PSKP

Reputation: 1375

How to use an access token generated from the REST API for ACR login?

I am generating an access token using the https://learn.microsoft.com/en-us/rest/api/containerregistry/access-tokens/get-from-login?tabs=HTTP REST endpoint. I am getting an access token, but how do I use it for docker login?

In this doc, https://learn.microsoft.com/en-us/azure/container-registry/container-registry-repository-scoped-permissions, they use the UI and CLI for this, and they also have a username. But when doing it from the REST API, I didn't have any username.

Using the REST API (changed values)

GET /oauth2/token?service=demoregistry.azurecr.io&scope=registry:catalog:* HTTP/1.1
Host: demoregistry.azurecr.io
Authorization: Basic ZGVtb3JlZ2lzdHJ5OmNDZWJ3UU9jN1BzM1poQndGMzg2LzBPdndCZU1vTQ==

Tried

Token (changed values)

Header

{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "QWFG:M237:K2HA:33DK:5PGT:CA3M:DBN3:XOQB:A5QB:I63Q:AT3Q:NQAK"
}

Payload

{
  "jti": "69853560-dc76-4458-8bac-137f33121e39",
  "sub": "demoregistry",
  "nbf": 1669691010,
  "exp": 1669695510,
  "iat": 1669691010,
  "iss": "Azure Container Registry",
  "aud": "demoregistry.azurecr.io",
  "version": "1.0",
  "rid": "f013d21b1c1349ecb85457182a1b1466",
  "access": [
    {
      "Type": "registry",
      "Name": "catalog",
      "Actions": [
        "*"
      ]
    }
  ],
  "roles": [
    "Owner"
  ],
  "grant_type": "access_token"
}

Upvotes: 0

Views: 1277

Answers (2)

favoretti

Reputation: 30207

You don't need that username. Use the token for Bearer authentication.

Do basic auth first using the token creds, then use the access_token in the Authorization: Bearer <access_token> header.

$ ACRT=$(curl -s -u '<tokenusername>:<token>' 'https://somerepo.azurecr.io/oauth2/token?service=somerepo.azurecr.io&scope=repository:*:pull' | jq -r '.access_token')

$ curl -vL -H "Authorization: Bearer ${ACRT}" https://somerepo.azurecr.io/v2/reponame/blobs/sha256:somesha

Upvotes: 0

PSKP

Reputation: 1375

I found an answer: when generating a token from the Az CLI, it gives 00000000-0000-0000-0000-000000000000 as the username, and this username works with tokens generated from the REST API.

Upvotes: 0
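An added example, not part of either answer: before handing a token to docker login, decode its claims (as the question did by hand) and check that it is unexpired, issued for the right registry, and that its access claim covers the operation you need. The function names, the wildcard matching on Name, and the constructed unsigned sample token are assumptions; the claim layout and the username come from the posts above.

```python
import base64, json, subprocess, time

# Username reported in the second answer above.
ACR_TOKEN_USER = "00000000-0000-0000-0000-000000000000"

def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)      # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_allows(token, registry, rtype, name, action, now=None):
    """Return (ok, reason): unexpired, for this registry, and scoped for the action?"""
    c = jwt_claims(token)
    now = time.time() if now is None else now
    if not c.get("nbf", 0) <= now < c.get("exp", 0):
        return False, "token expired or not yet valid"
    if c.get("aud") != registry:
        return False, "audience is %r" % c.get("aud")
    for grant in c.get("access", []):
        # Assumption: "*" in Name or Actions is treated as a wildcard.
        if (grant.get("Type") == rtype and grant.get("Name") in (name, "*")
                and {action, "*"} & set(grant.get("Actions", []))):
            return True, "granted"
    return False, "scope %s:%s:%s not in access claim" % (rtype, name, action)

def docker_login(registry, token):
    """Pass the token on stdin so it stays out of argv and shell history."""
    return subprocess.run(
        ["docker", "login", registry, "--username", ACR_TOKEN_USER, "--password-stdin"],
        input=token.encode(), check=True)

def make_sample_token(claims):
    """Constructed, unsigned token carrying the claims shown in the question."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "sig"])

SAMPLE = make_sample_token({
    "sub": "demoregistry", "nbf": 1669691010, "exp": 1669695510,
    "aud": "demoregistry.azurecr.io",
    "access": [{"Type": "registry", "Name": "catalog", "Actions": ["*"]}],
})

if __name__ == "__main__":
    for scope in [("registry", "catalog", "*"), ("repository", "reponame", "pull")]:
        print(scope, token_allows(SAMPLE, "demoregistry.azurecr.io", *scope, now=1669692000))
```

With the question's claims, the catalog scope is granted while a repository pull is not, so the scope passed to /oauth2/token has to name the operation you intend to perform.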
