Search code examples
azuredockerazure-container-registry

how to use access token generated from rest api for ACR login?


I am generating Access Token using https://learn.microsoft.com/en-us/rest/api/containerregistry/access-tokens/get-from-login?tabs=HTTP rest endpoint. Getting access token but how to use it for docker login?

https://learn.microsoft.com/en-us/azure/container-registry/container-registry-repository-scoped-permissions in this doc, they are using UI and cli for this. and they have username also. but while doing from rest api, didn't have any username.

Using rest api (changed values)

GET /oauth2/token?service=demoregistry.azurecr.io&scope=registry:catalog:* HTTP/1.1
Host: demoregistry.azurecr.io
Authorization: Basic ZGVtb3JlZ2lzdHJ5OmNDZWJ3UU9jN1BzM1poQndGMzg2LzBPdndCZU1vTQ==

Tried

  • Registry username and access token as the password. (Error unauthorized: incorrect username or password)
  • rid / jti as username and access token as the password (Error unauthorized: Application not registered with AAD)

Token (changed values)

Header

{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "QWFG:M237:K2HA:33DK:5PGT:CA3M:DBN3:XOQB:A5QB:I63Q:AT3Q:NQAK"
}

Payload

{
  "jti": "69853560-dc76-4458-8bac-137f33121e39",
  "sub": "demoregistry",
  "nbf": 1669691010,
  "exp": 1669695510,
  "iat": 1669691010,
  "iss": "Azure Container Registry",
  "aud": "demoregistry.azurecr.io",
  "version": "1.0",
  "rid": "f013d21b1c1349ecb85457182a1b1466",
  "access": [
    {
      "Type": "registry",
      "Name": "catalog",
      "Actions": [
        "*"
      ]
    }
  ],
  "roles": [
    "Owner"
  ],
  "grant_type": "access_token"
}

Solution

  • I found an answer while generating a token from Az cli, it gives 00000000-0000-0000-0000-000000000000 as a username. and this username works with tokens generated from the rest API.