Using private networking setup, docker/login-action says access denied to IP address
Contributing guidelines
- [X] I've read the contributing guidelines and wholeheartedly agree
I've found a bug, and:
- [X] The documentation does not mention anything about my problem
- [X] There are no open or closed issues that are related to my problem
Description
I'm following the instructions here to configure private networking in GitHub so I can use GitHub-hosted runners to deploy to resources behind a private IP. I'm hoping to use this feature so as not to have to create and maintain self-hosted runners.
https://docs.github.com/en/organizations/managing-organization-settings/configuring-private-networking-for-github-hosted-runners-in-your-organization
The azure/login has its own problems, but worked after I removed the NSG (which is another issue and I have to find a way around it). But even with the NSG removed, the docker/login-action step fails. There is no firewall. There is no private IP involved yet.
Expected behaviour
docker/login-action should log in to access my Azure Container Registry. As the link supplied in the description says, GitHub created a NIC and is connecting inside the VNET. So there should be no need to explicitly open access through use of an NSG or firewall setting, as far as I can tell.
Actual behaviour
Error: Error response from daemon: Get "https://***/v2/": denied: client with IP '13.68.227.248' is not allowed access. Refer https://aka.ms/acr/firewall to grant access.
Repository URL
No response
Workflow run URL
No response
YAML workflow
on:
  workflow_dispatch:
  #[push]
name: Linux_Container_Workflow
permissions:
  id-token: write
  contents: read
jobs:
  build-and-deploy:
    runs-on: LinuxRunner
    steps:
      # checkout the repo
      - name: 'Checkout GitHub Action'
        uses: actions/checkout@main
      - name: 'Login via Azure CLI'
        uses: azure/[email protected]
        with:
          # client-id: ${{ secrets.AZURE_CLIENT_ID }}
          # tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          # subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          # creds: ${{ secrets.AZURE_CREDENTIALS }}
          creds: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'
      - name: Azure CLI script
        uses: azure/cli@v2
        with:
          azcliversion: latest
          inlineScript: |
            az account show
      - name: 'Build and push image'
        uses: docker/login-action@v3
        with:
          registry: ${{ secrets.REGISTRY_LOGIN_SERVER }}
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}
      - run: |
          docker build . -t ${{ secrets.REGISTRY_LOGIN_SERVER }}/integrationAPI:${{ github.sha }}
          docker push ${{ secrets.REGISTRY_LOGIN_SERVER }}/integrationAPI:${{ github.sha }}
      - name: 'Deploy to Azure Container Instances'
        uses: 'azure/aci-deploy@v1'
        with:
          resource-group: ${{ secrets.RESOURCE_GROUP }}
          dns-name-label: ${{ secrets.RESOURCE_GROUP }}${{ github.run_number }}
          image: ${{ secrets.REGISTRY_LOGIN_SERVER }}/integrationAPI:${{ github.sha }}
          registry-login-server: ${{ secrets.REGISTRY_LOGIN_SERVER }}
          registry-username: ${{ secrets.REGISTRY_USERNAME }}
          registry-password: ${{ secrets.REGISTRY_PASSWORD }}
          name: integrationAPI
          location: 'east us'
Workflow logs
BuildKit logs
No response
Additional info
The ACR is in its own subnet, and the configuration for the GitHub access is in another, in the same VNET.
Update: I created three new outgoing NSG rules to see if it would allow access to login.microsoftonline.com for the action/login issue I mentioned:
- AllowAzureCloudOutbound - Any/* -> Service Tag/AzureCloud HTTPS Allow 100
- AllowAzureADOutbound - Any/* -> Service Tag/AzureActiveDirectory HTTPS Allow 110
- AllowAzureFrontDoorOutbound - Any/* -> Service Tag/AzureFrontDoor.Frontend HTTPS Allow 100
The documentation in the link supplied did not have these rules. It seems this solved the docker/action-login issue as well as the azure/login issue. I'm going to test some more, but at this moment this appears to be the fix.
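The three outbound rules from the update, written as Azure CLI calls; this is an added example, not the issue author's commands. RESOURCE_GROUP and NSG_NAME are placeholders, and the third rule's priority of 120 is an assumption: Azure requires rule priorities to be unique within one NSG, so the two rules listed above at 100 cannot both be created as written.

```shell
#!/bin/sh
# Added example (not from the issue author): recreate the three outbound NSG rules
# described in the update with the Azure CLI. RESOURCE_GROUP and NSG_NAME are
# placeholders that must be set; priority 120 on the third rule is an assumption,
# since NSG rule priorities must be unique and the original list shows 100 twice.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-<your-resource-group>}"
NSG_NAME="${NSG_NAME:-<runner-subnet-nsg>}"

# Print one 'az network nsg rule create' command that allows outbound TCP/443 from
# any source in the subnet to an Azure service tag.
# Arguments: rule name, destination service tag, priority.
nsg_rule_cmd() {
  printf '%s' "az network nsg rule create" \
    " --resource-group '$RESOURCE_GROUP' --nsg-name '$NSG_NAME'" \
    " --name '$1' --priority $3 --direction Outbound --access Allow" \
    " --protocol Tcp --source-address-prefixes '*' --source-port-ranges '*'" \
    " --destination-address-prefixes '$2' --destination-port-ranges 443"
  printf '\n'
}

# The three rules from the update: name, destination service tag, priority.
emit_rules() {
  nsg_rule_cmd AllowAzureCloudOutbound     AzureCloud              100
  nsg_rule_cmd AllowAzureADOutbound        AzureActiveDirectory    110
  nsg_rule_cmd AllowAzureFrontDoorOutbound AzureFrontDoor.Frontend 120
}

# Dry run by default: print the commands for review. Pass --apply to execute them
# (requires a logged-in Azure CLI with rights on the NSG).
if [ "${1:-}" = "--apply" ]; then
  emit_rules | while IFS= read -r cmd; do sh -c "$cmd"; done
else
  emit_rules
fi
```

Review the printed commands first; the dry run is the default so a mistyped NSG name cannot modify the wrong resource.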