Hi, I'm trying to get pulumi to build a docker ima...
# general
Hi, I'm trying to get pulumi to build a docker image and then publish it to my newly created (in the same stack) ACR instance. The ACR has AdminUserEnable = true, and I figured I might be able to use the code in the pulumi docs (https://www.pulumi.com/blog/build-publish-containers-iac/) to get the credentials, then tag/publish the image. However, when I deploy I get this Diagnostics: pulumipulumiStack (traffic-app-basic): error: Running program 'G:\src\aks-pulumi\infrastructure\bin\Debug\netcoreapp3.1\infrastructure.dll' failed with an unhandled exception: Grpc.Core.RpcException: Status(StatusCode="Unknown", Detail="invocation of azure-nativecontainerregistrygetRegistryCredentials returned an error: request failed /subscriptions/50d3206e-7317-4bce-b8ac-34ac81 4fd0f5/resourceGroups/aksrg-basic9f0f894e/providers/Microsoft.ContainerRegistry/registries/registrybasic303721fe/getCredentials: autorest/azure: Service returned an error. Status=400 Code="NoRegisteredProviderFou nd" Message="No registered resource provider found for location 'switzerlandnorth' and API version '2016-06-27-preview' for type 'registries/GetCredentials'. The supported api-versions are '2016-06-27-preview'. T he supported locations are 'westus, eastus, southcentralus, westeurope'."") at async Task<InvokeResponse> Pulumi.GrpcMonitor.InvokeAsync(InvokeRequest request) at async Task<SerializationResult> Pulumi.Deployment.InvokeRawAsync(string token, SerializationResult argsSerializationResult, InvokeOptions options) at async Task<OutputData<T>> Pulumi.Deployment.RawInvoke<T>(string token, InvokeArgs args, InvokeOptions options) at async Task<OutputData<U>> Pulumi.Output<T>.ApplyHelperAsync<U>(Task<OutputData<T>> dataTask, Func<T, Output<U>> func)
I tried that too and the API was not available in my region (Canada), so what I did (in the CI) is that I run `docker login <name of my registry>.azurecr.io -u <service principal id that has push write on the registry> -p <service principal password>`then I don't have to get the credentials from the registry and the push can be pushed because docker daemon is logged in to ACR. Locally, I only do
az acr login -n <name of my registry>
and then run pulumi up and because I have push writes to the registry, the image is pushed to the registry
🙏 1
I'll give that a shot - I thought that is what the DockerBuild object was trying to do (as I changed over to service principals), but that fails as well. How did you get the SP password out of pulumi, its marked as a secret so unless I make an output and then use pulumi output "myspnpass" --show-secrets not sure how i would get that.
It is a service principal that I created with
az ad sp
which is used in my CI pipeline.
but if you create a SP with pulumi you can manage the password and the role assignment:
Copy code
// Create an AD service principal
        var adApp = new Application("aks", new ApplicationArgs
           DisplayName = "aks"
        this.AdApplication = adApp.ApplicationId;

        var adSp = new ServicePrincipal("aksSp", new ServicePrincipalArgs
            ApplicationId = adApp.ApplicationId

        // Create the Service Principal Password
        var adSpPassword = new ServicePrincipalPassword("aksSpPassword", new ServicePrincipalPasswordArgs
            ServicePrincipalId = adSp.Id
        this.AdPassword = adSpPassword.Value;

        _ = new AzureNative.Authorization.RoleAssignment("roleAssignment", new AzureNative.Authorization.RoleAssignmentArgs
            PrincipalId = adSp.Id,
            PrincipalType = "ServicePrincipal",
            RoleDefinitionId = "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
            Scope = "/subscriptions/<subscription id>/resourceGroups/<rg of the acr>/providers/Microsoft.ContainerRegistry/registries/<acr name>",
👍 1