Create service endpoint connections to Docker registry & ACR


Is your feature request related to a problem? Please describe.
I want to automate the creation of Azure DevOps projects & pipelines completely with no manual steps.
I need to define a service connection to an Azure container registry for use in my pipelines, but cannot, as the CLI doesn’t support it.

Describe the solution you’d like
Add a new ‘service-endpoint-type’ of docker to the existing az devops service-endpoint create command. This should initially support Docker Hub and Azure Container Registry (ACR).

e.g.

az devops service-endpoint create \
  --service-endpoint-type docker \
  --name myAcrConnection \
  --docker-registry-type azure \
  --docker-acr-registry myregistry.azurecr.io \
  --azure-rm-subscription-id blah-blah \
  --azure-rm-service-principal-id blah-blah \
  --azure-rm-tenant-id blah-blah

I would like to provide my own service principal details, much like the --service-endpoint-type azurerm type accepts. Please use the same command line parameters for these details. Also, when accepting the service principal secret/key from the environment variable, please use the same name, i.e. AZURE_DEVOPS_EXT_AZURE_RM_SERVICE_PRINCIPAL_KEY

For Dockerhub

az devops service-endpoint create \
  --service-endpoint-type docker \
  --name myDockerhubConnection \
  --docker-registry-type dockerhub \
  --docker-hub-user foobar

And accept the password from the AZURE_DEVOPS_EXT_DOCKERHUB_PASSWORD environment variable.

Additional context
None

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Reactions: 5
  • Comments: 8 (3 by maintainers)

Top GitHub Comments

1 reaction
atbagga commented, Oct 7, 2019

@DexterPOSH As documented here - https://docs.microsoft.com/en-us/azure/devops/cli/service_endpoint?view=azure-devops#create-service-endpoint-using-configuration-file - you can capture the JSON POST request in the _apis/serviceendpoint/endpoints call and send the same…

It looks like this for ACR:

{
    "authorization": {
        "scheme": "ServicePrincipal",
        "parameters": {
            "loginServer": "<ACR_NAME>.azurecr.io",
            "role": "ROLE_ID",
            "scope": "<ACR_ID - You can get this from az acr show -o json command>",
            "servicePrincipalId": "<placeholder>", ## Remove this comment and it is NOT NEEDED to fill this placeholder, keep this line as is.
            "tenantId": "<You can get this from az account show command>"
        }
    },
    "data": {
        "appObjectId": "",
        "azureSpnPermissions": "",
        "azureSpnRoleAssignmentId": "",
        "registryId": "<ACR ID - You can get this from az acr show -o json command>",
        "registrytype": "ACR",
        "spnObjectId": "",
        "subscriptionId": "SUBSCRIPTION ID - You can get this from az account show command",
        "subscriptionName": "SUBSCRIPTION NAME"
    },
    "description": "",
    "groupScopeId": null,
    "name": "<NAME OF THE NEW ACR SERVICE CONNECTION YOU ARE TRYING TO CREATE>",
    "operationStatus": null,
    "readersGroup": null,
    "serviceEndpointProjectReferences": null,
    "type": "dockerregistry",
    "url": "https://<ACR_NAME>.azurecr.io",
    "isShared": false,
    "owner": "library"
}

0 reactions
xsurfer commented, Nov 6, 2020

Hi, is there any update on this issue? Unfortunately I am not able to create a service connection using CLI and a Service Principal. Any help?

I am using the following command:

az devops service-endpoint create --service-endpoint-configuration .\service-endpoint-Fabio.json --org https://dev.azure.com/my-org -p "my project" --verbose

I use the following JSON as input file:

{
    "administratorsGroup": null,
    "authorization": {
        "scheme": "ServicePrincipal",
        "parameters": {
            "loginServer": "imdcontainerregdev.azurecr.io",
            "scope": "/subscriptions/c7f5c8f1-daef-4ccd-9064-3c513c1842dd/resourceGroups/AZ-RG-iMD-Dev-01/providers/Microsoft.ContainerRegistry/registries/imdContainerRegDev",
            "servicePrincipalId": "8fd3eb13-06df-4275-bb40-cdb214e15331",
            "tenantId": "3596192b-fdf5-4e2c-a6fa-acb706c963d8"
        }
    },
    "createdBy": null,
    "data": {
        "appObjectId": "",
        "azureSpnPermissions": "",
        "azureSpnRoleAssignmentId": "",
        "registryId": "/subscriptions/c7f5c8f1-daef-4ccd-9064-3c513c1842dd/resourceGroups/AZ-RG-iMD-Dev-01/providers/Microsoft.ContainerRegistry/registries/imdContainerRegDev",
        "registrytype": "ACR",
        "spnObjectId": "",
        "subscriptionId": "c7f5c8f1-daef-4ccd-9064-3c513c1842dd",
        "subscriptionName": "<my sub name>"
    },
    "description": "",
    "groupScopeId": null,
    "name": "testName3",
    "operationStatus": null,
    "readersGroup": null,
    "serviceEndpointProjectReferences": [
        {
            "description": "",
            "name": "testName3",
            "projectReference": {
                "id": "9db72eba-13e1-4dc5-a246-b463b54f71d8",
                "name": "<my project name>"
            }
        }
    ],
    "type": "dockerregistry",
    "url": "https://imdcontainerregdev.azurecr.io",
    "isShared": false,
    "owner": "library"
}

The creation of the service connection fails as stated in the message below:

"operationStatus": { "state": "Failed", "statusMessage": " Failed to set Azure permission 'RoleAssignmentId: 92ebd7f8-e642-4280-b258-8617f8302d51' for the service principal 'c8adc685-ba0e-4360-9168-e37055b5c507' on subscription ID 'c7f5c8f1-daef-4ccd-9064-3c513c1842dd': error code: Forbidden, inner error code: AuthorizationFailed, inner error message The client 'myemail@corp.com' with object id 'dac3e21d-7931-4a66-9539-0236e2fe914e' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/c7f5c8f1-daef-4ccd-9064-3c513c1842dd/resourceGroups/AZ-RG-iMD-Dev-01/providers/Microsoft.ContainerRegistry/registries/imdContainerRegDev/providers/Microsoft.Authorization/roleAssignments/92ebd7f8-e642-4280-b258-8617f8302d51' or the scope is invalid. If access was recently granted, please refresh your credentials. Ensure that the user has 'Owner' or 'User Access Administrator' permissions on the Subscription." },

Thank you!
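
An added example, not part of the original thread or of the Azure DevOps CLI project: a preflight check for the configuration-file approach discussed in the comments above. It lints the ACR fields of the JSON for internal consistency and checks, from output shaped like `az role assignment list --include-inherited -o json`, whether the caller holds one of the two roles the error message names. The function names, the sample values and the `.azurecr.io` public-cloud suffix are assumptions.

```python
import re

# Layout of the ACR resource ID used for "scope" and "registryId" on this page.
ACR_ID = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/[^/]+"
    r"/providers/Microsoft\.ContainerRegistry/registries/(?P<name>[^/]+)$", re.I)
# Built-in roles the error message on this page names as sufficient.
GRANTING_ROLES = {"Owner", "User Access Administrator"}

def lint_endpoint_config(cfg):
    """Return consistency problems in an ACR service-endpoint config dict."""
    auth, data = cfg["authorization"]["parameters"], cfg["data"]
    m = ACR_ID.match(auth.get("scope", ""))
    if not m:
        return ["scope is not an ACR resource ID"]
    host = m["name"].lower() + ".azurecr.io"  # assumption: Azure public cloud
    checks = [
        (data.get("registryId", "").lower() == auth["scope"].lower(),
         "data.registryId differs from authorization scope"),
        (data.get("subscriptionId", "").lower() == m["sub"].lower(),
         "data.subscriptionId differs from the subscription in scope"),
        (auth.get("loginServer", "").lower() == host,
         "loginServer does not match the registry named in scope"),
        (cfg.get("url", "").lower().rstrip("/") == "https://" + host,
         "url does not match the registry named in scope"),
    ]
    return [msg for ok, msg in checks if not ok]

def can_assign_roles(assignments, scope):
    """True if an assignment at or above `scope` carries a granting role."""
    scope = scope.lower().rstrip("/")
    for a in assignments:
        held = a["scope"].lower().rstrip("/")
        covers = scope == held or scope.startswith(held + "/")
        if covers and a["roleDefinitionName"] in GRANTING_ROLES:
            return True
    return False

# Constructed sample values (not taken from the page).
SUB = "00000000-0000-0000-0000-000000000000"
RG = f"/subscriptions/{SUB}/resourceGroups/rg-demo"
SCOPE = f"{RG}/providers/Microsoft.ContainerRegistry/registries/DemoReg"
SAMPLE_CFG = {
    "authorization": {"scheme": "ServicePrincipal", "parameters": {
        "loginServer": "demoreg.azurecr.io", "scope": SCOPE}},
    "data": {"registryId": SCOPE, "registrytype": "ACR", "subscriptionId": SUB},
    "type": "dockerregistry", "url": "https://demoreg.azurecr.io",
}
# Entries shaped like `az role assignment list --include-inherited -o json`.
CONTRIBUTOR_ONLY = [{"roleDefinitionName": "Contributor", "scope": RG}]
```

Custom roles that include `Microsoft.Authorization/roleAssignments/write` are not recognised by this check; it only looks for the two built-in role names.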
