Public anonymous registry not working in Azure Pipeline

[Agazoth]

Bicep version
0.4.1310

Describe the bug
We have a setup with a bicep registry that has anonymous access allowed. When building templates locally, the registry can be accessed from unauthenticated PowerShell sessions in both Windows and WSL Ubuntu. PowerShell versions:

PSVersion                      7.2.1
PSEdition                      Core
GitCommitId                    7.2.1
OS                             Microsoft Windows 10.0.22000
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

PSVersion                      7.2.0
PSEdition                      Core
GitCommitId                    7.2.0
OS                             Linux 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

The bicepconfig.json is placed in the same folder as the main.bicep file.

Running the same build from a ubuntu-latest machine in an Azure DevOps pipeline generates this error:

/home/vsts/work/1/s/main.bicep(9,11) : Error BCP192: Unable to restore the module with reference "br:ateabicepcr.azurecr.io/p/storageaccount:1.1": Unhandled exception: Azure.RequestFailedException: Service request failed.
Status: 403 (Forbidden)

Content:
{"errors":[{"code":"DENIED","message":"retrieving permissions failed"}]}

Headers:
Server: openresty
Date: Mon, 14 Mar 2022 07:14:56 GMT
Connection: keep-alive
X-Ms-Correlation-Request-Id: b818a15e-e823-4cf2-b7ed-8e967b12c9cb
x-ms-ratelimit-remaining-calls-per-second: 166.65
Strict-Transport-Security: REDACTED
Content-Type: application/json
Content-Length: 72

   at Azure.Containers.ContainerRegistry.AuthenticationRestClient.ExchangeAadAccessTokenForAcrRefreshTokenAsync(String service, String accessToken, CancellationToken cancellationToken)
   at Azure.Containers.ContainerRegistry.ContainerRegistryRefreshTokenCache.GetRefreshTokenFromCredentialAsync(TokenRequestContext context, String service, Boolean async, CancellationToken cancellationToken)
   at Azure.Containers.ContainerRegistry.ContainerRegistryRefreshTokenCache.GetAcrRefreshTokenAsync(HttpMessage message, TokenRequestContext context, String service, Boolean async)
   at Azure.Containers.ContainerRegistry.ContainerRegistryRefreshTokenCache.GetAcrRefreshTokenAsync(HttpMessage message, TokenRequestContext context, String service, Boolean async)
   at Azure.Containers.ContainerRegistry.ContainerRegistryChallengeAuthenticationPolicy.AuthorizeRequestOnChallengeAsyncInternal(HttpMessage message, Boolean async)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
   at Azure.Core.Pipeline.RedirectPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
   at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
   at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
   at Azure.Containers.ContainerRegistry.ContainerRegistryRestClient.GetManifestAsync(String name, String reference, String accept, CancellationToken cancellationToken)
   at Azure.Containers.ContainerRegistry.Specialized.ContainerRegistryBlobClient.DownloadManifestAsync(DownloadManifestOptions options, CancellationToken cancellationToken)
   at Bicep.Core.Registry.AzureContainerRegistryManager.DownloadManifestAsync(OciArtifactModuleReference moduleReference, ContainerRegistryBlobClient client)
   at Bicep.Core.Registry.AzureContainerRegistryManager.PullArtifactAsync(RootConfiguration configuration, OciArtifactModuleReference moduleReference)
   at Bicep.Core.Registry.OciModuleRegistry.TryPullArtifactAsync(RootConfiguration configuration, OciArtifactModuleReference reference)

To Reproduce
main.bicep

param location string = 'westeurope'
targetScope = 'subscription'

resource rg 'Microsoft.Resources/resourceGroups@2020-10-01' = {
  name: 'rg-branon-t'
  location: location
}

module st 'br/atea:storageaccount:1.1' = {
  name: 'DeploystorageAccount'
  scope: rg
  params: {
    storageAccountName: 'sabranonrand777'
    location: location
    skuName: 'Standard_LRS'
    allowBlobPublicAccess: false
    isHnsEnabled: false
    stkind: 'StorageV2'
  }
}

bicepconfig.json

{
  "cloud": {
    "currentProfile": "AzureCloud",
    "credentialPrecedence": [
      "AzurePowerShell"
    ]
  },
  "moduleAliases": {
    "ts": {},
    "br": {
      "atea": {
        "registry": "ateabicepcr.azurecr.io",
        "modulePath": "p"
      }
    }
  },
  "analyzers": {}
}

