How to get ACR access token from AAD token using Managed Identity

Question

How to get ACR access token from AAD token using Managed Identity

PS 170

Hi,
I am trying to fetch ACR refresh token using AAD token using managed identity

But the oauth2/exchange http call fails with 403 error

 &{403 Forbidden 403 HTTP/1.1 1 1 map[Connection:[keep-alive] Content-Length:[310] Content-Type:[application/json] Date:[Wed, 01 May 2024 07:51:48 GMT] Server:[AzureContainerRegistry] Strict-Transport-Security:[max-age=31536000; includeSubDomains] X-Ms-Correlation-Request-Id:[1b578ccc-ae58-483a-a9bd-764f3b6e11eb] X-Ms-Ratelimit-Remaining-Calls-Per-Second:[333.2]] 0xc0009f56c0 310 [] false false map[] 0xc0007a6700 0xc00077f290}

Below is the golang code snippet used


cred, err := azidentity.NewManagedIdentityCredential(nil)

ctx2 := context.Background()
aadToken, err := cred.GetToken(ctx, policy.TokenRequestOptions{
Scopes: []string{"https://management.azure.com/.default"}})
	
tenantId := "xxx"
acrService := "xxx.azurecr.io"
formData := url.Values{
		"grant_type":   {"access_token"},
		"service":      {acrService},
		"tenant":       {tenantId},
		"access_token": {aadToken.Token},
}

jsonResponse, err := http.PostForm(fmt.Sprintf("https://%s/oauth2/exchange", acrService), formData)

Do we need to enable any specific roles on the managed identity to fetch ACR refresh token

Answer accepted by question author

0 additional answers

Your answer

Answer 1

Dan Rios 2,040 MVP

You need to at least assigned the 'acrPull' role to the managed identity you want to use to pull the image (assuming to Azure Container Apps by your tag).

https://learn.microsoft.com/en-us/azure/container-registry/container-registry-roles?tabs=azure-cli&WT.mc_id=MVP_319025

Role/Permission	Access Resource Manager	Create/delete registry	Push image	Pull image	Delete image data	Change policies	Sign images
Owner	X	X	X	X	X	X
Owner	X	X	X	X	X	X
Contributor	X	X	X	X	X	X
Reader	X			X
AcrPush			X	X
AcrPull				X
AcrDelete					X
AcrImageSigner							X

Go to the ACR Resource > Access Control (IAM) > Add > Add role assignment > role: acrPull (and acrPush if required to push images) > Members tab: Select Managed Identity and select the system-assigned MI you want to use > review + assign to complete

PS 170 Reputation points

2024-05-02T06:39:22.08+00:00

Thanks @Dan Rios for a quick response.
I am still facing same error even after assigning 'acrPull' and 'Reader' role to the managed identity.
I have assigned the role at the scope of "Resource Group". Is this scope correct ?

Please note:
The above tests were run on "Azure Container Instances" but I am facing the same issue on "Azure Container Apps" as well. I need this functionality for both Azure Container Apps and Azure Container Instances.
Can you please confirm if we can use the same implementation for both "Azure Container Instances" and "Azure Container Apps".

(updated the tag on the ticket to include ACI)
Dan Rios 2,040 Reputation points MVP

2024-05-02T06:47:17.45+00:00

Ah okay. So you need to go to the Azure Container Registry resource not the container instance.

When you’re at the ACR resource then on the Access Control you need to add the managed identity object of the Azure Container Instance as acrPull on the ACR IAM, then you can retry.

The process will be the same for anything AKS, ACA or ACI.

You’re giving the managed identity of the resource that needs access to the ACR permissions to pull the image from the registry.

does that resource group include your ACR?
PS 170 Reputation points

2024-05-02T08:54:45.1233333+00:00

Thanks @Dan Rios

I doubt if we could take the route of Assigning managed identity "acrRole" at the registry level .
Is there any other way to authenticate a acr registry using golang.

My primary requirement is to fetch the image details, basically image ID and image SHA from a running container in ACA / ACI
Dan Rios 2,040 Reputation points MVP

2024-05-02T09:30:32.61+00:00

If you have say an Azure Container Instance and you want to get image info/login to the ACR/pull a new image from ACR to ACI/ACA then the resource managed identity (ACI/ACA in this case) needs to have acrPull role assigned to the ACR so it can authenticate.

I am not too familiar with go but if it's just leveraging the MI to authenticate then this should be fine. Unless I am misunderstanding the requirements, then I apologise for the confusion.

There's some good info here which may be of interest:

https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication-managed-identity?tabs=azure-cli

https://learn.microsoft.com/en-us/azure/container-apps/managed-identity-image-pull?tabs=azure-cli&pivots=azure-portal

Golang guide specifically with MI & ACA access to an ACR:

https://samkreter.medium.com/managed-identities-with-azure-container-instance-golang-c98911206328

Hope it helps you out
PS 170 Reputation points

2024-05-02T15:19:54.0766667+00:00

Thanks @Dan Rios for your prompt help.
I'll look into the references
PS 170 Reputation points

2024-06-17T08:33:36.01+00:00
Hi @Dan Rios , As suggested by you, I have tried to add the role on the ACR resource, but I am still getting the unauthorised error.

{401 Unauthorized %!s(int=401) HTTP/1.1 %!s(int=1)

Primarily I am trying to fetch acr_access token from acr_refresh token. I could successfully fetch the refresh token by assigning acrPull role assigned to the ACR. However, fetching acr_access token fails with the above error.

I am referring https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#calling-post-oauth2token-to-get-an-acr-access-token to fetch the access token.

can you please suggest if I am still missing any roles. I have added some additional roles as well to get rid of error, but no luck
PS 170 Reputation points

2024-06-19T08:54:43.4366667+00:00

Quick update on this.
I was using the incorrect link to fetch Access token from refresh token. Setting the correct link helped to resolve the issue .

Share via

How to get ACR access token from AAD token using Managed Identity

0 additional answers

Your answer