Azure DevOps: Add Azure Container Registry in Build Pipeline from different account

I want to use an Azure Container Registry of a different account in a Build pipeline in Azure DevOps.

When I try to add a Docker Registry Service Connection and select Azure Container Registry, it only lets me choose between the subscriptions of the current account.

When I try to add the Azure Resource Manager of the Subscription of a different account which contains the Azure Container Registry in the Service Connections, it says it cannot find any Azure Container Registry.

So how do I accomplish this?

Plate answered 24/4, 2019 at 15:30 Comment(2)
My guess is your user account is either a live ID or an enterprise account that can be scoped into both Azure subscriptions, but the DevOps system uses a service principal that has no line of sight outside of the Azure AD boundary. If the two subscriptions don't belong to the same AAD, it could be tricky. Azure support is very responsive, possibly worth a shot. - Guillory
Agree with Kai. Also, what is your access level to the second subscription? You might not have the permissions needed to use ACR in that second subscription. Worth looking into. - Tunstall

I have the same situation in which the Azure Container Registry (ACR) is in a different Azure AD from the Azure DevOps build pipelines.

I'll outline the steps I used:

  • Create an app registration in the Azure AD where the ACR exists.
  • Give it a name like myregistry-app.
  • Go to the myregistry-app Certificates and secrets page and create a new secret. Copy the value as you cannot retrieve it later.
  • Also copy the myregistry-app application id. You can find it on the overview screen.
  • Now go to the ACR Access Control (IAM) screen for your container registry.
  • Add a role assignment and assign the myregistry-app identity the Contributor role.
  • Back in your build pipeline create a Docker task and click on the New button under the Container Registry section.
  • In the popup dialog Add a Docker Registry service connection choose the Others radio button.
  • Put in the URL to your ACR which you can find on the container registry overview page.
  • Use the application id for myregistry-app as the Docker ID.
  • Use the myregistry-app secret for the password.

This is currently working for me. There may be a better way.

Gibun answered 29/4, 2019 at 16:58 Comment(2)
Haha. How did you come up with that workaround? But you put me in the right direction. The ACR actually has a username and password. When I executed 'az acr credential show -n <registry-name>' I got a username and somehow two passwords. I tried the first one and it works as credentials. - Plate
I pieced it together after scouring the internet. I have the impression that it is preferable to use an app/service principal identity as they can be revoked and managed in a more precise manner. - Gibun
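
The portal steps in the answer above can also be scripted with the Azure CLI; the following is an added example, not part of the original thread. It assumes `az login --tenant <tenant-that-owns-the-ACR>` was already run, uses `myregistry` as a placeholder registry name, and assigns the narrower built-in AcrPush or AcrPull role scoped to the single registry rather than the Contributor role used in the answer.

```shell
#!/usr/bin/env bash
# Added example: create a registry-scoped service principal for a
# cross-tenant Azure DevOps "Others" Docker Registry service connection.

# ACR names are 5-50 alphanumeric characters; reject anything else before
# it reaches an az command line.
valid_acr_name() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]{5,50}$'
}

# Map what the pipeline does to the narrowest built-in ACR role.
role_for() {
  case "$1" in
    pull) echo AcrPull ;;
    push) echo AcrPush ;;   # AcrPush also allows pull
    *)    return 1 ;;
  esac
}

# Create the service principal and print the three values the service
# connection form asks for (Docker Registry, Docker ID, Password).
create_registry_sp() {
  local acr="$1" sp_name="$2" access="$3" role acr_id server secret app_id
  valid_acr_name "$acr" || { echo "invalid registry name" >&2; return 2; }
  role=$(role_for "$access") || { echo "access must be pull or push" >&2; return 2; }
  acr_id=$(az acr show --name "$acr" --query id --output tsv) || return 1
  server=$(az acr show --name "$acr" --query loginServer --output tsv) || return 1
  # The secret is returned only once, like the portal secret in the answer.
  secret=$(az ad sp create-for-rbac --name "$sp_name" --scopes "$acr_id" \
             --role "$role" --query password --output tsv) || return 1
  app_id=$(az ad sp list --display-name "$sp_name" \
             --query "[0].appId" --output tsv) || return 1
  printf 'Docker Registry: https://%s\nDocker ID: %s\nPassword: %s\n' \
    "$server" "$app_id" "$secret"
}

# Only talk to Azure when called with all three arguments, e.g.:
#   ./acr-sp.sh myregistry myregistry-app push
if [ "$#" -eq 3 ]; then
  create_registry_sp "$1" "$2" "$3"
fi
```

The output contains the secret in clear text, so run it in a terminal whose output is not logged and paste the values straight into the service connection dialog.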