Is there a better way for `az acr import ...` instead of `AzureCLI@2` in Azure DevOps?
I need to "sync/import/copy" a Container Image from registry A in subscription A to registry B to subscription B. It is possible to make this with az acr import ... as documented in Import from a registry in a different subscription
.
The flow should be like the following description.
- Image in registry A is build and tested by Dev Peoples.
- After some tests and several builds is a deployable Image in registry A
- Via a Webhook in Azure DevOps Pipeline will the image:vX.V from registry A "sync/import/copy" to registry B.
- Azure DevOps Pipeline triggers the
az acr import ...to import the image:vX.V from registry A to registry B
I think it's something similar to GitOps with Azure DevOps and Flux .
Now the question: Is the AzureCLI@2 - Azure CLI v2 task the "best" way to copy such images between ACR's?
It is recommended to use the AzureCLI@2 task to run the Azure CLI commands in Azure Pipelines.
For your case, if you want to run the related command (az acr import) to sync/import/copy images across subscriptions within the same Azure AD (Microsoft Entra ID), you can do like as below.
In your Azure AD:
- Create a management group and add the subscriptions into it.
- Create a service principal and assign it with the
Contributorrole at least on the subscriptions.
In your Azure DevOps project in which you run the pipeline, go to "Project Settings" > "Service connections" to create a new ARM service connection (Azure Resource Manager service connection) using the service principal.
Complete "
Step 1: Basics", give a custom name to the new ARM service connection.
At "Step 2: Service Principal Details", you can see the '
Issuer' and 'Subject identifier'. Copy their values to the service principal to create a new federated credential.
Complete "Step 2: Service Principal Details".
Scope LevelisManagement Group. Enter the ID and name of the management group. Enter the ID of the service principal and the Azure AD.
Then on the
AzureCLI@2task, you can use this new ARM service connection. By this way, the task can run the Azure CLI commands to access resources across subscriptions within the management group. Because the task will use the service principal to login on the management group level. And this also can avoid storing your login passwords/tokens as variables in the pipeline.
- Azure PowerShell command to list all Azure VM SKU Sizes enabled for Confidential Computing Azure ACC
- Create Azure TimerTrigger Durable Function in python
- Azure File Share: Cannot map network drive
- RBAC with bicep
- ADF expression to convert array to comma separated string
- How to get status of Azure machine learning service pipeline run using Rest Api?
- How do I deploy a Nuxt 3 solution to an Azure Node Web App
- Azure Blob Upload not working in ASP .Net Core Application
- How to clear a Cosmos DB database or delete all items using Azure portal
- Using script commands, how to add multiple scale rules to an Azure Container App?
- User Assigned Managed Identity: No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId
- Generate resources dynamically from another group of dynamically generated resources in Terraform
- Column reordering in ADF
- Logic App AuthorizationFailure - vnet integration needed
- Azure blob, controlling filename on download
- Azure VNet peering with Private Link
- Get Private FQDNs, IPs, Names of the Private Endpoints for the Azure resources deployed in an Virtual Network using PowerShell Script
- How to configure appsettings on a auto-generated preview environment
- Using Azure DevOps, how do I migrate a release pipeline to code, similar to build pipeline yml?
- Root login Ubuntu VM on Azure
- Filtering azure devops release build based upon build tag with "Continuous deployment trigger"
- Azure WebApp autoscale
- How to handle long startup times in Azure App Service deployment
- Frontend not available when front and back on same Web App Azure
- Use Salesforce Connectors from Hosted Azure Logic App in VSCode?
- What is considered an ingestion request in Azure Data Explorer?
- Provisioning (SCIM) by Entra/Azure: Why can I not select the "groups" attribute in my attribute mapping?
- Azure function verbose trace logging to Application Insights
- Azure function app GraphServiceClient create list
- Cypress tests fail to run in parallel mode due to mismatched specs between different runs