'az acr login' requires Docker to be installed #9442

Closed
bergmeister opened this issue May 21, 2019 · 9 comments · Fixed by #12077
@bergmeister

Is your feature request related to a problem? Please describe.
For offloading the Docker build to the cloud, we want to use az acr build but in order to authenticate, we wanted to use the registry credentials that are used in az acr login but it seems this command requires Docker to be installed, which we do not want. Now we need to create an Endpoint in Azure DevOps to authenticate to Azure. To me the whole point of the registry credentials was that one could interact with it without the complexity of Azure authentication. Installing Docker on a build machine is not something nice, as the Docker installation makes quite a lot of changes to the system and for the purpose of building Docker images in the cloud, I do not want to have to install Docker on our on-premise build agents.

Describe the solution you'd like
Docker should not be required for authentication purposes of being able to do az acr build

Describe alternatives you've considered
We will have to install an endpoint in Azure DevOps to authenticate the CLI to our registry in Azure.

Additional context
Add any other context or screenshots about the feature request here.

@bsiegel added the Service Attention label Jun 14, 2019
@avs099

avs099 commented Jun 17, 2019

We had the same issue, but it turns out the acr login command was not necessary. I guess, after you do az login --service-principal -u **** -p **** -t ****, your current environment gets enough "permissions" to execute ACR commands - given that the Service Principal you use has proper access to ACR. In our case I had to add Reader permission to the resource group, and acrPush to the ACR itself.

@sajayantony
Contributor

@bergmeister - ACR build doesn't require docker login.
https://docs.microsoft.com/en-us/azure/container-registry/container-registry-tasks-overview#quick-task

You only need to run az login or ensure you can access your resources. For example, az acr list

@sajayantony
Contributor

@bergmeister are you unblocked and can we close this issue?

@bergmeister
Author

Cannot comment on it since I already wrote down the PoC report for the project that this was targeted.
To me it rather sounds like documenting the required rights so that only az login is required would be an actionable outcome, as this does not seem to be obvious.

@sajayantony
Contributor

/cc @dlepow

@cwebbtw

cwebbtw commented Sep 25, 2019

We've had similar pains in actually getting docker login tokens. On AWS, the ECR login provides a token, whereas on ACR, it attempts to login for you automatically, which isn't helpful if you don't have docker installed.

A nasty workaround is to get a refresh token ourselves (some elements of Jenkins scripted pipeline included):

// Jenkins scripted pipeline: trade the agent's managed-identity token for an ACR refresh token.
def registry = "foobarbaz.azurecr.io"
def tenant = sh(returnStdout: true, script: "az account show --query tenantId --output tsv").trim()
// The instance metadata service rejects requests that lack the Metadata header.
def accessToken = sh(returnStdout: true, script: "#!/bin/sh -e\ncurl -s -H 'Metadata: true' 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com' | jq -r .access_token").trim()
// Exchange the management access token at the registry's /oauth2/exchange endpoint.
def acrLoginToken = sh(returnStdout: true, script: """#!/bin/sh -e\ncurl -s -H 'Content-Type: application/x-www-form-urlencoded' -d \
                              'grant_type=access_token&service=$registry&tenant=$tenant&access_token=$accessToken' \
                               https://$registry/oauth2/exchange | jq -r .refresh_token""").trim()

This allows you to do:

docker login $registry -u 00000000-0000-0000-0000-000000000000 -p $acrLoginToken

Would be nice to be able to get this in a simple way (this allows the admin password to remain disabled, which I prefer)
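Added example (not part of the thread and not Azure CLI code): one way to hand the refresh token from the workaround above to a client without putting it on a command line, by writing a registry auth file from stdin. The function name `acr_write_auth` and the accepted token character set are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: persist an ACR refresh token as a registry auth file.
# The token is read from stdin, so it never shows up in argv or `ps` output.

# User name the thread pairs with a refresh token in `docker login`.
ACR_TOKEN_USER="00000000-0000-0000-0000-000000000000"

# Usage: <command printing the token> | acr_write_auth REGISTRY AUTHFILE
acr_write_auth() {
    registry=$1
    authfile=$2
    # Accept a final line with or without a trailing newline.
    IFS= read -r token || [ -n "$token" ] || { echo "no token on stdin" >&2; return 1; }
    # Assumption: registry is a plain host name, token is dot-separated base64/base64url.
    # Anything else could break out of the JSON string, so refuse it.
    case $registry in
        ''|*[!A-Za-z0-9.-]*) echo "unexpected registry name" >&2; return 1 ;;
    esac
    case $token in
        ''|*[!A-Za-z0-9._~+/=-]*) echo "unexpected character in token" >&2; return 1 ;;
    esac
    # Same "auth" value docker login would store: base64(user:password), unwrapped.
    auth=$(printf '%s:%s' "$ACR_TOKEN_USER" "$token" | base64 | tr -d '\n')
    # mktemp creates the file owner-only (0600) before the secret is written;
    # mv then replaces any older, possibly wider-permission file atomically.
    tmp=$(mktemp "$authfile.XXXXXX") || return 1
    rc=0
    printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$registry" "$auth" > "$tmp" &&
        mv "$tmp" "$authfile" || { rm -f "$tmp"; rc=1; }
    unset token auth
    return "$rc"
}
```

skopeo accepts the resulting file through `--authfile`, and Docker reads the same format from `config.json` in the directory given by `--config`.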

@yugangw-msft
Contributor

So to address the ask here, maybe az acr login can expose a flag of --skip-docker-login and do like aws ecr does to output a docker login command for users to copy away.
@cwebbtw, will this help?

@haroldrandom added Container Registry az acr Feature Request Service Attention labels Oct 25, 2019
@yugangw-msft self-assigned this Nov 8, 2019
@noamichael

@yugangw-msft Instead of outputting a docker login command, can we have a way to just expose the token? I'd like to use skopeo to manage images in ACR.

@yugangw-msft
Contributor

@noamichael, the command outputted will have the token that you can grep with.

@Wwwsylvia, please pick up this issue after done with CLI ones. Let me know if you have any questions
/CC: @shizhMSFT
