0

I'm trying to deploy my Bicep modules published in an Azure Container Registry, but I'm encountering issues when using my service connection. It works fine locally with my own user account, but the service connection, which has the AcrPull role on the container registry, is failing. I'm receiving the following error:

    Deploying stack [] failed. Retrying in 10 seconds... WARNING: Cannot retrieve the dynamic parameters for the cmdlet. /home/vsts/work/1/s//////*/.//.bicep/.bicep(37,13) : Error BCP192: Unable to restore the artifact with reference "br:.azurecr.io////**.bicep:20241000.30": Unhandled exception: Azure.Identity.CredentialUnavailableException: The ChainedTokenCredential failed to retrieve a token from the included credentials.

      • Please run 'az login' to set up account
      • Please run 'Connect-AzAccount' to set up account. ---> System.AggregateException: Multiple exceptions were encountered while attempting to authenticate. (Please run 'az login' to set up account) (Please run 'Connect-AzAccount' to set up account.) ---> Azure.Identity.CredentialUnavailableException: Please run 'az login' to set up account at Azure.Identity.AzureCliCredential.RequestCliAccessTokenAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken) at Azure.Identity.AzureCliCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken) at...

My pipeline job looks like this:

    stages:
    - stage: CD
      jobs:
        - job: Deployment
          steps:
            - checkout: self
            - checkout: governance
              fetchDepth: 2
            - task: AzurePowerShell@5
              displayName: "Deploy Deployment Stacks"
              inputs:
                azureSubscription: service-conn
                ScriptType: FilePath
                ScriptPath: $(Build.SourcesDirectory)/***/**.ps1
                ScriptArguments: -RegistryName "***"
                  -Verbose
                  -InformationAction 'Continue'
                FailOnStandardError: true
                errorActionPreference: stop
                azurePowerShellVersion: LatestVersion
                pwsh: true
              env:
                SYSTEM_ACCESSTOKEN: $(System.AccessToken)

And I have tried running both in my script:

    Connect-AzContainerRegistry -Name $RegistryName
    az acr login --name $RegistryName

What could be causing the issue? I've considered whether it needs to be an Azure CLI job to work.

2
  • Double-check that the service connection is properly configured with the correct Azure subscription, and that the service principal (or managed identity) can access the ACR. Commented Jan 2 at 12:26
  • Ensure that the service connection you're using in the Azure DevOps pipeline has the correct permissions. The service principal associated with the service connection must have the AcrPull role assigned to the ACR. Also, verify that it is scoped correctly to the Azure subscription and resource group where the ACR is located. Commented Jan 2 at 12:46

2 Answers

0

Pull bicep modules from ACR to consume using AzurePowershell@5 task in Azure pipeline

In order to connect to an Azure Container Registry using an Azure DevOps service connection, you can create a Docker registry service connection by selecting 'Container Registry,' as shown in the screenshots below.

Note: The account you used to log in to DevOps may need the Owner role.

Create a Docker registry service connection

When you create a Docker service connection, the AcrPush role is assigned to the container registry by default. For your requirements, assign the AcrPull role to the service principal.

If you are still having issues with PowerShell, you can use Azure CLI instead.

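    - task: AzureCLI@2
      displayName: "Deploy Deployment Stacks"
      inputs:
        azureSubscription: 'service-conn'
        scriptType: 'pscore'
        scriptLocation: 'inlineScript'
        inlineScript: |
          # Compile the template; this also restores any br: module references from the registry
          az bicep build --file $(Build.SourcesDirectory)/path/to/your.bicep
          # Subscription-scope deployments require --location; "<location>" is a placeholder
          az deployment sub create --location "<location>" --template-file $(Build.SourcesDirectory)/path/to/your.bicep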

You can follow the MS Doc to authenticate the Azure container registry using the Docker Registry Service Connection.

Reference: Docker Registry service connection

Build and publish to Azure Container Registry

service connection types

1 Comment

I hope this helps to resolve your query.
0

I just needed to use "set-azcontext" to a random subscription, then it worked
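
A preflight for the deployment script, as an added example that is not from either answer: it selects the subscription explicitly with Set-AzContext (the step the answer above reports as the fix) and then runs `bicep restore`, so a BCP192 credential or AcrPull failure stops the job before the stack deployment and its retries begin. The function name, its parameters and the presence of the `bicep` CLI on the agent's PATH are assumptions.

```powershell
# Added example (not from the thread). Assumes it runs inside the AzurePowerShell@5
# task, so Az is already signed in as the service connection, and that the bicep
# CLI is on PATH. Test-BicepRegistryRestore and its parameters are hypothetical names.
function Test-BicepRegistryRestore {
    [CmdletBinding()]
    param(
        # Path to the .bicep file that references br: modules.
        [Parameter(Mandatory)] [string] $TemplateFile,
        # Subscription to select; defaults to the one the task signed in to.
        [string] $SubscriptionId
    )

    $ctx = Get-AzContext
    if (-not $ctx) {
        throw "No Az context in this session; the task did not sign in."
    }
    if (-not $SubscriptionId) {
        $SubscriptionId = $ctx.Subscription.Id
    }

    # Step reported as the fix in the answer above: set the context explicitly.
    $null = Set-AzContext -Subscription $SubscriptionId -ErrorAction Stop
    Write-Verbose "Subscription $SubscriptionId, account $((Get-AzContext).Account.Id)"

    # Restore the registry modules up front. An authentication or authorization
    # problem shows up here as BCP192 with the full credential-chain message.
    & bicep restore $TemplateFile
    if ($LASTEXITCODE -ne 0) {
        throw "bicep restore failed for '$TemplateFile' (exit code $LASTEXITCODE)."
    }
}

# Usage inside the deployment script, before the stack deployment:
#   Test-BicepRegistryRestore -TemplateFile $pathToTemplate -Verbose
```

The account ID written by `-Verbose` is the service principal's application ID, not a secret; the function never prints tokens.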
