Azure Releases, ACR Artifact not authenticating when using federated identity

Question

I have been using Azure releases and I have been using a ACR docker image as an artifact input.

Recently I noticed, that when trying to update one of my existing release pipelines I am getting the error below. This is happening since I migrated the Service Connection (type: Azure Resource Manager) to federated identity (previously they were using clientID and ClientSecret). This service connection does work for sure because I am using it in many places in order to push docker images. The service principal also has Contributor rights and ACRPush Role.

Can you please help? Is this some bug or am I doing something wrong?

Failed to query service connection API: 'https://xxx.azurecr.io/v2/_catalog'. Status Code: 'Unauthorized', Response from server: '{"errors":[{"code":"UNAUTHORIZED","message":"authentication required, visit https://aka.ms/acr/authorization for more information.","detail":[{"Type":"registry","Name":"catalog","Action":"*"}]}]}

Answer 1

I can reproduce the issue when using workload identity federation in ARM service connection. But it works fine when using service principal with the same permissions and roles.

I notices that there is already a ticket in Developer Community reporting the same problem and has been reported to the product team. You can follow this ticket and add some comment to let the product team know the impact of the issue.

As a workaround, it's suggested that you could use service principal in ARM service connection temporarily.