Cannot push to Azure Container Registry
Answered
The docs say that it is possible to push docker images to ACR by setting up a Docker Registry connection in the project. However, although the docker build step works, the docker push step fails with: "denied: requested access to the resource is denied"
The connection is supposed to cause a login to the registry at the start of the build but this appears to not be happening since I cannot see it in the build log and the error above sounds like it is not logged in.
Did I miss a setup step?
Please sign in to leave a comment.
Hi Luke,
did you add the Docker Support build feature with the required connection for the build configuration?
Hi Nadia, I have set all of that up.
This is a really simple build, just to get the Docker pipeline up and running so there shouldn't be anything weird in the docker file etc.
Sorry, but just to be sure - you added a build feature and selected checkbox `Log in to the Docker registry before the build`?
Do you see any errors in a build log in Verbose mode? Could you please also check teamcity-agent.log? Do you see any warnings there?
If everything configured correctly you should see in teamcity-agent.log the following line:
The TC log shows the following entry against the builds:
[2019-09-06 11:12:44,740] INFO - rains.buildServer.AGENT.DOCKER - Run: cmd.exe /c "docker login -u "******" --password-stdin example.azurecr.io"
[2019-09-06 11:12:45,140] INFO - uildStages.BuildStagesExecutor - Call stage jetbrains.buildServer.agent.impl.buildStages.startStages.CleanAgentTempDirectoryStage
teamcity-agent.log doesn't show any warnings or errors for the build, although the web UI shows the permission error.
The agent was able to log-in under the specified user before a build without any errors. Could you please try to push under the same user manually in a command line without any problems (e.g., manually execute `docker login XXX` and after that `docker push`)?
OK, I found the issue which is not TeamCity as such (although the UI and docs probably need updating to be clearer).
When using Azure Container registry (and it looks like Docker Hub is the same according to Google), after building the image, you need to tag it with the URL of the registry like:
docker tag dockerservice1:v1.0 example.azurecr.io/dockerservice1:v1.0
Then you can push it to the remote registry! I guess that the URL itself does not identify the actual registry, it needs to be in the tag. Once this is done, the image is correctly listed in Azure and the registry URL is not included in the repo name or version. It just shows as dockerservice1 and v1.0
Thank you for letting us know, and I'm glad that you were able to solve the issue.