Description
Describe the bug
An ACR task can only pull a base image from another private ACR once.
I have checked #774 and tried to follow the same procedure. I remember only the system-managed identity can access a private ACR.
I compared the script I wrote but do not see any difference from the solution in issue 774.
To Reproduce
Steps to reproduce the behaviour:
(All under Cloud Shell)
Preparing resources:
```bash
ranNum=$(echo $RANDOM)
rG=acr${ranNum}
acr1=acr${ranNum}build   # registry that runs the task
acr2=acr${ranNum}base    # registry that holds the base image (made private below)
location=southeastasia
az group create -n ${rG} -l ${location} -o none
az acr create -n ${acr1} -g ${rG} --sku Basic -o none
az acr create -n ${acr2} -g ${rG} --sku Premium -o none
baseCrResId=$(az acr show -n ${acr2} --query "id" -o tsv)
az acr import --name ${acr2} \
  --source public.ecr.aws/nginx/nginx:alpine \
  --image webserver/nginx:alpine -o none
```
Set the ACR where the base image is to private:
```bash
az acr update -n ${acr2} -g ${rG} -o none \
  --public-network-enabled false \
  --allow-trusted-services true
```
Preparing task (using system-assigned task managed identity):
```bash
tempDir1=$(mktemp -d)
# Unquoted EOF: ${acr2} expands now, \$Registry and \$ID stay literal for the task runtime
cat <<EOF > ${tempDir1}/task.yaml
version: v1.1.0
steps:
  - build: -t \$Registry/nginx:\$ID -f Dockerfile . --build-arg BASE_REGISTRY=${acr2}.azurecr.io
  - push: ["\$Registry/nginx:\$ID"]
EOF
az acr task create \
  --registry ${acr1} -o none \
  --name nginx-build \
  --base-image-trigger-enabled false \
  --commit-trigger-enabled false \
  --context "/dev/null" \
  --file ${tempDir1}/task.yaml
az acr task identity assign \
  --registry ${acr1} -o none \
  --name nginx-build \
  --identities [system]
```
Granting permission:
```bash
taskObjectId=$(az acr task show \
  --registry ${acr1} -o tsv \
  --name nginx-build \
  --query "identity.principalId")
# AcrPull for the task's system identity on the base registry
az role assignment create \
  --assignee-object-id ${taskObjectId} \
  --assignee-principal-type ServicePrincipal \
  --scope ${baseCrResId} -o none \
  --role "acrpull"
# Tell the task to authenticate to the base registry with that identity
az acr task credential add \
  --registry ${acr1} -o none \
  --name nginx-build \
  --login-server ${acr2}.azurecr.io \
  --use-identity [system]
```
Creating Dockerfile:
```bash
tempDir2=$(mktemp -d)
cat <<'EOF' > ${tempDir2}/Dockerfile
ARG BASE_REGISTRY
FROM ${BASE_REGISTRY}/webserver/nginx:alpine
EOF
```
Now, run:
```bash
## The following command will only work once
az acr task run \
  --registry ${acr1} -o none \
  --name nginx-build \
  --context ${tempDir2}
```
It succeeds on the first try:
And fails after that:
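Added example (not part of the issue or of the Azure CLI): a preflight check over the JSON that `az acr task show`, `az acr show` and `az role assignment list` print, verifying each prerequisite the procedure above sets up (system identity, `[system]` credential for the base login server, trusted-services bypass on the private registry, AcrPull assignment). The field names are assumed from the CLI output, and the three sample documents are constructed placeholders.

```python
import json

# Constructed samples shaped like Azure CLI JSON (field names assumed from
# `az acr task show`, `az acr show` and `az role assignment list`); names and IDs are placeholders.
BASE_LOGIN_SERVER = "acr12345base.azurecr.io"
BASE_ID = "/subscriptions/SUB-ID/resourceGroups/acr12345/providers/Microsoft.ContainerRegistry/registries/acr12345base"
PRINCIPAL_ID = "00000000-0000-0000-0000-000000000000"

TASK_JSON = json.dumps({  # az acr task show --registry <build acr> --name nginx-build
    "name": "nginx-build",
    "identity": {"type": "SystemAssigned", "principalId": PRINCIPAL_ID},
    "credentials": {"customRegistries": {
        BASE_LOGIN_SERVER: {"identity": "[system]", "userName": None, "password": None}}},
})
BASE_REGISTRY_JSON = json.dumps({  # az acr show -n <base acr>
    "id": BASE_ID, "loginServer": BASE_LOGIN_SERVER,
    "publicNetworkAccess": "Disabled", "networkRuleBypassOptions": "AzureServices",
})
ROLE_ASSIGNMENTS_JSON = json.dumps([  # az role assignment list --scope <base acr id>
    {"principalId": PRINCIPAL_ID, "roleDefinitionName": "AcrPull", "scope": BASE_ID},
])


def preflight(task_json, base_registry_json, role_assignments_json):
    """Return the prerequisites from the procedure that are missing (empty list = all present)."""
    task, base = json.loads(task_json), json.loads(base_registry_json)
    roles, problems = json.loads(role_assignments_json), []
    # 1. The task must carry a system-assigned identity with a principal ID.
    ident = task.get("identity") or {}
    principal = ident.get("principalId")
    if ident.get("type") != "SystemAssigned" or not principal:
        problems.append("task has no system-assigned identity")
    # 2. The task credential for the base login server must bind the [system] identity.
    entry = ((task.get("credentials") or {}).get("customRegistries") or {}).get(base["loginServer"])
    if entry is None:
        problems.append(f"no task credential for {base['loginServer']}")
    elif entry.get("identity") != "[system]":
        problems.append("task credential does not use the [system] identity")
    # 3. A private base registry must let trusted Azure services bypass its network rules.
    if base.get("publicNetworkAccess") == "Disabled" and base.get("networkRuleBypassOptions") != "AzureServices":
        problems.append("base registry is private but does not allow trusted services")
    # 4. The identity needs AcrPull on the registry itself or on a parent scope.
    if not any(r.get("principalId") == principal and r.get("roleDefinitionName", "").lower() == "acrpull"
               and base["id"].lower().startswith(r.get("scope", "").lower()) for r in roles):
        problems.append("task identity has no AcrPull assignment covering the base registry")
    return problems
```

Run it against the real output of the three commands after the second `az acr task run` fails to see which prerequisite, if any, has drifted between runs.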
Expected behavior
An ACR task should be able to pull an image from another private ACR by using a system-assigned managed identity.
If any information is a concern to post here, you can create a support ticket or send an email to [email protected].