Azure DevOps new service stuck at Loading Registries - Stack Overflow

I'm trying to create a CI/CD pipeline using Azure DevOps. I use Docker for the image of the app. Short background: so far I've worked on tenant A. I had set up everything there without any issues. Now the client gave me access to their tenant B. When I try to make a service connection with ACR, I get to choose Subscriptions. I can see two of my tenant A's subscriptions and one for the client's tenant B subscription. If I choose tenant B's subscription, I get Loading Registries, and it rolls on forever. If I select tenant A's subscription, no issues, I can select the ACR etc.

I did research on this, cleared caches, tried from incognitos whatsoever, but still no luck. I have a User Access Administrator role, which is, I assume, enough for me to be able to link this thing. Has anyone faced this issue lately, and how did you overcome it?

Bonus info from the console:

{
    "$id": "1",
    "innerException": null,
    "message": "TF400898: An Internal Error Occurred. Activity Id: 34...",
    "typeName": "Microsoft.Identity.Client.MsalUiRequiredException, Microsoft.Identity.Client",
    "typeKey": "MsalUiRequiredException",
    "errorCode": 0,
    "eventId": 0
}

asked Mar 7 at 11:58 by anthino12, edited Mar 7 at 12:27
  • Hi @anthino12, Good day to you. May I know the latest status of the issue and if you have got a chance to test my workaround below to use Docker@1 with a manually created ARM service connection? Hope it may help resolve the issue in this post. Look forward to your reply and wish you a lovely weekend. – Alvin Zhao Commented Mar 14 at 9:16
  • Hi @anthino12, Hope you are doing well. Would you let us know the latest status of the issue? May I know if the workaround to use Docker@1 task referencing an ARM service connection with an underlying MSI could help resolve your query in this post? Thx for the sharing. – Alvin Zhao Commented Mar 18 at 8:02
  • Hey @AlvinZhao-MSFT, sorry for the late reply. I found a workaround and asked the client to give me AAD admin based roles. After that everything worked fine. – anthino12 Commented Mar 18 at 8:34
  • Hi @anthino12, Many thanks for the update. I have also edited the answer to briefly introduce the requirements. Hope it may help others with similar concerns. Appreciate the cooperation. Cheers! – Alvin Zhao Commented Mar 18 at 9:08
1 Answer

Update

Creating an ACR Docker Registry service connection with Service Principal or Workload Federation Identity in Azure DevOps requires the user to have not only the permissions (like the Owner or User Access Administrator role) in the Azure subscription, but also the permissions to create a service principal (app registration) in AAD.

The issue was resolved after the client in Tenant B granted the user AAD admin based roles that allowed service principal creation.


It’s possible that conditional access policies are restricting guest users in tenant B. Additionally, based on the current description, there’s also a chance that you lack the necessary permissions to create a new service principal (App Registration) in Microsoft Entra ID for tenant B, which is required for authenticating the Azure Docker Registry service connection.

Since you have already been granted the User Access Administrator role for the subscription in tenant B, you can try the following workaround: set up an Azure Resource Manager (ARM) service connection with a user-assigned managed identity for authentication. Below are the key steps:

  1. Create an MSI in the subscription of tenant B (The User Access Administrator role does not grant permissions to create resources; you may need to assign yourself the Contributor role to proceed.) -> collect its Client ID and the ids of its originating subscription and tenant;

  2. Navigate to your Azure DevOps organization -> Project Settings -> Pipelines -> Service connections -> Create a new ARM service connection -> Select App registration or managed identity (manual) with Workload identity federation -> Provide a service connection name;

  3. Input the Subscription ID, Subscription name, Application (client) ID and Directory (tenant) ID -> Collect the Issuer and Subject identifier values;

  4. Create a federated credential for the MSI with the Issuer and Subject identifier values obtained from the ARM service connection;

  5. Grant the MSI the required role(s) (AcrPush role in my sample) to access your ACR resource;

  6. Browse back to Azure DevOps -> Verify and save the ARM service connection;

The ARM service connection should be used in the Docker@1, AzureCLI@2 or AzurePowerShell@5 tasks.

variables:
  myACR: xxxACRxxx

pool:
  vmImage: windows-latest

steps:
- task: AzureCLI@2
  inputs:
    azureSubscription: 'ARMSvcCnnACR'
    scriptType: 'pscore'
    scriptLocation: 'inlineScript'
    inlineScript: |
      az acr login --name $(myACR)
      $sourceImage = "$(myACR).azurecr.io/test/repo:local1"
      docker pull $sourceImage
     
      $tagetImage = "$(myACR).azurecr.io/test/repo:$(Build.BuildId)"
      docker tag $sourceImage $tagetImage
      docker images

- task: Docker@1
  inputs:
    containerregistrytype: 'Azure Container Registry'
    azureSubscriptionEndpoint: 'ARMSvcCnnACR'
    azureContainerRegistry: '$(myACR).azurecr.io'
    command: 'Push an image'
    imageName: 'test/repo:$(Build.BuildId)'
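
Steps 1, 4 and 5 of the workaround above can also be done from the Azure CLI. The script below is an added example, not part of the original answer; the identity name, resource group, registry name and the issuer/subject values are placeholders (assumptions) to replace with your own, and the role is scoped to the single registry rather than the whole subscription.

```powershell
# Added example (not from the original answer). All values in <...> and the
# identity/credential names are placeholders chosen for illustration.
$subscriptionId = '<tenant-B-subscription-id>'
$resourceGroup  = '<resource-group>'
$acrName        = '<acr-name>'
$identityName   = 'id-ado-acr-push'        # hypothetical MSI name
# Copy these two values from the draft ARM service connection (step 3).
$issuer         = '<Issuer shown by Azure DevOps>'
$subject        = '<Subject identifier shown by Azure DevOps>'

function Assert-AzOk([string]$what) {
    # az is a native command, so check its exit code explicitly.
    if ($LASTEXITCODE -ne 0) { throw "$what failed (exit code $LASTEXITCODE)" }
}

az account set --subscription $subscriptionId
Assert-AzOk 'az account set'

# Step 1: create the user-assigned managed identity and collect its IDs.
$mi = az identity create --name $identityName --resource-group $resourceGroup |
    ConvertFrom-Json
Assert-AzOk 'az identity create'
"Application (client) ID: $($mi.clientId)"
"Directory (tenant) ID:   $($mi.tenantId)"

# Step 4: trust tokens issued for the Azure DevOps service connection.
az identity federated-credential create `
    --name 'ado-service-connection' `
    --identity-name $identityName `
    --resource-group $resourceGroup `
    --issuer $issuer `
    --subject $subject `
    --audiences 'api://AzureADTokenExchange'
Assert-AzOk 'az identity federated-credential create'

# Step 5: grant AcrPush on this registry only, not on the subscription.
$acrId = az acr show --name $acrName --query id --output tsv
Assert-AzOk 'az acr show'
az role assignment create `
    --assignee-object-id $mi.principalId `
    --assignee-principal-type ServicePrincipal `
    --role AcrPush `
    --scope $acrId
Assert-AzOk 'az role assignment create'
```

The client and tenant IDs printed after step 1 are the values entered in step 3; the service connection is then verified and saved in Azure DevOps as in step 6.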
