Pull image from private Azure Container Registry using Managed Identity

I’m trying to pull from a private ACR from an Azure VM using Managed Identity. The image is defined in the job definition.

stages:
    - test-runner

my-job:
    stage: test-runner
    tags:
        - dev-runner
    image: <located in private acr>
    script:
        - echo "Hello world"

When the pipeline starts it attempts to pull the image and fails with error “unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information. (manager.go:237:0s)”

From the VM command line, if I run az login --identity and az acr login --name <registry>, then the .docker/config.json file gets updated with the auth and identity token, and the pipeline works until the token expires with error “unauthorized: authentication required (manager.go:237:0s)”.

I don’t see how the DOCKER_AUTH_CONFIGS would work with managed identity. Any suggestions?

One option could be to use (unfortunately deprecated) GitHub - Azure/acr-docker-credential-helper: This is a wrapper for Docker Credential helpers created by Azure Container Registry (ACR) team. This tool allows Azure Active Directory (AAD) based login (haven’t used in a while) and set your DOCKER_AUTH_CONFIGS to

{
  "credsStore": "acr-linux"
}

I am not sure if the acr helper still works, tho.

Another option is to run a cron job on the VM that would run the Azure CLI commands periodically to renew the token in Docker config.json.

Last resort could be to have a dedicated Service Principal and not use the managed identity.

@balonik - Thanks for the input. I didn’t try the acr-docker-credential-helper because it is deprecated.

I had the same thought about the cron job. I’d prefer to have the runner handle the auth once configured, but running the cron job should be a workable workaround.

I will look into the point about Service Principal as that is something I hadn’t thought of or investigated.

I checked with other team members and they had previously come to the same conclusion. The best solution is the cron job.

Run az login --identity once. Then set a cron job to periodically refresh the auth token:

0 * * * * az acr login --name <private registry>


Old thread, but just chiming in. I had a similar ask and found using managed identity is the way to go, assuming all things Azure.
Here is my code; it may provide some help. My runner is shell with az cli, or you could use a custom image if you prefer. Just make sure you grant the VM the ACR pull role. HTH

pull_image:
    stage: pull_image
    script:
        - echo "Log in to Azure using Managed Identity"
        - az login --identity --allow-no-subscriptions
        - echo "Logging into ACR using managed identity..."
        - az acr login --name $ACR_NAME
        - echo "Pulling Docker image from ACR"
        - docker pull $ACR_IMAGE
        - echo "Listing Docker images to verify"
        - docker images
    tags:
        - shell
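Both the hourly cron job above and the per-job az acr login re-authenticate blindly on a timer. The added example below (not code from this thread or from Azure) refreshes only when the token stored in the docker config is missing, unreadable, or about to expire, so a pipeline never runs with a token that dies mid-pull and the VM is not hammering the identity endpoint every hour. It assumes az acr login stores the ACR refresh token as a docker login with the all-zero GUID username, that the token is a JWT with an exp claim, and the runner's config path and registry name are placeholders.

```python
import base64
import json
import subprocess
import time

# Username docker login uses when az acr login stores an ACR refresh token (assumption).
ACR_TOKEN_USER = "00000000-0000-0000-0000-000000000000"
CONFIG_PATH = "/home/gitlab-runner/.docker/config.json"  # hypothetical runner path


def _b64url(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def jwt_exp(token: str) -> int:
    """Read the 'exp' claim without verifying the signature: this only decides
    when to refresh; the registry still validates the token on every pull."""
    _header, payload, _sig = token.split(".")
    return int(json.loads(_b64url(payload))["exp"])


def acr_token(config: dict, registry: str):
    """Return the ACR token stored for `registry` in a docker config dict, else None."""
    entry = config.get("auths", {}).get(registry, {})
    if "identitytoken" in entry:
        return entry["identitytoken"]
    if "auth" in entry:  # base64("user:secret"), as written by docker login
        user, _, secret = base64.b64decode(entry["auth"]).decode().partition(":")
        if user == ACR_TOKEN_USER:
            return secret
    return None


def needs_refresh(config: dict, registry: str, now: float, margin: int = 600) -> bool:
    """True when no token is stored, it cannot be parsed, or it expires within `margin` seconds."""
    token = acr_token(config, registry)
    if token is None:
        return True
    try:
        return jwt_exp(token) - now < margin
    except (ValueError, KeyError):
        return True


def make_sample_config(registry: str, exp: int) -> dict:
    """Constructed sample: an unsigned JWT with only an exp claim, stored as docker login would."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    token = f"{enc({'alg': 'none'})}.{enc({'exp': exp})}."
    auth = base64.b64encode(f"{ACR_TOKEN_USER}:{token}".encode()).decode()
    return {"auths": {registry: {"auth": auth}}}


if __name__ == "__main__":
    with open(CONFIG_PATH) as fh:
        cfg = json.load(fh)
    if needs_refresh(cfg, "myregistry.azurecr.io", time.time()):  # placeholder registry
        subprocess.run(["az", "login", "--identity", "--allow-no-subscriptions"], check=True)
        subprocess.run(["az", "acr", "login", "--name", "myregistry"], check=True)
```

Run it from cron every few minutes, or as a before_script step, and it only calls az when the stored token has under ten minutes left.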