Push Docker Image task to ACR fails in Azure "unauthorized: authentication required"

Question

Push and image to Azure Container Registry task in Azure DevOps pipeline fails. Previous tasks are executed fine ie. docker image is created and login to ACR is successful. However, push-task fails with the following result:

unauthorized: authentication required
[error]unauthorized: authentication required
[error]/usr/bin/docker failed with return code: 1
[section]Finishing: Push Docker image

docker push to that given acr works fine from local command line.

# Docker image
# Build a Docker image to deploy, run, or push to a container registry.
# Add steps that use Docker Compose, tag images, push to a registry, run an image, and more:
# https://learn.microsoft.com/azure/devops/pipelines/languages/docker

trigger:
- master

pool:
  vmImage: 'Ubuntu-16.04'

variables:
  imageName: 'renamed:$(build.buildId)'
  azureSubscriptionEndpoint: Renamed
  azureContainerRegistry: renamed.azurecr.io
steps: 
- task: Docker@1
  displayName: Build docker image
  inputs:
    command: Build an image
    dockerFile: Dockerfile
    imageName: $(imageName)
    containerregistrytype: Azure Container Registry
    azureSubscriptionEndpoint: $(azureSubscriptionEndpoint)
    azureContainerRegistry: $(azureContainerRegistry)
- task: Docker@1
  displayName: Login to container registry
  inputs:
    command: login
    containerregistrytype: Azure Container Registry
    azureSubscriptionEndpoint: $(azureSubscriptionEndpoint)
    azureContainerRegistry: $(azureContainerRegistry)
    dockerFile: Dockerfile
    imageName: $(imageName)
- task: Docker@1
  displayName: Push Docker image
  inputs:
    command: Push an image
    containerregistrytype: Azure Container Registry
    azureSubscriptionEndpoint: $(azureSubscriptionEndpoint)
    azureContainerRegistry: $(azureContainerRegistry)
    imageName: $(imageName)

score 13 · Answer 1 · answered Jun 10 '19 at 13:30

13

I had the same issue when I used an Azure Container Registry Service Connection in Azure DevOps.

The work around was to not choose ‘Azure Container Registry’ when creating the Docker Registry Service Connection and to instead choose ‘Others’. Then in the Azure Portal enable admin user on your container registry and use the credentials from that to create the service connection.

answered Jun 10 '19 at 13:30

Steve

313
4
15

5

This solution worked for me. (Thanks, @Steve!) To add a little more detail, in order to enable the admin user option, open your container registry in the portal, go to the "Access keys" tab, and flip the "Admin user" toggle. The user name (which is the same as the registry name) and 2 passwords will then appear below the toggle. Then, in the Service Connection 'Others' form, enter the user name as the Docker ID and use one of the 2 passwords. For Docker Registry, use your ACR's login server as a URL, i.e., `https://yourregistry.azurecr.io`. – user1717528 Jun 11 '19 at 21:40
This problem is still happening to this date. Even tried giving the service principal Contributor rights, but didn't work. Thanks for this solution. – carraua Nov 12 '20 at 15:07
This way worked for me too. Thanks! – Sabri Meviş Aug 30 '23 at 13:21

score 7 · Answer 2 · answered Oct 24 '21 at 20:32

I had this issue when pushing a docker image to Azure Container Registry.

I get the error

unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information.

Here's how I fixed it:

My user already had the Owner role to the Container Registry so I had the permission to push and pull images.

The issue was that the admin_user was not enabled in the Azure Container Registry.

All I had to do was to enable the admin user. This generates a username, password, and password2.

Next, you can log in now to Azure Container Registry using the command:

az acr login --name my-container-registry

Tag your docker image

docker tag image-name:image-tag my-container-registry.azurecr.io/image-name:image-tag

And now push image to Azure Container Registry using the command:

docker push my-container-registry.azurecr.io/image-name:image-tag

That's all

Hey, I've just had to [undo some of your edits](https://stackoverflow.com/posts/1125968/revisions), please see [Should I use tags in titles?](https://stackoverflow.com/help/tagging) — Liam, Nov 15 '21 at 15:40
Adding admin-permissions to Azure DevOps Service Connection seems to work. Doing any such thing sounds stupid but insane. Using Service Principal for `docker push` simply won't work with `Docker@2` task. — Jari Turkia, Nov 25 '21 at 16:36

score 6 · Accepted Answer · answered Apr 03 '19 at 12:31

6

remove the docker login step from your build, docker tasks handle auth for you using azure subscription endpoint (if it is properly configured), if not - give your service principal permissions to acrpush).

answered Apr 03 '19 at 12:31

4c74356b41

69,186
6
100
141

score 5 · Answer 4 · answered Jun 01 '22 at 12:59

Case sensitive issue

I created an ACR name: blaH

I can login: az acr login -n blaH

Uppercase characters are detected in the registry name. When using its server url in docker commands, to avoid authentication errors, use all lowercase.
Login Succeeded

docker build -f Dockerfile -t blaH.azurecr.io/some-app:1.0 ..

unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information.

switch to lowercase h, i.e. docker build -f Dockerfile -t blah.azurecr.io/some-app:1.0 .. & success :

1.0: digest: sha256:b1e6749eae625e6a3fca3eea36466530460e8cd544af67e88687139a37522ba6 size: 1495

note: it even tells me/us but I wasn't reading it ‍♂️, see the warning printed in yellow in the CLI on acr login.

note 2: I stumbled upon this on reviewing the azure portal & notice the login server was all lowercase:

Yep. This was it for me. Have to rename/rebuild/re-tag the image with all lowercase. Note for other: You can't just change the push command to all lowercase, the image name has to be changed. — Adam Winter, Jul 17 '22 at 20:45

score 0 · Answer 5 · answered May 22 '21 at 01:49

0

Go to Project Settings --> Service connection --> Edit --> revalidate the permission

should fix the problem

answered May 22 '21 at 01:49

eric_eri

699
11
19

score 0 · Answer 6 · answered Jun 24 '21 at 17:35

0

In my case I am tagging my images with 433.

ex: <containerRegistryName>.azurecr.io:443/<imageName>

after removing the 433, and tried to push again, it succeeded!

answered Jun 24 '21 at 17:35

VJPPaz

917
7
21

score 0 · Answer 7 · answered Feb 02 '23 at 04:45

0

I had to drop sudo on my final command as nothing was working for me:

docker push acrname.azurecr.io/image:version

answered Feb 02 '23 at 04:45

John Stud

1,506
23
46

score 0 · Answer 8 · answered Mar 23 '23 at 01:43

only putting it here cause it MIGHT help someone who was as dumb as me.

i had an errant extra space at the end of by registry href so i meant to have

https://example.com

but had

https://example.com <--notice the space

since the task matches on exact href...no match, thus no auth token :(

Push Docker Image task to ACR fails in Azure "unauthorized: authentication required"

8 Answers8

Linked

Related