
Terraform ACI image pull with docker SSO


I'm having trouble with ratelimiting on dockerhub images and azure container instances. Our company offers a paid Docker subscription that should help, but I don't have a password, only SSO.

How can I configure that into Terraform? In the image_registry_credentials I only see server, username and password fields, nothing about using a token etc.

I have skimmed through documentation, but can't find any references. Found a solution for AKS here, but does not seem to apply.

My terraform block:

resource "azurerm_container_group" "clamav" {
  depends_on          = [azurerm_virtual_network.vnet1]
  name                = "ci-${var.project}-${var.env}-${var.location}-001"
  location            = var.location
  resource_group_name = var.rg
  os_type             = "Linux"
  ip_address_type     = "Private"
  // avoid docker ratelimiting issues with paid subscription credentials
  image_registry_credential {
    server   = "index.docker.io"
    username = "myusername"
    password = "what here??"
  }
  // official clamav image, listens at tcp 3310 inside container group, resolvable at localhost or "clamav"
  container {
    memory = "3" // source: https://docs.clamav.net/manual/Installing/Docker.html
    cpu    = "1"
    name   = "clamav"
    image  = "clamav/clamav:1.4.2" // avoid "latest" or "stable" to lock down a supported version
  }
  // sidecar: rest api that accepts multipart file requests at :3000/api/v1/scan, and scans them with clamav
  container {
    memory = "1"
    cpu    = "1"
    name   = "clamav-restapi"
    image  = "benzino77/clamav-rest-api:1.5.5"
    ports {
      port     = 3000
      protocol = "TCP"
    }
    environment_variables = {
      "APP_PORT" : "3000"
      "APP_FORM_KEY" : "FILES"
      "APP_MAX_FILE_SIZE" : "10485760" // 10MB
      "CLAMD_IP" : "localhost"
      "CLAMD_PORT" : "3310"
    }
  }
  subnet_ids = [azurerm_subnet.containers.id]
  tags       = local.tags
}


Solution

  • Terraform ACI image pull with docker SSO using token auth

    Continuation from the discussion in the query about the general Azure Container Instances image_registry_credential block.

    But it is not the case here, because when Docker Hub SSO is enforced, you must generate a Personal Access Token (PAT) and use that in the password field.

    If your account uses SSO and password login is disabled, you must generate a Personal Access Token (PAT) to authenticate to Docker Hub.

    Refer: https://docs.docker.com/security/for-developers/access-tokens/

    To make this, follow the steps mentioned below

    Go to Docker Hub → Account Settings → Security → New Access Token → copy the token.

    Refer:

    https://www.theserverside.com/blog/Coffee-Talk-Java-News-Stories-and-Opinions/unauthorized-docker-create-access-token-dockerhub-incorrect-username-password
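The following is an added example of wiring the PAT into the question's resource; it is not part of the original question or answer. The variable name `dockerhub_pat`, the username value and the single-container resource are assumptions chosen for illustration. The point it shows beyond the text: the token is declared as a sensitive input variable supplied from the environment, so it never sits in a `.tf` file, and it lands in the `password` field exactly where a Docker Hub password would.

```hcl
# Added example (not the original poster's code): supplying a Docker Hub
# Personal Access Token to image_registry_credential without committing it.
# Variable name "dockerhub_pat" and username "myusername" are assumptions.

variable "dockerhub_pat" {
  description = "Docker Hub Personal Access Token (PAT); set via TF_VAR_dockerhub_pat, never in a .tf or .tfvars file"
  type        = string
  sensitive   = true # Terraform redacts the value in plan/apply output
}

variable "dockerhub_username" {
  description = "Docker Hub account the PAT was generated for"
  type        = string
  default     = "myusername" # assumption; replace with the real account name
}

resource "azurerm_container_group" "clamav" {
  name                = "ci-${var.project}-${var.env}-${var.location}-001"
  location            = var.location
  resource_group_name = var.rg
  os_type             = "Linux"
  ip_address_type     = "Private"

  # For an SSO-only Docker Hub account the PAT replaces the password:
  # username stays the Docker Hub account, password carries the token.
  image_registry_credential {
    server   = "index.docker.io"
    username = var.dockerhub_username
    password = var.dockerhub_pat
  }

  container {
    name   = "clamav"
    image  = "clamav/clamav:1.4.2" # pinned tag, as in the question
    cpu    = 1
    memory = 3
  }

  subnet_ids = [azurerm_subnet.containers.id]
  tags       = local.tags
}
```

Run it with the token exported in the shell that invokes Terraform, for example `export TF_VAR_dockerhub_pat='<token from Docker Hub>'` followed by `terraform plan`. Two things to check when you set this up: generate the token with the Read-only permission scope, since pulling images needs nothing more; and remember that `sensitive = true` only masks the value in CLI output, the plaintext still ends up in the Terraform state file, so the state backend needs the same access controls you would give the token itself.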