4

I'm trying to deploy the docker container on Azure App Service from Azure DevOps services. I've pushed the docker image to Azure Container Registry. When I try to create the release definition, I am not able to find the service connection for Azure Container Registry. I have created the service connection for ACR but it's not showing up in the list in the Azure DevOps portal.


When I selected 'Azure Container Repository' as the source type, the service connection is not visible in the drop down box. I'm using DockerHub as another option. It's displaying the service connection in the list.

The steps I followed to create the service connection for ACR:

  1. Selected Docker Registry from the list.
  2. Selected Azure Container Registry as Registry Type. Provided the subscription ID and the registry from ACR.
  3. Provided the service connection name and saved.

UPDATE

I have created a service connection for Azure Resource Manager using managed identity authentication by providing both subscription id and tenant id. I'm trying to use this connection in Artifact settings. I got the below error.

> Variable with name endpoint.serviceprincipalid could not be found for the given service connection.


It's failing to pull the docker image from ACR. The logs from App Service show pull access denied for the repository.

Service Connection problem solved but facing docker permission issue from App service

```
2020-02-10 12:31:11.781 INFO  - Pulling image from Docker hub: kbdockerregis/kbdockerimage:15
2020-02-10 12:31:14.406 ERROR - DockerApiException: Docker API responded with status code=NotFound, response={"message":"pull access denied for kbdockerregis/kbdockerimage, repository does not exist or may require 'docker login': denied: requested access to the resource is denied"}
2020-02-10 12:31:14.408 ERROR - Image pull failed: Verify docker image configuration and credentials (if using private repository)
2020-02-10 12:31:14.412 INFO  - Stoping site kbapp1 because it failed during startup.
```

Kumaresh Babu N S
  • I am focusing on this and will continue on your second error. For your first error, it's just because here it only fetches the service connections whose type is azurerm. – Mengdi Liang Feb 10 '20 at 10:26
  • Could you press F12, and then click on the refresh button which is shown in this pic? https://imgur.com/a/mFj7UMZ Next, choose the service connection with which you faced the above error. Let me know what you see in F12. – Mengdi Liang Feb 10 '20 at 10:36
  • I checked our source code, and endpoint.serviceprincipalid is the one which will be added into headers when applying ACR in source. But I want to know what's happening on your side. – Mengdi Liang Feb 10 '20 at 10:38
  • @MerlinLiang-MSFT The site keeps loading. It takes time to display the release settings (Artifact and Staging). – Kumaresh Babu N S Feb 10 '20 at 10:53
  • 1
    Check my below message, and let me know whether **Service Principal Authentication** solved the error. – Mengdi Liang Feb 10 '20 at 11:07

1 Answer

2

> When I selected 'Azure Container Repository' as the source type, the service connection is not visible in the drop down box.

For this first issue, this is because the API our system uses when you choose ACR as the release source is the one shown below:

https://dev.azure.com/{org}/{project}/_apis/serviceendpoint/endpoints?type=azurerm

You can see that the parameter attached to this API is type=azurerm. It only fetches the service connections whose type is Azure Resource Manager. But Container Registry does not belong to this type.

So, you'd better create and use a service connection whose type is Azure Resource Manager.


> Variable with name endpoint.serviceprincipalid could not be found for the given service connection.

For this second issue, I haven't got much info from you (like checking the stack trace). So based on what I know, I'd suggest you change the type from Managed Identity Authentication to Service Principal Authentication. Then follow this doc to configure it.

This is more secure and can be authorized first.


Service Principal Client id, it is the application id after you create the app in Azure app registrations:

enter image description here

Service principal key:

enter image description here


Stack Overflow is an open forum and is not a secure place to share some key info (especially a Fiddler trace) which I need and use to investigate from the backend. You'd better go here, because you can choose Microsoft Only there. If possible, I can go to that community and have that community's engineer show it to me, so that I can continue to dig into it.

Mengdi Liang
  • Thanks @Merlin Liang - MSFT. How to get the values for service principal key in Azure AD? – Kumaresh Babu N S Feb 10 '20 at 11:34
  • 1
    @KumareshBabuNS, **Service principal client ID** is the application ID of the application which is created in the Azure app registration. **Service principal key** is the value of the key that is created in the **settings of the app** created in Azure App registrations – Mengdi Liang Feb 10 '20 at 11:41
  • To make sure, Is the service principal key same as object ID? I didn't get the exact service principal key in App Service portal. – Kumaresh Babu N S Feb 10 '20 at 12:04
  • @KumareshBabuNS, ignore my previous comment, I missed your words. See this to get the service principal key. https://imgur.com/a/7W3wdJ5 – Mengdi Liang Feb 10 '20 at 12:18
  • 1
    @KumareshBabuNS, We have a blog that describes these in great detail. You can see this blog to learn more :-) https://www.azuredevopslabs.com/labs/devopsserver/azureserviceprincipal/ – Mengdi Liang Feb 10 '20 at 12:28
  • Thanks @Merlin Liang - MSFT. Sorry for making trouble, I'm new to Azure cloud. I followed the steps mentioned in an image, it got successfully verified :) – Kumaresh Babu N S Feb 10 '20 at 12:29
  • @KumareshBabuNS, it's okay. I understand, since I had the same trouble as you when I first met Azure :-) So is the release configuration succeeding for you now? – Mengdi Liang Feb 10 '20 at 12:31
  • Nope. I'm still facing the docker login denied issue. – Kumaresh Babu N S Feb 10 '20 at 12:35
  • How to provide permission for docker login in App Service? – Kumaresh Babu N S Feb 10 '20 at 12:36
  • @KumareshBabuNS, What about the error message "Variable with name endpoint.serviceprincipalid could not be found for the given service connection."? Has that disappeared? – Mengdi Liang Feb 10 '20 at 12:37
  • @KumareshBabuNS, I may need the detailed build log here, to see which permission you are lacking. Verified just means the connection to Azure is okay. – Mengdi Liang Feb 10 '20 at 12:37
  • Yes, the error message has disappeared in the portal. – Kumaresh Babu N S Feb 10 '20 at 12:40
  • @KumareshBabuNS, Awesome! Now there is just the permission issue. You could first check by yourself by setting **system.debug** to **true** in the Variables tab. In fact, the detailed log will tell you what you are lacking. – Mengdi Liang Feb 10 '20 at 12:42
  • Yup @Merlin Liang - MSFT I've updated the logs from App Service. – Kumaresh Babu N S Feb 10 '20 at 12:44
  • @KumareshBabuNS, Could you update with the full build log from Azure DevOps? Just paste it [here](https://pastebin.com/). Note: Please set system.debug to true, so that it prints the detailed build log. If possible, adding your pipeline definition would be great! (I just got off work, so my reply will be delayed) – Mengdi Liang Feb 10 '20 at 13:06
  • @KumareshBabuNS Or you can share your pipeline definition and the complete debug log in a new ticket, so that I or others who want to help you can write detailed steps for you. You know, permission denied is separate from the above connection issue. – Mengdi Liang Feb 10 '20 at 13:17
  • Liang- MSFT Sorry for late response. I've shared my pipeline definition in this thread https://stackoverflow.com/questions/60111255/azure-devops-rest-api-to-create-a-release-definition – Kumaresh Babu N S Feb 10 '20 at 15:47
  • Hi @Merlin Liang - MSFT I've fixed the docker login permission issue. I have provided the complete ACR URL in Staging section to fix this issue. It's working good from code change in Azure Repo to running an app on App service. Thanks a lot :) – Kumaresh Babu N S Feb 11 '20 at 07:20
  • SPN is not more secure than managed identity – pabrams Feb 28 '23 at 22:13
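
The App Service log in the question ("Pulling image from Docker hub") and the fix reported in the comments (supplying the complete ACR URL) both follow from how Docker-style image references are resolved: a name without a registry host is pulled from Docker Hub. The check below is an added example, not code from this thread; the login server `kbdockerregis.azurecr.io` is an assumption built from the registry name in the log, and the function names are hypothetical.

```python
"""Added example: which registry will a Docker-style image reference pull from?"""

DOCKER_HUB = "docker.io"


def registry_of(image_ref):
    """Return the registry host a Docker-compatible client contacts."""
    name = image_ref.split("@", 1)[0]          # drop an optional digest
    first, slash, _rest = name.partition("/")
    # Docker's rule: the first component is a registry host only when a "/"
    # follows it and it contains "." or ":" or equals "localhost".
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return DOCKER_HUB


def check_image_for_acr(image_ref, acr_login_server):
    """Return a list of findings; an empty list means the reference is fine."""
    findings = []
    expected = acr_login_server.lower()
    registry = registry_of(image_ref)
    if registry == DOCKER_HUB:
        findings.append(
            f"{image_ref}: no registry host, resolves to Docker Hub; "
            f"use {expected}/<repository>:<tag>"
        )
    elif registry != expected:
        findings.append(f"{image_ref}: points at {registry}, expected {expected}")
    last_component = image_ref.split("@", 1)[0].rsplit("/", 1)[-1]
    if "@" not in image_ref and ":" not in last_component:
        findings.append(f"{image_ref}: no tag or digest, resolves to :latest")
    return findings


if __name__ == "__main__":
    # Assumption: the ACR login server is <registry name>.azurecr.io, with the
    # registry name taken from the App Service log in the question.
    acr = "kbdockerregis.azurecr.io"
    samples = [                                   # constructed sample inputs
        "kbdockerregis/kbdockerimage:15",          # value seen in the log
        "kbdockerregis.azurecr.io/kbdockerimage:15",
        "kbdockerregis.azurecr.io/kbdockerimage",
    ]
    for ref in samples:
        print(ref, "->", check_image_for_acr(ref, acr) or "OK")
```

Running such a check on the image name before the release stage surfaces the Docker Hub fallback at pipeline time instead of as a pull failure when the site starts.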