Docker Login with service principal #23

Closed
tofran opened this issue Dec 10, 2020 · 2 comments

@tofran

tofran commented Dec 10, 2020

Hello, I'm having a hard time authenticating with docker with a service principal on GitHub actions.
Unfortunately I could not find any documentation regarding this practice on GitHub actions.

What I want to achieve

On a test machine I can do the following:

az login --service-principal -u XXXX -p XXXX --tenant XXXX

az acr login --name REGISTRY

This will set up az and configure .docker/config.json.
This is expected as documented in Authenticate with an Azure container registry

Why?

The current azure/docker-login@v1 only allows authentication with the registry admin user and password. This is no good if you want to properly manage permissions.
Use case: you have multiple systems that need to use the registry. If you use the admin access keys it means that the same key will be in use in multiple places. This is not a good practice, making, for example, rotating a key very impractical.

What I have tried?

As expected azure/docker-login@v1 works as expected authenticating az with a service principal:

      - name: Azure authentication
        uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

After this I tried azure/CLI@v1 in order to do the az acr login as above:

      - name: Azure CLI script
        uses: azure/CLI@v1
        with:
          inlineScript: az acr login --name ${{ secrets.CONTAINER_REGISTRY_URL }}

But unfortunately this will not work because inside the action you do not have docker:

Starting script execution via docker image mcr.microsoft.com/azure-cli:latest
The login server endpoint suffix '.azurecr.io' is automatically omitted.
You may want to use 'az acr login -n XXXX --expose-token' to get an access token, which does not require Docker to be installed.
An error occurred: DOCKER_COMMAND_ERROR
Please verify if Docker client is installed and running.
Error: Error: az cli script failed.
cleaning up container...

Expected behaviour

I should be able to use azure/docker-login@v1 and it would use the current az authenticated service principal.

Thank you in advance

@thesattiraju
Contributor

Have you tried this:

- uses: azure/docker-login@v1
  with:
    login-server: contoso.azurecr.io
    username: ${{ secrets.REGISTRY_USERNAME }}
    password: ${{ secrets.REGISTRY_PASSWORD }}

- run: |
    docker build . -t contoso.azurecr.io/k8sdemo:${{ github.sha }}
    docker push contoso.azurecr.io/k8sdemo:${{ github.sha }}

Where you can set the REGISTRY_USERNAME as your service principal id and REGISTRY_PASSWORD as your service principal key.

@thesattiraju thesattiraju self-assigned this Dec 17, 2020
@tofran
Author

tofran commented Dec 17, 2020

@DS-MS
Yes that was exactly what I was looking for, thank you 🙏

Just to leave it here:

  • the username is the SP clientId
  • and the password is the SP clientSecret

And sorry, it looks like it is documented here: Azure Container Registry authentication with service principals

closing
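
An added example, not part of the original thread or the project's documentation: a workflow that reuses the service principal session from azure/login@v1 by following the `--expose-token` hint in the error output above, so no separate registry secrets are stored. It assumes a GitHub-hosted Ubuntu runner with az and docker on the host; the workflow name, the `REGISTRY_NAME` variable and the `contoso` value are constructed for illustration.

```yaml
# Added example: names and values below are constructed for illustration.
name: build-and-push
on:
  push:
    branches: [main]

env:
  REGISTRY_NAME: contoso   # assumption: ACR name without the .azurecr.io suffix

jobs:
  push-image:
    runs-on: ubuntu-latest # assumption: hosted runner with az and docker on the host
    steps:
      - uses: actions/checkout@v4

      # Same step as in the issue: log az in as the service principal.
      # The principal needs push rights on the registry (for example the AcrPush role).
      - name: Azure authentication
        uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      # Runs on the runner host, where Docker is installed, instead of inside
      # the azure/CLI@v1 container that produced DOCKER_COMMAND_ERROR.
      - name: Docker login with a token for the logged-in service principal
        run: |
          set -euo pipefail
          token="$(az acr login --name "$REGISTRY_NAME" --expose-token \
            --query accessToken --output tsv)"
          # Keep the short-lived token out of the job log.
          echo "::add-mask::$token"
          # All-zero GUID is ACR's documented username for access-token logins;
          # --password-stdin keeps the token out of the process arguments.
          printf '%s' "$token" | docker login "$REGISTRY_NAME.azurecr.io" \
            --username 00000000-0000-0000-0000-000000000000 --password-stdin

      - name: Build and push
        run: |
          docker build . -t "$REGISTRY_NAME.azurecr.io/k8sdemo:${{ github.sha }}"
          docker push "$REGISTRY_NAME.azurecr.io/k8sdemo:${{ github.sha }}"
```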
