
ACR transfer failing with Private Endpoints

Open adamruderman opened this issue 7 months ago • 3 comments

Describe the bug

When working with an ACR and Storage Account secured with Private Endpoints on the same VNET, az acr pipeline run create fails with:

"Failed to access storage. Service request failed. Status: 403 (This request is not authorized to perform this operation)"

If I change networking on the Storage Account from "disabled" to "Enabled from all networks", it works as expected. It pulls the SAS secret from KeyVault fine over Private Endpoints, just not the Storage Account.

Related command

az acr pipeline run create

Errors

"Failed to access storage. Service request failed. Status: 403 (This request is not authorized to perform this operation)"

Issue script & Debug output


Expected behavior

The command would work with a storage account and ACR that leverage Private Endpoints, or provide IPs to whitelist (or provide documentation noting it will not work).

Environment Summary

azure-cli 2.61.0 *

core 2.61.0 *
telemetry 1.1.0

Extensions:
acrtransfer 1.1.0
application-insights 1.2.3
resource-graph 2.1.0

Dependencies:
msal 1.28.0
azure-mgmt-resource 23.1.1

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\User1.azure\cliextensions'

Python (Windows) 3.11.8 (tags/v3.11.8:db85d51, Feb 6 2024, 21:52:07) [MSC v.1937 32 bit (Intel)]

Additional context

Tested in Azure Government

adamruderman (Apr 29 '25 19:04)

Thank you for opening this issue, we will look into it.

yonzhan (Apr 29 '25 19:04)

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @toddysm, @northtyphoon, @luisdlp, @terencet-dev, @shizhMSFT, @JXavierMSFT.

@getk12 Can you take a look at this issue?

JXavierMSFT (Apr 30 '25 17:04)

This is due to the ACR Service not being onboarded as an Azure Trusted Service from the perspective of Azure Storage Account. I will be closing this issue and consolidating the conversation over at https://github.com/Azure/acr/issues/857

johnsonshi (Nov 07 '25 01:11)
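A triage sketch for the failure discussed in this thread, added here as an example (it is not code from the issue, the acrtransfer extension, or the Azure CLI). It parses the `pipelineRunErrorMessage` of a pipeline run and compares it with the storage account's network settings; the sample JSON is constructed, the function names are hypothetical, and it assumes the storage settings are supplied in the shape of `az storage account show` output (`publicNetworkAccess`, `networkRuleSet`).

```python
import json
import re

# Constructed sample shaped like the JSON printed for a failed export run.
# Names and IDs are placeholders, not values from the issue.
SAMPLE_RUN = json.dumps({
    "name": "exportRun1",
    "provisioningState": "Failed",
    "response": {
        "status": "Failed",
        "pipelineRunErrorMessage": (
            "ExportPipeline 'pipeline1', Run 'exportRun1': Failed to access storage. "
            "Service request failed.\nStatus: 403 (This request is not authorized "
            "to perform this operation.)\nErrorCode: AuthorizationFailure\n\n"
            "Headers:\nServer: Microsoft-HTTPAPI/2.0\n"
            "x-ms-request-id: 00000000-0000-0000-0000-000000000001\n"
            "x-ms-error-code: AuthorizationFailure\n"
            " For more information, please visit https://aka.ms/acr/transfer."
        ),
    },
})

# Constructed sample of the storage account's network settings.
SAMPLE_STORAGE = json.dumps({
    "publicNetworkAccess": "Disabled",
    "networkRuleSet": {"defaultAction": "Deny", "bypass": "AzureServices"},
})


def parse_run_error(message):
    """Pull the HTTP status, error code and response headers out of the message."""
    status = re.search(r"^Status:\s*(\d{3})", message, re.MULTILINE)
    code = re.search(r"^ErrorCode:\s*(\S+)", message, re.MULTILINE)
    headers = {}
    _, _, header_block = message.partition("Headers:\n")
    for line in header_block.splitlines():
        name, sep, value = line.partition(": ")
        # Skip trailing prose lines that are not "Name: value" headers.
        if sep and name and " " not in name:
            headers[name.lower()] = value.strip()
    return {
        "http_status": int(status.group(1)) if status else None,
        "error_code": code.group(1) if code else None,
        "headers": headers,
    }


def storage_blocks_public(storage):
    """True when the account rejects traffic that does not match a network rule."""
    # Assumption: accept either the CLI key or the ARM REST key for the rule set.
    rules = storage.get("networkRuleSet") or storage.get("networkAcls") or {}
    return (storage.get("publicNetworkAccess") == "Disabled"
            or rules.get("defaultAction") == "Deny")


def triage(run_json, storage_json):
    """Classify a pipeline run against the storage firewall configuration."""
    run = json.loads(run_json)
    storage = json.loads(storage_json)
    response = run.get("response") or {}
    # The outcome is reported in the JSON body, so read it from there.
    failed = "Failed" in (run.get("provisioningState"), response.get("status"))
    if not failed:
        return {"verdict": "ok"}
    err = parse_run_error(response.get("pipelineRunErrorMessage") or "")
    result = {
        "http_status": err["http_status"],
        "error_code": err["error_code"],
        # Storage-side request id, useful when opening a support ticket.
        "request_id": err["headers"].get("x-ms-request-id"),
    }
    storage_403 = (err["http_status"] == 403
                   and err["error_code"] == "AuthorizationFailure")
    if storage_403 and storage_blocks_public(storage):
        # Matches this thread: per the maintainer, ACR is not onboarded as a
        # trusted service for Storage, so the firewall rejects the transfer.
        result["verdict"] = "storage-firewall"
    elif storage_403:
        result["verdict"] = "storage-auth"  # firewall open; look at the SAS instead
    else:
        result["verdict"] = "other"
    return result


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RUN, SAMPLE_STORAGE), indent=2))
```
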