Azure-pipelines-tasks: DockerV2 Docker Registry (ACR) Service Connection Problems
Required Information
Entering this information will route you directly to the right team and expedite traction.
Question, Bug, or Feature?
Type: Question
Enter Task Name: DockerV2
https://github.com/microsoft/azure-pipelines-tasks/tree/master/Tasks/DockerV2
Issue Description
The requirement to now use the Container Registry Service Connection for Azure Container Registry connections from the DockerV2 task requires the user creating the connection to have both permissions to create a Service Principal and assign it permissions to the ACR itself.
This causes problems for us as we don't want to randomly create ad-hoc Service Principals / Application IDs whenever we want to connect a new service connection. Also the automation which creates the connection will more than likely not have the permissions to do both.
We are currently using V1 which allows usage of a pre-existing Service Principal registered with the AzureRM Service Connection, although I've seen you are moving away from this (#10811), I think this is a major mistake as the majority of the time all services deployed from a pipeline on Azure will be reusing the existing Azure RM service connection.
This causes major headaches if we were to need to maintain a different service connection type every time we need to connect to a different resource type in Azure, which is the logical conclusion of the decision you've made.
There is another request related to this over in the Azure DevOps CLI project here: https://github.com/Azure/azure-devops-cli-extension/issues/706
Can you please fix this in one of these ways (preferred order)?
- Update the DockerV2 Task to support either AzureRM or Docker Registry connection types
- Allow the new Docker Registry service connection to reference the existing Azure RM service connection (nested) when using the Azure Container Registry type
- Allow an existing service principal to be registered as the service connection for Docker Registry ACR types (without it having to generate it on the fly)
Thanks for your help with this.
AdamCoulterOz
All 11 comments
@ksix we are working on the feedback to allow re-use of existing service principal under Docker registry service connection
shashankbarsin
on 7 Aug 2019
@ksix we are working on the feedback to allow re-use of existing service principal under Docker registry service connection
Any update on this enhancement to allow reuse of existing SPN for ACR Service Connection?
AdamOrpen
on 12 Nov 2019
Hi Team , is there any update on this ???
Jyoti492
on 12 Nov 2019
For mitigation, you could enter those details in Other authentication type.
Where you set the username as your existing service principal id and password as the service principal key.
ds-ms
on 13 Nov 2019
Hi Deepak,
But in that case I am not making a ACR connection .
On Wed, 13 Nov 2019 at 7:51 AM, Deepak Sattiraju notifications@github.com
wrote:
For mitigation, you could enter those details in Other authentication
type.
Where you set the username as your existing service principal id and
password as the service principal key.—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
https://github.com/microsoft/azure-pipelines-tasks/issues/11084?email_source=notifications&email_token=AGNG24HGCJ5WYKBDGNHUOWDQTOPVZA5CNFSM4IJ5O6VKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOED5CRUY#issuecomment-553265363,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AGNG24A2AG2Q6TGLW6HPRS3QTOPVZANCNFSM4IJ5O6VA
.
Jyoti492
on 13 Nov 2019
You would if you set the loginServer url to https://your-acr.azurecr.io/
ds-ms
on 13 Nov 2019
no it still doesn't work and gives network connection error
[error]Get *v2/: read tcp 10.232.61.203:43262->52.236.186.80:443: read: connection reset by peer
[error]The process '/bin/docker' failed with exit code 1
Jyoti492
on 13 Nov 2019
@ds-ms your solution works with public agents but we have above issue with private agent
Jyoti492
on 13 Nov 2019
@shashankbarsin @azooinmyluggage is there any update on this?
andyadamides
on 4 Feb 2020
Allowing the re-use of existing ARM service connections would greatly simplify managing service connections. Can that be an alternate option? Even if it means manually entering the ACR name? If that is not an option, we'll likely be forced to manually do the things this task is doing because that would be less to manage than having to create multiple new service connections for each project, especially considering an existing one already has access.
yanjar
on 9 Jul 2020
This issue is stale because it has been open for 180 days with no activity. Remove the stale label or comment on the issue otherwise this will be closed in 5 days
![github-actions[bot] picture](https://avatars.githubusercontent.com/in/15368?v=4&s=40)
github-actions[bot]
on 5 Jan 2021
Related issues
richard-ob
·
3Comments
NatMarchand
·
3Comments
fedemkr
·
3Comments
jared-hexagon
·
3Comments
MikahB
·
3Comments
Most helpful comment
Allowing the re-use of existing ARM service connections would greatly simplify managing service connections. Can that be an alternate option? Even if it means manually entering the ACR name? If that is not an option, we'll likely be forced to manually do the things this task is doing because that would be less to manage than having to create multiple new service connections for each project, especially considering an existing one already has access.