I have a scenario where the quarantine flag is enabled for ACR images and I need to pull the image after it has passed. I have used the below commands in Azure CLI to remove the quarantine flag for a particular ACR image:
export acr_access_token=$(az acr login --name cr --expose-token --output tsv --query accessToken)
# Double quotes around the header value so the shell expands $acr_access_token;
# inside single quotes the literal text "$acr_access_token" would be sent.
curl --header "authorization: Bearer $acr_access_token" \
  --header 'Host: cr.azurecr.io' \
  --request PATCH --url https://cr.azurecr.io/acr/v1/msc-todo/_manifests/sha256:651d76853edb22c702bb30aeb099a411015e92a347182fe6028f81efc8ef47f4 \
  --data '{"quarantineState": "Passed", "quarantineDetails": "{\"state\":\"scan passed\",\"link\":\"http://test.io/test\"}" }'
I have followed this document: https://github.com/Azure/acr/tree/main/docs/preview/quarantine. Now I am getting unauthorized when sending the PATCH request. I am using a service connection which has the AcrQuarantineWriter role.
I passed an access token which had the quarantine read & write role to the PATCH method. I expected that quarantine would be removed for that image, but it gave an unauthorized action.
I tried in my environment and got below results:
I have a container registry with one image with quarantine policy "enabled".
I assigned the role ACRQuarantineWriter to my service principal to un-quarantine the flag, and I tried with Postman to get the bearer token:
Postman:
GET https://login.microsoftonline.com/tenant-id/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
grant_type:client_credential
resource:https://management.core.windows.net
We need to exchange this for an ACR token. This transaction involves two stages. The Azure AD token is first converted into an ACR refresh token, which is subsequently converted into an ACR access token.
Postman:
POST https://{acr name}.azurecr.io/oauth2/exchange
tenant : Azure AD Tenant ID
grant_type : access_token
service = {acr name}.azurecr.io
access_token = bearer token
Now using the refresh token, you need to get the access token.
Postman:
POST https://{acr name}.azurecr.io/oauth2/token
grant_type = refresh_token
service = name of your ACR repo including azurecr.io suffix
scope = repository:{acr}:pull, push
refresh_token = token from the previous step
Now you can use the PATCH method to un-quarantine the image:
https://{acrname}.azurecr.io/acr/latest/<repo name>/_manifests/sha256:963612c5503f3f1674f315c67089dee577d8cc6afc18565e0xxxxxxxxxxxxxxx
If you need to get the digest value, you can use the below command:
az acr repository show-manifests --name {ACR Name} --repository {repository name} --detail
On the Body tab, select "raw" and then "JSON" from the drop-down, and in the Body section enter JSON like below:
{
"quarantineState": "Passed",
"quarantineDetails": "{\"state\":\"scan passed\"}"
}
Portal:
In the portal, the image is no longer quarantined and is ready for use.
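The two-stage exchange described in the answer (Azure AD token to ACR refresh token, refresh token to ACR access token) and the final PATCH, written out as an added Python example that is not part of the question or the answer. The registry name, tenant id, repository, digest and all tokens are constructed placeholders, and the scope string follows the answer's `repository:<repo>:pull,push` form without checking which actions the AcrQuarantineWriter role actually needs. The HTTP transport is a function argument so the whole sequence can be run offline against a fake registry that returns 401 unless the PATCH carries the ACR access token, which is exactly the failure the question reports when the token never reaches the request.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen


def http_transport(method, url, headers, body):
    """Real transport: send the request and return (status, response text)."""
    req = Request(url, data=body, headers=headers, method=method)
    with urlopen(req) as resp:
        return resp.status, resp.read().decode()


def _post_form(registry, path, form, transport):
    """POST a form-encoded body to the registry's OAuth2 endpoint and parse the JSON reply."""
    status, text = transport(
        "POST",
        f"https://{registry}{path}",
        {"Content-Type": "application/x-www-form-urlencoded"},
        urlencode(form).encode(),
    )
    if status != 200:
        raise RuntimeError(f"{path} failed: HTTP {status}: {text}")
    return json.loads(text)


def exchange_aad_for_refresh_token(registry, tenant, aad_token, transport=http_transport):
    """Stage 1: /oauth2/exchange turns an Azure AD access token into an ACR refresh token."""
    form = {"grant_type": "access_token", "service": registry,
            "tenant": tenant, "access_token": aad_token}
    return _post_form(registry, "/oauth2/exchange", form, transport)["refresh_token"]


def get_acr_access_token(registry, refresh_token, scope, transport=http_transport):
    """Stage 2: /oauth2/token turns the refresh token into a scoped ACR access token."""
    form = {"grant_type": "refresh_token", "service": registry,
            "scope": scope, "refresh_token": refresh_token}
    return _post_form(registry, "/oauth2/token", form, transport)["access_token"]


def patch_quarantine_state(registry, repo, digest, access_token, details, transport=http_transport):
    """PATCH the manifest's quarantine attributes. quarantineDetails is a JSON *string*
    nested inside the JSON body, which is why it is dumped twice. Returns the HTTP status."""
    payload = {"quarantineState": "Passed", "quarantineDetails": json.dumps(details)}
    headers = {"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"}
    status, _ = transport("PATCH", f"https://{registry}/acr/v1/{repo}/_manifests/{digest}",
                          headers, json.dumps(payload).encode())
    return status


def unquarantine(registry, tenant, aad_token, repo, digest, transport=http_transport):
    """Run all three steps in order; returns the PATCH status code."""
    refresh = exchange_aad_for_refresh_token(registry, tenant, aad_token, transport)
    # scope format taken from the answer; assumption, not verified against the role definition
    access = get_acr_access_token(registry, refresh, f"repository:{repo}:pull,push", transport)
    return patch_quarantine_state(registry, repo, digest, access, {"state": "scan passed"}, transport)


class FakeRegistry:
    """Constructed offline stand-in for the registry: records every call and only
    accepts a PATCH that carries the access token it handed out."""

    def __init__(self):
        self.calls = []          # (method, url, headers, body) in order
        self.last_patch_body = None

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, dict(headers), body))
        if url.endswith("/oauth2/exchange"):
            return 200, json.dumps({"refresh_token": "fake-refresh"})
        if url.endswith("/oauth2/token"):
            return 200, json.dumps({"access_token": "fake-access"})
        if method == "PATCH" and "/_manifests/" in url:
            if headers.get("Authorization") != "Bearer fake-access":
                return 401, '{"errors":[{"code":"UNAUTHORIZED"}]}'
            self.last_patch_body = json.loads(body.decode())
            return 200, ""
        return 404, ""


if __name__ == "__main__":
    fake = FakeRegistry()
    print(unquarantine("cr.azurecr.io", "tenant-id", "aad-token", "msc-todo",
                       "sha256:" + "0" * 64, fake))   # 200 against the fake registry
```

Against the fake registry the run shows the ordering that matters: the PATCH is sent with the token from `/oauth2/token`, not with the Azure AD token and not with a literal `$acr_access_token` string. Sending the PATCH with any other bearer value returns 401, which is the symptom in the question; in the original curl the header is wrapped in single quotes, so the shell never expands the variable and the registry sees the literal name instead of the token. Replace the transport argument with the default to run it for real.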