skopeo: Authenticating with Azure via az acr login seems broken?

I executed:

az acr login
skopeo copy docker://xyz.azurecr.io/... docker://xyz.azurecr.io/...

and I expected Skopeo to successfully copy from the source to the destination. Instead I got this output:

Getting image source signatures
FATA[0001] trying to reuse blob sha256:339de151aab4bc06eed8409daae147c408478cb538dacb90cc63f19ad4eba80b at destination: unable to retrieve auth token: invalid username/password: unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information. 

The only way I can seem to get skopeo to use credentials with Azure is:

az acr login -n xyz --expose-token \
    | jq -r '.accessToken' \
    | skopeo login haildev.azurecr.io \
      --username 00000000-0000-0000-0000-000000000000 \
      --password-stdin
skopeo copy docker://xyz.azurecr.io/... docker://xyz.azurecr.io/...

Is this the expected behavior?

I’m on Mac OS X 11.6

(base) # skopeo --version
skopeo version 1.5.1
(base) # az --version
azure-cli                         2.30.0 *

core                              2.30.0 *
telemetry                          1.0.6

Python location '/usr/local/Cellar/azure-cli/2.30.0_1/libexec/bin/python'
Extensions directory '/Users/dking/.azure/cliextensions'

Python (Darwin) 3.10.0 (default, Oct 13 2021, 06:45:00) [Clang 13.0.0 (clang-1300.0.29.3)]

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 4
  • Comments: 24 (1 by maintainers)

Most upvoted comments

Hello, I have the same issue with Azure ACR credentials, but only when using tokens to connect instead of an accessKey (user+password). I tried:

  • Both Azure user+pwd and tokenName+secret with docker -> OK
  • user+pwd with skopeo -> OK
  • tokenName+secret -> KO

For me the issue is not in the tokenName+Secret, because I am able to use them in docker and it works.

When I add debug info in the src code, the error message of Azure registry is:

**HTTP/1.1 401 Unauthorized**
Server: openresty
Date: ......
Content-Type: application/json; charset=utf-8
Content-Length: 221
Connection: keep-alive
Access-Control-Expose-Headers: Docker-Content-Digest
Access-Control-Expose-Headers: WWW-Authenticate
Access-Control-Expose-Headers: Link
Access-Control-Expose-Headers: X-Ms-Correlation-Request-Id
Docker-Distribution-Api-Version: registry/2.0
Strict-Transport-Security: max-age=31536000; includeSubDomains
Www-Authenticate: Bearer realm="https://XXXXX.azurecr.io/oauth2/token",service="XXXXXX.azurecr.io",scope="repository:ZZZZZZZZZZZZ:metadata_read",error="**insufficient_scope**"
X-Content-Type-Options: nosniff
X-Ms-Correlation-Request-Id: 654321-654654-321654-a914-987654651321
Strict-Transport-Security: max-age=31536000; includeSubDomains

{"errors":[{"code":"UNAUTHORIZED","message":"authentication required, visit https://aka.ms/acr/authorization for more information.","detail":[{"Type":"repository","Name":"XXXXXXXX","Action":"metadata_read"}]}]}

The only difference I noted with the legitimate call is the content of the Bearer token, which has no Role in the invalid call.

Hope it will help
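A triage aid for the 401 response above, added here as an example; it is not code from this thread or from skopeo. It parses the `Www-Authenticate` challenge and lists which requested scope actions the bearer token does not grant. It assumes the token is a JWT carrying the Docker registry token format's `access` claim; the registry and repository names, the helper names and the demo token are constructed placeholders.

```python
import base64
import json
import re

# Challenge in the form shown in the 401 response above (constructed placeholder values).
CHALLENGE = ('Bearer realm="https://example.azurecr.io/oauth2/token",'
             'service="example.azurecr.io",'
             'scope="repository:myrepo:metadata_read",error="insufficient_scope"')


def parse_challenge(header):
    """Split a Bearer challenge into its key="value" parameters."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    return dict(re.findall(r'(\w+)="([^"]*)"', params))


def parse_scope(scope):
    """'repository:name:act1,act2' -> (type, name, {actions}); name may contain ':'."""
    rtype, rest = scope.split(":", 1)
    name, actions = rest.rsplit(":", 1)
    return rtype, name, set(actions.split(","))


def jwt_claims(token):
    """Decode the JWT payload without verifying the signature (inspection only)."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def missing_actions(challenge_header, token):
    """Actions the challenge asks for that the token's 'access' claim does not grant."""
    rtype, name, wanted = parse_scope(parse_challenge(challenge_header)["scope"])
    granted = set()
    for entry in jwt_claims(token).get("access") or []:
        if entry.get("type") == rtype and entry.get("name") == name:
            granted |= set(entry.get("actions") or [])
    return sorted(wanted - granted)


def make_token(access):
    """Build an unsigned, constructed JWT for the demo (not a real ACR token)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"access": access}), "sig"])


if __name__ == "__main__":
    print(missing_actions(CHALLENGE, make_token([])))  # token with an empty access list
```

Access tokens are credentials, so run this locally and keep the token out of shell history and logs.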