Pull bicep modules from ACR to consume using AzurePowershell@5 task in Azure pipeline

Question

I'm trying to deploy my Bicep modules published in an Azure Container Registry, but I'm encountering issues when using my service connection. It works fine locally with my own user account, but the service connection, which has the AcrPull role on the container registry, is failing. I'm receiving the following error:

Deploying stack [] failed. Retrying in 10 seconds... WARNING: Cannot retrieve the dynamic parameters for the cmdlet. /home/vsts/work/1/s//////*/.//.bicep/.bicep(37,13) : Error BCP192: Unable to restore the artifact with reference "br:.azurecr.io////**.bicep:20241000.30": Unhandled exception: Azure.Identity.CredentialUnavailableException: The ChainedTokenCredential failed to retrieve a token from the included credentials.

• Please run 'az login' to set up account
• Please run 'Connect-AzAccount' to set up account. ---> System.AggregateException: Multiple exceptions were encountered while attempting to authenticate. (Please run 'az login' to set up account) (Please run 'Connect-AzAccount' to set up account.) ---> Azure.Identity.CredentialUnavailableException: Please run 'az login' to set up account at Azure.Identity.AzureCliCredential.RequestCliAccessTokenAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken) at Azure.Identity.AzureCliCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken) at...

My pipeline job looks like this:

stages:
- stage: CD
  jobs:
    - job: Deployment
      steps:
        - checkout: self
        - checkout: governance
          fetchDepth: 2
        - task: AzurePowerShell@5
          displayName: "Deploy Deployment Stacks"
          inputs:
            azureSubscription: service-conn
            ScriptType: FilePath
            ScriptPath: $(Build.SourcesDirectory)/***/**.ps1
            ScriptArguments: -RegistryName "***"
              -Verbose
              -InformationAction 'Continue'
            FailOnStandardError: true
            errorActionPreference: stop
            azurePowerShellVersion: LatestVersion
            pwsh: true
          env:
            SYSTEM_ACCESSTOKEN: $(System.AccessToken)

And I have tried running both in my script:

Connect-AzContainerRegistry -Name $RegistryName
az acr login --name $RegistryName

What could be causing the issue? I've considered whether it needs to be an Azure CLI job to work.

Answer 1

i just needed to use "set-azcontext" to a random subscription, then i worked

Answer 2

Pull bicep modules from ACR to consume using AzurePowershell@5 task in Azure pipeline

In order to connect to an Azure Container Registry using an Azure DevOps service connection, you can create a Docker registry service connection by selecting 'Container Registry,' as shown in the screenshots below.

Note: The account you logged into DevOps may need the Owner role

Create a Docker registry service connection

When you create a⁣Docker service connection, the AcrPush role is assigned to the⁣container registry by default. For your requirements, assign the AcrPull role to the service principal.

If you are still having issues with PowerShell, you can use Azure CLI instead.

    - task: AzureCLI@2
      displayName: "Deploy Deployment Stacks"
      inputs:
        azureSubscription: 'service-conn'
        scriptType: 'pscore'
        scriptLocation: 'inlineScript'
        inlineScript: |
          az bicep build --file $(Build.SourcesDirectory)/path/to/your.bicep
          az deployment sub create --template-file $(Build.SourcesDirectory)/path/to/your.bicep

You can follow the MS Doc to authenticate the Azure container registry using the Docker Registry Service Connection.

Reference: Docker Registry service connection

Build and publish to Azure Container Registry

service connection types