Error when listing Azure Registries

[khilscher]

When I click on "Registries" -> "Azure" and succesfully log in, the following error pops up, and I cannot view any of my Azure container registries.

The client '<my email>' with object id '6da91d27-c2b4-453c-959c-0d21bfff3999' does not have authorization to perform action 'Microsoft.ContainerRegistry/registries/listCredentials/action' over scope '/subscriptions/e4272367-5645-4c4e-9c67-3b74b59a6982/resourceGroups/contosoitnodeada3/providers/Microsoft.ContainerRegistry/registries/contosoitnode9fee'.

[estebanreyl]

I investigated this issue and it has to do with container registries who have admin account enabled and yet do not permit you to view the username and password for your specific account. The rest of the registries don't load because this throws a promise rejection which causes the overall set of requests to fail. I am working on a large fix to eliminate the admin enabled problem, and this particular problem, should have a pull request open by later today.

[PrashanthCorp]

Thanks for stepping into this @estebanreyl ! We really appreciate your help.
Looking forward to your PR.

[khilscher]

Thanks for the quick turnaround! Really appreciate it. Looking forward to the PR.

[StephenWeatherford]

@estebanreyl Can you also show us how to repro/test this? I assume this is a question of RBAC rights set up in Azure?

[estebanreyl]

Happy to help, as a heads up, I am almost ready to PR. Also, sorry for the delay replying. To answer @StephenWeatherford replicating the issue is a bit difficult and requires at least 2 accounts, but it goes as follows:

1. Create a new container registry and click on admin enabled in the azure portal.
2. Click on the Access Control tab for your container registry.
3. Add your second account to the container registry using the add button at the top and proceed to add this second user with a role of reader (This role has only read access so it is not allowed to request admin account credentials).
4. After this is done login to the docker extension app (using the account with reader access to the extension), make sure the subscription under which the container registry is selected is enabled and attempt to load the container registries.
5. At this point the bug will be reproduced, no container registries will be visible and an error will pop up noting an inability to obtain the particular registry your second account had no access to.

@StephenWeatherford Noting how annoying this is to do I just created a new registry called rbacextensiontest.azurecr.io and added you as a reader ideally just running the extension should make it work,

[StephenWeatherford]

Thanks! I can repro with your account.

[StephenWeatherford]

@khilscher Just wanted to let you know we've released 0.2.0. Please let us know if this does not fix your issue. Thanks!

[khilscher]

@StephenWeatherford yes that resolved it. Many thanks.

[StephenWeatherford]

Glad to hear it! Should out to @estebanreyl