Skip to content

Connect to ACR

Connecting to the ACR

ACR stands for Azure Container Registry and it is a place where most images used in the job service are to be located. When developing new applications or scripts that should run in the job service it may be beneficial to be able to pull a source image to your local machine so that it can be run locally. This guide should show you how that is done. We will show how to connect to the development instance of ACR, which is used in the DEV environment. Theroretically the same approach could be used for the production ACR too, but it is less likely that you should need to use that for development purposes. Therefore we will focus on the development instance called dhiacrdev.

Azure CLI

In this guide we will use Azure CLI commands (CLI stands for "command line interface"). These commands can be installed into your shell of choice such as Powershell or Linux bash. Run the commands below or do a google search on how to install Azure CLI to your machine

run this as administrator, also see link 

$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; rm .\AzureCLI.msi

see link 

curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

Login into Azure AD

First, you need to have a user account in the Azure Active directory instance. Try to run 

az login
command in your shell. The command should open a browser window, where you should be able to login using your company credentials. If the login fails, please contact wdpservice@dhigroup.com with a request to be invited into Azure AD (please reference this guide for context). When your login works correctly, the command may output something like this:

pazy@PAZY-PC2:~$ az login
The default web browser has been opened at https://login.microsoftonline.com/common/oauth2/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with `az login --use-device-code`.
You have logged in. Now let us find all the subscriptions to which you have access...
The following tenants don't contain accessible subscriptions. Use 'az login --allow-no-subscriptions' to have tenant level access.
4c2ebde0-11c8-45fa-9a22-3be5b8203a88 'DHIGROUP-DEV-EXT'
78aea235-5504-473a-b023-17438be8cf2e 'MIKE Cloud'
[
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "cbcfe570-7589-4ed8-844e-d936f2572baf",
    "id": "e5ddb639-acd4-4a7d-8692-bb95191e8984",
    "isDefault": false,
    "managedByTenants": [],
    "name": "DHI - MIKE - PROD",
    "state": "Enabled",
    "tenantId": "cbcfe570-7589-4ed8-844e-d936f2572baf",
    "user": {
      "name": "pazy@dhigroup.com",
      "type": "user"
    }
  },
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "cbcfe570-7589-4ed8-844e-d936f2572baf",
    "id": "b7983fd2-3846-4d9d-9c07-0497ed935ab1",
    "isDefault": false,
    "managedByTenants": [],
    "name": "p11095675 VM templates",
    "state": "Enabled",
    "tenantId": "cbcfe570-7589-4ed8-844e-d936f2572baf",
    "user": {
      "name": "pazy@dhigroup.com",
      "type": "user"
    }
  },

In some cases your account may be associated with multiple Azure AD instances. In that case it may be necessary to run 

az account set --subscription="DHI - MIKE - DEV"
to indicate you wish to work in the context of the MIKE DEV susbcription, where the development instance of ACR is located.

Get access token

Now that you can login into the Azure, you can try to login into the ACR itself. You need to be explicitly granted access to it. Try running 

az acr login -n dhiacrdev --expose-token
to login into the development instance of ACR. If the login fails, you need to ask for privileges - please contact wdpservice@dhigroup.com and reference this guide for context. If the login works, you should see a response like this

pazy@PAZY-PC2:~$ az acr login -n dhiacrdev --expose-token
You can perform manual login using the provided access token below, for example: 'docker login loginServer -u 00000000-0000-0000-0000-000000000000 -p accessToken'
{
  "accessToken": "eyJhbGciOiJ...",
  "loginServer": "dhiacrdev.azurecr.io"
}
The command returns a JSON object with an access token. We will need the token for further steps, so let's store it in a variable

$response=az acr login -n dhiacrdev --expose-token
$token=($response | ConvertFrom-Json).accessToken

this uses jq to parse json objects, use sudo apt install jq to install it 

response=$(az acr login -n dhiacrdev --expose-token)
token=$(echo $response | jq -r '.accessToken')

Docker login

Now that you have method of authenticating against the remote repository, you can connect it to your local container repository. In many cases you might be using Docker Desktop to develop and run container images, but there are also alternatives like podman. Execute the following command to be able to be able to pull from images "dhiacrdev" registry.

docker login dhiacrdev.azurecr.io --password $token --username=00000000-0000-0000-0000-000000000000

podman login dhiacrdev.azurecr.io -u 00000000-0000-0000-0000-000000000000 -p $token

The empty guid is not an error, it is by design (in this case it is the token that contains the user id).

Pull image

Now you should be able to execute a pull command to get the image you want.

docker pull dhiacrdev.azurecr.io/dhi-spahost:20220520.1-main

podman pull dhiacrdev.azurecr.io/dhi-spahost:20220520.1-main