az acr run --cmd "acr purge --help" is blocked by the registry firewall

alex 111 Reputation points
2021-03-29T20:44:02.337+00:00
$ az acr run --cmd "acr purge --help" /dev/null
Queued a run with ID: ca4
Waiting for an agent...
2021/03/29 20:11:29 Alias support enabled for version >= 1.1.0, please see https://aka.ms/acr/tasks/task-aliases for more information.
2021/03/29 20:11:29 Creating Docker network: acb_default_network, driver: 'bridge'
2021/03/29 20:11:29 Successfully set up Docker network: acb_default_network
2021/03/29 20:11:29 Setting up Docker configuration...
2021/03/29 20:11:30 Successfully set up Docker configuration
2021/03/29 20:11:30 Logging in to registry: ${REGISTRY_NAME}.azurecr.io
failed to login, ran out of retries: failed to set docker credentials: Error response from daemon: Get https://${REGISTRY_NAME}.azurecr.io/v2/: denied: client with IP '20.42.67.3' is not allowed access. Refer https://aka.ms/acr/firewall to grant access.
: exit status 1
Run ID: ca4 failed after 10s. Error: failed during run, err: exit status 1
Run failed

"Allow trusted Microsoft services to access this container registry" is checked. I am guessing that whitelisting various Azure IPs is not the right solution here. So what is?


5 answers

  1. vipullag-MSFT 26,492 Reputation points Moderator
    2021-03-30T11:25:27.55+00:00

    @alex

    From the issue description, I see the ACR name is not being referenced as a variable; rather, the variable name itself is being used. Ideally, the REST API call should not be to https://${REGISTRY_NAME}.azurecr.io/v2/ but to a real, valid ACR endpoint. I am not sure if you have changed this for privacy reasons while posting the question.

    Trusted Azure Services for ACR are only ACR Tasks, Azure ML and other ACRs. If that is checked, then only these will be allowed access. If the request is coming from elsewhere, then you have to mention the public IP address of the source or the CIDR from which it might be generated.

    Please check this document for details on the Trusted Services.

    Hope this helps.


  2. Peter Romfeld 1 Reputation point
    2022-02-01T12:32:47.957+00:00

    I am having a similar issue.

    We also have a registry with an IP whitelist and I am unable to run the acr run command.

    I tried with --auth-mode None and also made sure that trusted services are allowed, but to no avail (also, the client IP keeps changing) :(

    > az acr run --registry my-registry --cmd "acr purge --dry-run --untagged --ago 7d --keep 3 --filter \"my-image:.*\"" /dev/null
    
    Queued a run with ID: cb11
    Waiting for an agent...
    2022/02/01 12:28:40 Alias support enabled for version >= 1.1.0, please see https://aka.ms/acr/tasks/task-aliases for more information.
    2022/02/01 12:28:40 Creating Docker network: acb_default_network, driver: 'bridge'
    2022/02/01 12:28:40 Successfully set up Docker network: acb_default_network
    2022/02/01 12:28:40 Setting up Docker configuration...
    2022/02/01 12:28:40 Successfully set up Docker configuration
    2022/02/01 12:28:40 Logging in to registry: my-registry.azurecr.io
    failed to login, ran out of retries: failed to set docker credentials: Error response from daemon: Get "https://my-registry.azurecr.io/v2/": denied: client with IP '52.178.20.38' is not allowed access. Refer https://aka.ms/acr/firewall to grant access.
    : exit status 1
    
    > az acr run --auth-mode None --registry my-registry --cmd "acr purge --dry-run --untagged --ago 7d --keep 3 --filter \"my-image:.*\"" /dev/null
    
    Queued a run with ID: cb12
    Waiting for an agent...
    2022/02/01 12:29:03 Alias support enabled for version >= 1.1.0, please see https://aka.ms/acr/tasks/task-aliases for more information.
    2022/02/01 12:29:03 Creating Docker network: acb_default_network, driver: 'bridge'
    2022/02/01 12:29:03 Successfully set up Docker network: acb_default_network
    2022/02/01 12:29:03 Setting up Docker configuration...
    2022/02/01 12:29:04 Successfully set up Docker configuration
    2022/02/01 12:29:04 Executing step ID: acb_step_0. Timeout(sec): 600, Working directory: '', Network: 'acb_default_network'
    2022/02/01 12:29:04 Launching container with name: acb_step_0
    Error: unable to resolve authentication, missing identity token or password
    

    My azure-cli:

    > az --version
    
    azure-cli                         2.32.0
    
    core                              2.32.0
    telemetry                          1.0.6
    
    Dependencies:
    msal                              1.16.0
    azure-mgmt-resource               20.0.0
    
    Python location '/nix/store/i6vabb4div9iy6lsl642d86k1q8riasn-python3-3.9.9/bin/python3.9'
    Extensions directory '/home/peter/.azure/cliextensions'
    
    Python (Linux) 3.9.9 (main, Nov 15 2021, 18:05:17) 
    [GCC 10.3.0]
    
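Added example, not part of any answer in this thread: a small triage script that separates the two failure modes seen in the run logs above (the registry firewall denial and the missing-credentials error from the `--auth-mode None` run) and checks the denied agent IP against an allowlist. The function name `triage`, the sample strings and the allowlist range are assumptions constructed for illustration.

```python
import ipaddress
import re

# Patterns taken from the run logs quoted in this thread.
DENIED = re.compile(r"denied: client with IP '([^']+)' is not allowed access")
NO_CRED = re.compile(r"unable to resolve authentication, missing identity token or password")
RUN_ID = re.compile(r"Queued a run with ID: (\S+)")


def triage(log_text, allowed_cidrs=()):
    """Classify one `az acr run` log and report the denied agent IP, if any."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    run = RUN_ID.search(log_text)
    result = {"run_id": run.group(1) if run else None,
              "cause": "unknown", "client_ip": None, "in_allowlist": None}
    denied = DENIED.search(log_text)
    if denied:
        result["cause"] = "firewall_denied"
        result["client_ip"] = denied.group(1)
        try:
            ip = ipaddress.ip_address(denied.group(1))
            result["in_allowlist"] = any(ip in n for n in nets)
        except ValueError:
            # Redacted address such as '4.XXX.XXX.XXX': keep the raw string only.
            pass
    elif NO_CRED.search(log_text):
        result["cause"] = "no_registry_credentials"
    return result


# Constructed sample input: lines copied from the logs above, trimmed.
SAMPLE_DENIED = """Queued a run with ID: cb11
2022/02/01 12:28:40 Logging in to registry: my-registry.azurecr.io
failed to login, ran out of retries: failed to set docker credentials: Error response from daemon: Get "https://my-registry.azurecr.io/v2/": denied: client with IP '52.178.20.38' is not allowed access. Refer https://aka.ms/acr/firewall to grant access.
"""
SAMPLE_NO_CRED = """Queued a run with ID: cb12
2022/02/01 12:29:04 Launching container with name: acb_step_0
Error: unable to resolve authentication, missing identity token or password
"""
ALLOWED = ["203.0.113.0/24"]  # constructed allowlist (documentation range)

if __name__ == "__main__":
    for sample in (SAMPLE_DENIED, SAMPLE_NO_CRED):
        print(triage(sample, ALLOWED))
```

Running it over several run logs shows whether the denied address changes from run to run, which is the behaviour reported above.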

  3. Anonymous
    2022-10-20T14:03:21.307+00:00

    Same issue here. After enabling the firewall on ACR, our purge task no longer works. The agents will fail, not being able to connect to the registry. However, I have checked that trusted Microsoft services should be allowed to access.


  4. Richard Sanderson-Pope 0 Reputation points
    2023-11-22T07:46:17.6466667+00:00

    I was suffering the same issue but in my case, it was on a basic instance of ACR with no explicit security set up. In my case, I found that the solution was adding -r <REGISTRY_NAME> to the acr purge command. The following command has worked for me.

    az acr run --registry <REGISTRY_NAME> --cmd 'acr purge -r <REGISTRY_NAME> --filter ''.*:.*'' --dry-run --keep 10 --ago 100d --untagged' /dev/null
    

  5. SudhirKumar Sampathkumar 25 Reputation points
    2025-04-02T22:29:56.2433333+00:00

    @vipullag-MSFT I read the posts above, but it seems no solution was found. My ACR has private endpoints, but when I try running the Azure CLI task

            - task: AzureCLI@2
              displayName: azureclitask
              inputs:
                azureSubscription: ${{ variables.armServiceConnection }}
                scriptType: bash
                scriptLocation: inlineScript
                inlineScript: |
                  az acr run --registry acrsharedcscrdevcnc01 --cmd 'acr purge --help' /dev/null
    
    
    

    But I got the below response

    WARNING: Queued a run with ID: cx3
    WARNING: Waiting for an agent...
    2025/04/02 20:02:39 Alias support enabled for version >= 1.1.0, please see https://aka.ms/acr/tasks/task-aliases for more information.
    2025/04/02 20:02:39 Creating Docker network: acb_default_network, driver: 'bridge'
    2025/04/02 20:02:39 Successfully set up Docker network: acb_default_network
    2025/04/02 20:02:39 Setting up Docker configuration...
    2025/04/02 20:02:40 Successfully set up Docker configuration
    2025/04/02 20:02:40 Logging in to registry: acr.azurecr.io
    failed to login, ran out of retries: failed to set docker credentials: Error response from daemon: Get "https://acrsharedcscrdevcnc01.azurecr.io/v2/": denied: client with IP '4.XXX.XXX.XXX' is not allowed access. Refer https://aka.ms/acr/firewall to grant access. CorrelationId: 99857da8-3f13-4fb0-a1ae-a3645b25e40d
    : exit status 1
    
    

    Any help would be appreciated. I'm running the Microsoft-hosted agent pool, so it does have connectivity into the Azure subscription and ACR.
