
ACR authentication can fail when using two different service connections for the same ACR

Open lbussell opened this issue 1 week ago • 0 comments

In the following scenario, authentication to an ACR can fail:

  • You have one ACR.
  • You have two different service connections that both have permission to that ACR.
  • Your pipeline only has permission to one of multiple service connections to that ACR.
  • The service connection your pipeline has permission to is not listed first among all of the service connections that have permission to that ACR.

An example appsettings.json that causes this error:

{
  "PublishConfiguration": {
    "InternalMirrorRegistry": {
      "server": "registry.azurecr.io",
      "repoPrefix": "prefix-a/",
      ...
      "serviceConnection": {
        "name": "ServiceConnectionA",
        "id": ...
      }
    },
    "BuildRegistry": {
      "server": "registry.azurecr.io",
      "repoPrefix": "prefix-b/",
      ...
      "serviceConnection": {
        "name": "ServiceConnectionB",
        "id": ...
      }
    },
    ...
  },
  ...
}

The issue is with this method, FindOwnedAcrByName:

https://github.com/dotnet/docker-tools/blob/e62aea1b93dfa8ec725af41a367d557eb8987c65/src/ImageBuilder/Configuration/ConfigurationExtensions.cs#L21-L32

The method simply returns the first service connection that matches the ACR name, even if the pipeline doesn't have permission to that service connection and it does have permission to a different service connection listed later in the publishConfig.

lbussell, Jan 06 '26 22:01
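
The lookup behaviour described in the issue, next to a resolution that only accepts a service connection the pipeline is authorized for. This is an added example, not part of the original issue and not docker-tools code. The `RegistryEndpoint` and `ServiceConnection` records, the `AcrLookup` class and the `authorized` set are hypothetical, and how a pipeline learns which connections it may use is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical model of the appsettings.json entries above (not docker-tools' own types).
record ServiceConnection(string Name);
record RegistryEndpoint(string Server, string RepoPrefix, ServiceConnection Connection);

static class AcrLookup
{
    static bool SameServer(string a, string b) =>
        string.Equals(a, b, StringComparison.OrdinalIgnoreCase);

    // Behaviour described in the issue: the first entry whose server matches wins,
    // regardless of whether the pipeline may use that entry's service connection.
    public static RegistryEndpoint FirstMatch(IEnumerable<RegistryEndpoint> endpoints, string acr) =>
        endpoints.First(e => SameServer(e.Server, acr));

    // Alternative: collect every entry for the ACR, then keep only those whose
    // service connection is in the set this pipeline is authorized to use (assumed input).
    public static RegistryEndpoint ResolveAuthorized(
        IEnumerable<RegistryEndpoint> endpoints, string acr, ISet<string> authorized)
    {
        var matches = endpoints.Where(e => SameServer(e.Server, acr)).ToList();
        if (matches.Count == 0)
            throw new InvalidOperationException($"No registry entry configured for '{acr}'.");

        var usable = matches.Where(e => authorized.Contains(e.Connection.Name)).ToList();
        if (usable.Count == 0)
            throw new InvalidOperationException(
                $"'{acr}' is configured via [{string.Join(", ", matches.Select(m => m.Connection.Name))}], " +
                "none of which this pipeline is authorized to use.");
        return usable[0];
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample mirroring the issue: one ACR, two service connections.
        var endpoints = new[]
        {
            new RegistryEndpoint("registry.azurecr.io", "prefix-a/", new ServiceConnection("ServiceConnectionA")),
            new RegistryEndpoint("registry.azurecr.io", "prefix-b/", new ServiceConnection("ServiceConnectionB")),
        };
        var authorized = new HashSet<string> { "ServiceConnectionB" }; // pipeline may only use B
        Console.WriteLine(AcrLookup.FirstMatch(endpoints, "registry.azurecr.io").Connection.Name);
        Console.WriteLine(AcrLookup.ResolveAuthorized(endpoints, "registry.azurecr.io", authorized).Connection.Name);
    }
}
```

Failing with the list of candidate connection names when none is usable keeps a permission problem distinguishable from a missing registry entry.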