worried-vr-42710
04/16/2024, 2:06 PM
import pulumi_azuredevops as azuredevops

example_service_endpoint_docker_registry = azuredevops.ServiceEndpointAzureEcr(
    "devRegistryDemo",
    authorization={
        "scheme": "ManagedServiceIdentity",
    },
    service_endpoint_name="devRegistryDemo",
    project_id=example_project.id,
    description="",
    azurecr_subscription_id="xxxx-xxxxxx-xxxxx",
    azurecr_subscription_name="dev",
    azurecr_spn_tenantid="XXXX-XXXX-XXX-XXX",
    azurecr_name="XXXX.azurecr.io",
    resource_group=""
)
but I get this every time:
stderr: error: azuredevops:index/serviceEndpointAzureEcr:ServiceEndpointAzureEcr resource 'devRegistryDemo' has a problem: expected type of "authorization" to be string. Examine values at 'devRegistryDemo.authorization'.
Any idea?
And in the definition, authorization is
authorization: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
thanks in advance!!!
adventurous-butcher-54166
04/17/2024, 10:31 AM
service_endpoint_authentication_scheme="WorkloadIdentityFederation",
If you want the associated service principal (which has the ADO OIDC federated credentials) to only have permissions to push/pull from ACR you'd only assign AcrPush / AcrPull roles – preferably scoped down to the particular registry.
What you then have to do to use this in your pipelines is to add an AzureCLI task in your ADO pipeline before the Docker task to authenticate against the ACR with the AzureRM service connection. Here's a bash version of that... convert it to PowerShell if this is a Windows runner...
- task: AzureCLI@2
  displayName: 'Azure Container Registry Login'
  inputs:
    azureSubscription: $(your-azurerm-oidc-service-connection)
    useGlobalConfig: true
    scriptType: 'bash'
    scriptLocation: inlineScript
    inlineScript: |
      az acr login --name $(your-registry)
And then you can build/push with the Docker task:
- task: Docker@2
  displayName: Build
  inputs:
    command: build
    repository: ${{ parameters.your-registry }}/<your-container-repo>
    dockerfile: ...
    buildContext: ...
    tags: ...
worried-vr-42710
04/18/2024, 12:20 PM
ServiceEndpointAzureRM
I can just use it through AzureRM and give them permissions, right? Thanks, I will try!!! Thanks!!!