Search code examples
dockerauthenticationazure-container-registry

Using Tokens from an Azure Container Registry to Call the /_tags Endpoint

Edit

I've added an issue on github for this Azure ACR Repo. I think Tokens just came out of Preview and this may be a bug.

Edit 2

That github isn't for posting issues... I have to figure out how to create a support ticket which is buried under some custom 'Support Request Contributor' role in the IAM interface. Why is it so hard to report bugs!?

Original I have generated an access token for my Azure Container Registry (ACR) using the Token Menu. I would like to use this access token to call the /_tags endpoint for a specific image in the registry, but I am not sure how to do this.

I can use the token to login using the docker login command in powershell, but the only way I've been able to get the api call to work is by using the admin account credentials.

Token menu item screen shot

Can someone provide guidance on how to use the access token to call the /_tags endpoint Get List - Rest API Docs for an image in the ACR?

Here is the code I have tried so far, it returns 401 Unauthorized: (Note: I've also tried generating a bearer token using : https://myRegistry.azurecr.io/oauth2/token?service=myRegistry.azurecr.io&scope=registry:catalog:* and using that for authentication. I got the token but the results are the same.)

var registryUrl = "https://myRegistry.azurecr.io";

// Set up the HTTP client
var httpClient = new HttpClient();
httpClient.BaseAddress = new Uri(registryUrl);
byte[] byteArray = Encoding.ASCII.GetBytes($"tokenName:tokenPassword"); //given by the azure token interface
client.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Basic",Convert.ToBase64String(byteArray));

// Call the /_tags endpoint to retrieve the list of tags for the image
var imageReference = "my-image";
var response = await httpClient.GetAsync($"/acr/v1/{imageReference}/_tags");
if (response.IsSuccessStatusCode)
{
    var json = await response.Content.ReadAsStringAsync();
    var imageTagResponse= JsonConvert.DeserializeObject<DockerImageRegistryResponse>(json);
    foreach (var tag in imageTagResponse.Tags)
    {
        Console.WriteLine(tag.Name);
    }
}

The error I get back:

{
    "errors": [
        {
            "code": "UNAUTHORIZED",
            "message": "authentication required, visit https://aka.ms/acr/authorization for more information.",
            "detail": [
                {
                    "Type": "repository",
                    "Name": "my-image",
                    "Action": "metadata_read"
                }
            ]
        }
    ]
}

I thought maybe the "Action" was a clue so I created a custom scope for the Token that explicitly included "metadata_read" but that didn't help.

Solution

  • When using tokens with a container registry, you need to authenticate via the oauth/token API of the container registry. Using the API you can create a bearer token to authenticate the token request against the registry.

    More details can be found on https://github.com/Azure/acr/issues/676 and https://azure.github.io/acr/Token-BasicAuth.html#using-the-token-api