K
Q

Can't pull image from Azure Container Registry - pull denied

7/3/2018

I log in successfully, but cannot pull:

PS C:\Users\Me> docker login tlk8s.azurecr.io
Username (myUsername): Password:
Login Succeeded
PS C:\Users\Me> docker pull tlk8s.azurecr.io/devicecloudwebapi:v1
Error response from daemon: pull access denied for tlk8s.azurecr.io/devicecloudwebapi, repository does not exist or may require 'docker login'

But it seems like I'm naming it correctly (see screenshot):

enter image description here

What could I be doing wrong? How do I check to see if my service principal has the correct permissions?

Here's the result of calling Get-AzureRmRoleAssignment:

enter image description here

-- Slothario
azure
azure-container-registry
docker
kubernetes

Similar Questions

"permanent" GKE kubectl service account authentication
Kubernetes Ingress/Load-Balancing on AWS
Kubernetes tls certificate issier not issuing
k8s Operator SDK - how to get actual CRD state
ALB ingress mixed private and internet facing paths
How do I "freeze" an nfs mount in kubernetes to snapshot it if fsfreeze sends operation not permitted?

2 Answers

7/9/2018

It looks like I had contributor access, but my container registry was in a different resource group than my service principal. D'oh.

-- Slothario
Source: StackOverflow
7/3/2018

Per documentation below, the Service Principal account must have at least Reader role to be able to pull images from the Azure Container Registry.

https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication

You can run the following PS script to list the existing role assignments for your Service Principal account.

https://github.com/evandropaula/Azure/blob/master/ServicePrincipal/PS/List-ServicePrincipalRoleAssignments.ps1

You can run the following PS script to assign a role (e.g. Reader) to your Service Principal account.

https://github.com/evandropaula/Azure/blob/master/ServicePrincipal/PS/Assign-ServicePrincipalRole.ps1

-- Evandro Paula
Source: StackOverflow