Azure DevOps pipeline trouble accessing Azure Container Registry


I have:

  • Two Azure Container Registries (ACRs) where network public access is limited to "Selected networks".
  • A service principal that has ACR push and pull permissions on the ACRs above.
  • An Azure DevOps (ADO) pipeline where I would like to automate some work involving pulling/pushing Docker images and Helm charts from one ACR to the other.

I'm having trouble connecting to the ACR via my ADO pipeline. I can successfully log into Azure using my SP credentials, but when I try to connect to the ACR, I get the following error message:

WARNING: Unable to get AAD authorization tokens with message: 2024-01-11 21:17:28.985558 An error occurred: CONNECTIVITY_REFRESH_TOKEN_ERROR Access to registry 'myACR.azurecr.io' was denied. Response code: 403. Please try running 'az login' again to refresh permissions. WARNING: Unable to get admin user credentials with message: The resource with name 'myACR' and type 'Microsoft.ContainerRegistry/registries' could not be found in subscription 'mySUBSCRIPTION (myGUI)'. ERROR: Unable to authenticate using AAD or admin login credentials. Please specify both username and password in non-interactive mode.

I've gone through multiple iterations of the code and am now using a Bash@3 task like so.

- task: Bash@3
  displayName: 'Azure CLI Login'
  inputs:
    targetType: 'inline'
    script: |
      # ARM (control-plane) login with the service principal's app id, secret and tenant
      az login --service-principal -u $(sp_app_id) -p $(sp_password) --tenant $(sp_tenant)
      # Data-plane login to the registry; this is the call that fails with 403
      az acr login -n myACR.azurecr.io

The login is successful because I see my subscriptions as output in the pipeline. When I try the same code from my machine, I can successfully log into my ACR, so this is not an issue with the SP's permissions.

I suspect that my issue is related to the ACRs' network restrictions, but I'm at a loss as to how to fix it. I've started looking into the trusted services feature to overcome the network restrictions, and "Allow trusted services" is checked in the configs. I'm not sure if using a managed identity instead of the SP would help. Am I barking up the wrong tree here?

Is there a way for me to connect to my ACR via ADO pipelines despite these limitations?

Answer by Scott Richards

I have converted your task from Bash@3 to AzureCLI@2, which uses a service connection for authentication instead of a service principal, and this has worked for me in my test:

You will need to configure your service connection to have the appropriate permissions to access your desired resources.

steps:
- task: AzureCLI@2
  inputs:
    # Name of the Azure Resource Manager service connection; the task logs in
    # with it before the script runs, so no `az login` is needed here
    azureSubscription: $(serviceConnection)
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: >
      az acr login -n $(acrName)

If you are unfamiliar with service connections, please refer to the Microsoft documentation here.
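Whichever task type is used, the question's first warning (a 403 from the registry's data plane while the ARM login succeeded) is the symptom a "Selected networks" rule set produces when the caller's egress IP is not in the allow list. The check below is an added example, not code from the question or the answer: it takes the network settings a practitioner can pull with `az acr show` (the JSON shape follows the CLI's `publicNetworkAccess`, `networkRuleBypassOptions` and `networkRuleSet` fields; the sample document is constructed, not a real registry) and decides how the registry treats a given client IP. The `is_trusted_service` flag models the "Allow trusted services" bypass; a Microsoft-hosted pipeline agent is treated as not trusted, which is an assumption the reader should verify against the current ACR trusted-services list.

```python
"""Diagnose whether an ACR network rule set explains a 403 on `az acr login`.

Added example (not from the original post). Assumes the JSON shape returned by:
  az acr show -n <acr> --query "{publicNetworkAccess:publicNetworkAccess,
      networkRuleBypassOptions:networkRuleBypassOptions, networkRuleSet:networkRuleSet}"
"""
import ipaddress
import json

# Constructed sample (not a real registry): "Selected networks", one allowed
# office range, one allowed single host, and "Allow trusted services" on.
SAMPLE_ACR_JSON = """{
  "publicNetworkAccess": "Enabled",
  "networkRuleBypassOptions": "AzureServices",
  "networkRuleSet": {
    "defaultAction": "Deny",
    "ipRules": [
      {"action": "Allow", "ipAddressOrRange": "203.0.113.0/24"},
      {"action": "Allow", "ipAddressOrRange": "198.51.100.7"}
    ]
  }
}"""


def load_acr(acr_json: str) -> dict:
    """Parse the `az acr show` JSON (or the constructed sample above)."""
    return json.loads(acr_json)


def allowed_networks(acr: dict) -> list:
    """Return the Allow IP rules as ip_network objects.

    strict=False tolerates host bits set inside a range; a bare address
    (as ACR stores single-host rules) becomes a /32.
    """
    rule_set = acr.get("networkRuleSet") or {}
    nets = []
    for rule in rule_set.get("ipRules") or []:
        if rule.get("action", "Allow") != "Allow":
            continue  # ACR only supports Allow rules; skip anything else defensively
        nets.append(ipaddress.ip_network(rule["ipAddressOrRange"], strict=False))
    return nets


def classify_client(acr: dict, client_ip: str, is_trusted_service: bool = False) -> str:
    """Decide how the registry's network settings treat a client at client_ip.

    Returns one of:
      'public-access-disabled'       publicNetworkAccess is Disabled; only a
                                     private endpoint reaches the registry
      'allowed'                      default action Allow, or an IP rule matches
      'allowed-via-trusted-services' no IP rule matches, but the caller is a
                                     trusted Azure service and bypass is enabled
      'blocked-by-network-rules'     the data-plane request gets HTTP 403
    """
    if acr.get("publicNetworkAccess") == "Disabled":
        return "public-access-disabled"
    rule_set = acr.get("networkRuleSet") or {}
    if rule_set.get("defaultAction", "Allow") == "Allow":
        return "allowed"
    ip = ipaddress.ip_address(client_ip)
    # `in` is False across IPv4/IPv6 families, so mixed rules are handled safely
    if any(ip in net for net in allowed_networks(acr)):
        return "allowed"
    if is_trusted_service and acr.get("networkRuleBypassOptions") == "AzureServices":
        return "allowed-via-trusted-services"
    return "blocked-by-network-rules"


if __name__ == "__main__":
    acr = load_acr(SAMPLE_ACR_JSON)
    # Constructed client IPs: an allowed office host, and an address standing in
    # for a Microsoft-hosted agent, which is assumed not to be a trusted service.
    for who, ip, trusted in [
        ("office workstation", "203.0.113.45", False),
        ("hosted pipeline agent", "20.10.0.5", False),
        ("hosted pipeline agent (if it were trusted)", "20.10.0.5", True),
    ]:
        print(f"{who:45} {ip:15} -> {classify_client(acr, ip, trusted)}")
```

Run the script after replacing `SAMPLE_ACR_JSON` with real `az acr show` output and `client_ip` with the agent's egress address (for example from `curl -s https://api.ipify.org` in a pipeline step). A "blocked-by-network-rules" verdict for the agent means the fix is network-side, not identity-side: Microsoft-hosted agents draw their egress IPs from the Azure datacenter ranges of the agent's region and those change, so an IP allow rule is not durable; a self-hosted agent with a fixed egress IP, or one placed in a VNet with a private endpoint to the registry, is the usual answer.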