.67.3' is not allowed access. Refer https://aka.ms/acr/firewall to grant access.
: exit status 1
Run ID: ca4 failed after 10s. Error: failed during run, err: exit status 1
Run failed
```

"Allow trusted Microsoft services to access this container registry" is checked. I am guessing that whitelisting various Azure IPs is not the right solution here. So what is?

Tags: azure-container-registry

Answer by vipullag-MSFT:

@alex-7202

From the issue description, I see the ACR name is not being referenced as a variable; rather, the variable name itself is being used. Ideally, the REST API call should not be to https://${REGISTRY_NAME}.azurecr.io/v2/ but to a real, valid ACR endpoint. I am not sure if you have changed this for privacy reasons while posting the question.

Trusted Azure Services for ACR are only ACR Tasks, Azure ML and other ACRs. If that is checked then only these will be allowed access. If the request is coming from elsewhere then you have to mention the public IP address of the source or the CIDR from which it might be generated.

Please check this document for details on the Trusted Services.

Hope this helps.


Comments:

alex-7202 commented:

> I am not sure if you have changed this for privacy reason

Yes, the variable is only in the post.

> Trusted Azure Services for ACR are only ACR Tasks

This is an ACR task, an on-demand one; it executes exactly the same way. And I've also tried to create and run it as a named task (`az acr task create --name test1 --cmd "acr purge --help" --context /dev/null`) with the same results. But let's first focus on the on-demand case.

> If the request is coming from elsewhere then you have to mention the public IP address

Whitelisting every possible Azure IP that may be running this on-demand task cannot be the solution.


alex-7202 commented:

I've also tried creating the task with a system identity and giving this identity owner rights to the registry. I am not even sure that's required since the task is accessing the registry to which it belongs, so presumably it already has rights to it (is that correct?). Regardless, that didn't make a difference for the firewall problem.

So is this a bug? Despite "Allow trusted Microsoft services to access this container registry", neither on-demand nor named tasks actually can.


vipullag-MSFT commented:

@alex-7202
Since you are running the task on the same registry, no authorization will be required, so the auth mode can be None. However, since no system-managed identity has been set and the auth mode is not explicitly set to None, the default is being used to validate the agent node, hence you are getting the error. This is not a bug.
Try adding the flag `--auth-mode None` for on-demand `az acr run`.

OR

Refer to this document if you are creating a task for a different registry.

Ref articles:

https://docs.microsoft.com/en-us/azure/container-registry/allow-access-trusted-services#limitations

https://docs.microsoft.com/en-us/azure/container-registry/container-registry-tasks-cross-registry-authentication

https://docs.microsoft.com/en-us/cli/azure/acr?view=azure-cli-latest#az_acr_run

Hope this helps.


Answer by PeterRomfeld-4126:

I am having a similar issue.

We also have a registry with an IP whitelist and I am unable to run the `acr run` command.

I tried with `--auth-mode None` and also made sure that trusted services are allowed, but to no avail (also the client IP keeps changing) :(

```
> az acr run --registry my-registry --cmd "acr purge --dry-run --untagged --ago 7d --keep 3 --filter \"my-image:.*\"" /dev/null
Queued a run with ID: cb11
Waiting for an agent...
2022/02/01 12:28:40 Alias support enabled for version >= 1.1.0, please see https://aka.ms/acr/tasks/task-aliases for more information.
2022/02/01 12:28:40 Creating Docker network: acb_default_network, driver: 'bridge'
2022/02/01 12:28:40 Successfully set up Docker network: acb_default_network
2022/02/01 12:28:40 Setting up Docker configuration...
2022/02/01 12:28:40 Successfully set up Docker configuration
2022/02/01 12:28:40 Logging in to registry: my-registry.azurecr.io
failed to login, ran out of retries: failed to set docker credentials: Error response from daemon: Get "https://my-registry.azurecr.io/v2/": denied: client with IP '52.178.20.38' is not allowed access. Refer https://aka.ms/acr/firewall to grant access.
: exit status 1

> az acr run --auth-mode None --registry my-registry --cmd "acr purge --dry-run --untagged --ago 7d --keep 3 --filter \"my-image:.*\"" /dev/null
Queued a run with ID: cb12
Waiting for an agent...
2022/02/01 12:29:03 Alias support enabled for version >= 1.1.0, please see https://aka.ms/acr/tasks/task-aliases for more information.
2022/02/01 12:29:03 Creating Docker network: acb_default_network, driver: 'bridge'
2022/02/01 12:29:03 Successfully set up Docker network: acb_default_network
2022/02/01 12:29:03 Setting up Docker configuration...
2022/02/01 12:29:04 Successfully set up Docker configuration
2022/02/01 12:29:04 Executing step ID: acb_step_0. Timeout(sec): 600, Working directory: '', Network: 'acb_default_network'
2022/02/01 12:29:04 Launching container with name: acb_step_0
Error: unable to resolve authentication, missing identity token or password
```


My azure-cli:
```
az --version

azure-cli 2.32.0

core 2.32.0
telemetry 1.0.6

Dependencies:
msal 1.16.0
azure-mgmt-resource 20.0.0

Python location '/nix/store/i6vabb4div9iy6lsl642d86k1q8riasn-python3-3.9.9/bin/python3.9'
Extensions directory '/home/peter/.azure/cliextensions'

Python (Linux) 3.9.9 (main, Nov 15 2021, 18:05:17)
[GCC 10.3.0]
```
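The two answers above show two distinct failure modes that look alike in a CI log: the registry firewall rejecting the task agent's IP (the `client with IP '...' is not allowed access` line) and, once `--auth-mode None` is passed, the step itself lacking credentials (`unable to resolve authentication`). The following POSIX shell triage is an added example, not code from the thread or from the Azure CLI: it classifies an `az acr run` log, pulls out the denied agent IP so it can be compared against the registry's network rules instead of being whitelisted ad hoc, and assembles the on-demand command with the `--auth-mode None` flag the accepted answer recommends. The registry name `my-registry` and the sample log text are constructed, shaped like the output quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the Azure CLI): triage `az acr run`
# output so a registry-firewall denial is not mistaken for the
# "missing identity token" error seen with --auth-mode None.
# Registry name and log text below are constructed sample values.

# Classify an `az acr run` log passed as $1.
# Prints one of: firewall-denied | missing-auth | failed | ok
classify_acr_run_log() {
  case "$1" in
    *"is not allowed access"*)            echo firewall-denied ;;
    *"unable to resolve authentication"*) echo missing-auth ;;
    *"Run failed"*|*"exit status"*)       echo failed ;;
    *)                                    echo ok ;;
  esac
}

# Extract the task-agent IP the registry firewall rejected (empty if none).
# The agent IP varies between runs, so compare it with the registry's
# network rules rather than adding each one to an allow list.
denied_ip() {
  printf '%s\n' "$1" \
    | sed -n "s/.*client with IP '\([0-9.]*\)' is not allowed access.*/\1/p" \
    | head -n 1
}

# Build the on-demand command with the flag from the accepted answer.
# $1 is the registry name; the remaining arguments form the --cmd string.
acr_run_cmd() {
  registry=$1; shift
  printf "az acr run --auth-mode None --registry %s --cmd '%s' /dev/null\n" \
    "$registry" "$*"
}

# Constructed sample logs, shaped like the two failures quoted in the thread.
FIREWALL_LOG="Logging in to registry: my-registry.azurecr.io
failed to login, ran out of retries: failed to set docker credentials: Error response from daemon: Get \"https://my-registry.azurecr.io/v2/\": denied: client with IP '52.178.20.38' is not allowed access. Refer https://aka.ms/acr/firewall to grant access.
: exit status 1"
AUTH_LOG="Launching container with name: acb_step_0
Error: unable to resolve authentication, missing identity token or password"

# Demo only when invoked as: sh triage.sh --demo
if [ "${1:-}" = "--demo" ]; then
  echo "firewall log -> $(classify_acr_run_log "$FIREWALL_LOG") (agent IP $(denied_ip "$FIREWALL_LOG"))"
  echo "auth log     -> $(classify_acr_run_log "$AUTH_LOG")"
  acr_run_cmd my-registry 'acr purge --dry-run --untagged --ago 7d --keep 3 --filter "my-image:.*"'
fi
```

In a pipeline, pipe the captured `az acr run` output into `classify_acr_run_log` and fail the job on `firewall-denied` with the extracted IP in the message; that makes a network-rule regression on the registry visible as a firewall problem rather than a generic login failure.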