How to get ACR access token from AAD token using Managed Identity

PS 65 Reputation points
2024-05-01T07:55:59.0233333+00:00

Hi,
I am trying to fetch an ACR refresh token using an AAD token obtained via managed identity.

But the oauth2/exchange HTTP call fails with a 403 error:

 &{403 Forbidden 403 HTTP/1.1 1 1 map[Connection:[keep-alive] Content-Length:[310] Content-Type:[application/json] Date:[Wed, 01 May 2024 07:51:48 GMT] Server:[AzureContainerRegistry] Strict-Transport-Security:[max-age=31536000; includeSubDomains] X-Ms-Correlation-Request-Id:[1b578ccc-ae58-483a-a9bd-764f3b6e11eb] X-Ms-Ratelimit-Remaining-Calls-Per-Second:[333.2]] 0xc0009f56c0 310 [] false false map[] 0xc0007a6700 0xc00077f290}

Below is the Go code snippet used:

package main

import (
    "context"
    "fmt"
    "net/http"
    "net/url"

    "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
    "github.com/Azure/azure-sdk-for-go/sdk/azidentity"
)

func main() {
    cred, err := azidentity.NewManagedIdentityCredential(nil) // system-assigned managed identity
    if err != nil {
        panic(err)
    }
    ctx := context.Background()
    aadToken, err := cred.GetToken(ctx, policy.TokenRequestOptions{
        Scopes: []string{"https://management.azure.com/.default"}})
    if err != nil {
        panic(err)
    }
    tenantId, acrService := "xxx", "xxx.azurecr.io"
    formData := url.Values{
        "grant_type":   {"access_token"},
        "service":      {acrService},
        "tenant":       {tenantId},
        "access_token": {aadToken.Token},
    }
    // exchange the AAD token for an ACR refresh token and print the raw response
    jsonResponse, err := http.PostForm(fmt.Sprintf("https://%s/oauth2/exchange", acrService), formData)
    if err != nil {
        panic(err)
    }
    fmt.Println(jsonResponse)
}

Do we need to enable any specific roles on the managed identity to fetch an ACR refresh token?


Accepted answer
  1. Dan Rios 1,425 Reputation points MVP
    2024-05-01T15:18:14.21+00:00

    You need to at least assign the 'acrPull' role to the managed identity you want to use to pull the image (assuming Azure Container Apps, by your tag).

    https://learn.microsoft.com/en-us/azure/container-registry/container-registry-roles?tabs=azure-cli&WT.mc_id=MVP_319025

    | Role/Permission | Access Resource Manager | Create/delete registry | Push image | Pull image | Delete image data | Change policies | Sign images |
    |---|---|---|---|---|---|---|---|
    | Owner | X | X | X | X | X | X | |
    | Contributor | X | X | X | X | X | X | |
    | Reader | X | | | X | | | |
    | AcrPush | | | X | X | | | |
    | AcrPull | | | | X | | | |
    | AcrDelete | | | | | X | | |
    | AcrImageSigner | | | | | | | X |
    • Go to the ACR Resource > Access Control (IAM) > Add > Add role assignment > role: acrPull (and acrPush if required to push images) > Members tab: Select Managed Identity and select the system-assigned MI you want to use > review + assign to complete
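As an added example (not code from the question or from the answer), the exchange in the question can be wrapped so that the registry's reply is actually decoded: a 200 yields the refresh_token, while a 401/403 surfaces the registry's JSON error body instead of the raw *http.Response dump, which is what you want to see while the AcrPull assignment from the accepted answer is still missing. The 403 body used in main is a constructed stand-in, not a real ACR message.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// exchangeForm builds the form body for POST https://<registry>/oauth2/exchange,
// which trades an AAD access token for an ACR refresh token (same fields as the question).
func exchangeForm(service, tenantID, aadToken string) url.Values {
	return url.Values{
		"grant_type":   {"access_token"},
		"service":      {service},
		"tenant":       {tenantID},
		"access_token": {aadToken},
	}
}

// parseExchangeResponse returns the refresh_token on HTTP 200. Any other status becomes
// an error carrying the registry's JSON body, so a 403 from a missing AcrPull assignment
// shows its reason instead of the opaque *http.Response dump in the question.
func parseExchangeResponse(resp *http.Response) (string, error) {
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<16))
	if err != nil {
		return "", err
	}
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("oauth2/exchange: HTTP %d: %s", resp.StatusCode, strings.TrimSpace(string(body)))
	}
	var payload struct {
		RefreshToken string `json:"refresh_token"`
	}
	if err := json.Unmarshal(body, &payload); err != nil || payload.RefreshToken == "" {
		return "", fmt.Errorf("oauth2/exchange: no refresh_token in %q (%v)", body, err)
	}
	return payload.RefreshToken, nil
}

func main() {
	// Constructed 403 reply standing in for the registry (nothing real is contacted; the body is a made-up sample).
	resp := &http.Response{StatusCode: http.StatusForbidden,
		Body: io.NopCloser(strings.NewReader(`{"errors":[{"code":"DENIED","message":"constructed sample"}]}`))}
	_, err := parseExchangeResponse(resp)
	fmt.Println(err)
}
```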