pipeline.yaml

parameters:
  - name: serviceconnection
    type: string
    default: branon

stages:
  - stage: Bicep_Build
    displayName: Test Bicep Build
    pool:
      vmAgentImage: "ubuntu-latest"
    jobs:
      - job: TestBicepBuild
        steps:
          - pwsh: |
              curl -Lo bicep "https://storateamsppublic.blob.core.windows.net/templates/bicep/0.4.1310/bicep"
              chmod +x ./bicep
              sudo mv ./bicep /usr/local/bin/bicep
              bicep -v
            displayName: "Install Bicep"
          - task: AzurePowerShell@5
            displayName: "Testing Bicep Anonymous Build"
            name: build_template
            inputs:
              azureSubscription: ${{parameters.serviceconnection}}
              ScriptType: InlineScript
              Inline: |
                $env:BICEP_REGISTRY_ENABLED_EXPERIMENTAL = $true
                "Experimental feature is: {0}" -f $env:BICEP_REGISTRY_ENABLED_EXPERIMENTAL
                ls /home/
                bicep build main.bicep
              azurePowerShellVersion: "latestVersion"
              pwsh: true

Additional context
Just update the serviceconnection to target your own environment

[alex-frankel]

Can you output the version of bicep that is running in the pipeline? I'm not sure if the agent has another version of bicep pre-installed that is conflicting.

[Agazoth]

Sorry about that. That is 0.4.1310 too.

[majastrz]

Can you upgrade to the latest public release of Bicep and confirm it's still happening?

[Agazoth]

Results using the pipeline above replacing line 13 with curl -Lo bicep "https://github.com/Azure/bicep/releases/latest/download/bicep-linux-x64"

[Agazoth]

Anything else I can add to make this clearer @majastrz ?

[Agazoth]

@majastrz this is PSVersionTAble and Az.Accounts version from the ubuntu-latest machine in the DevOps pipeline:

Name                           Value
----                           -----
PSVersion                      7.2.1
PSEdition                      Core
GitCommitId                    7.2.1
OS                             Linux 5.11.0-1028-azure #31~20.04.2-Ubuntu SMP …
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Name              : Az.Accounts
Path              : /usr/share/az_7.1.0/Az.Accounts/2.7.2/Az.Accounts.psd1
Description       : Microsoft Azure PowerShell - Accounts credential management
                     cmdlets for Azure Resource Manager in Windows PowerShell a
                    nd PowerShell Core.
                    
                    For more information on account credential management, plea
                    se visit the following: https://docs.microsoft.com/powershe
                    ll/azure/authenticate-azureps
Guid              : 17a2feff-488b-47f9-8729-e2cec094624c
Version           : 2.7.2
ModuleBase        : /usr/share/az_7.1.0/Az.Accounts/2.7.2
ModuleType        : Script
PrivateData       : {PSData}
AccessMode        : ReadWrite
ExportedAliases   : {[Add-AzAccount, Add-AzAccount], [Login-AzAccount, Login-Az
                    Account], [Remove-AzAccount, Remove-AzAccount], [Logout-AzA
                    ccount, Logout-AzAccount]…}
ExportedCmdlets   : {[Disable-AzDataCollection, Disable-AzDataCollection], [Dis
                    able-AzContextAutosave, Disable-AzContextAutosave], [Enable
                    -AzDataCollection, Enable-AzDataCollection], [Enable-AzCont
                    extAutosave, Enable-AzContextAutosave]…}
ExportedFunctions : {}
ExportedVariables : {}
NestedModules     : {}

[slapointe]

Hi @Agazoth, have you tested it again lately? It works for me with your pipeline logic and your 2 files, main.bicep & bicepconfig.json. I only added a few debug statements & a publish artifact step.

parameters:
  - name: serviceconnection
    type: string
    default: AzureSponsorship

stages:
  - stage: Bicep_Build
    displayName: Test Bicep Build
    pool:
      vmAgentImage: "ubuntu-latest"
    jobs:
      - job: TestBicepBuild
        steps:
          - pwsh: |
              curl -Lo bicep "https://storateamsppublic.blob.core.windows.net/templates/bicep/0.4.1310/bicep"
              chmod +x ./bicep
              sudo mv ./bicep /usr/local/bin/bicep
              bicep -v
            displayName: "Install Bicep"
          - task: AzurePowerShell@5
            displayName: "Testing Bicep Anonymous Build"
            name: build_template
            inputs:
              azureSubscription: ${{parameters.serviceconnection}}
              ScriptType: InlineScript
              Inline: |
                $env:BICEP_REGISTRY_ENABLED_EXPERIMENTAL = $true
                "Experimental feature is: {0}" -f $env:BICEP_REGISTRY_ENABLED_EXPERIMENTAL
                Write-output 'Before'
                Get-Location
                ls
                bicep build main.bicep
                Write-output 'After'
                ls
                Write-output 'Builded JSON file:'
                Get-Content -LiteralPath 'main.json' -Raw
              azurePowerShellVersion: "latestVersion"
              pwsh: true
          - task: PublishBuildArtifacts@1
            inputs:
              PathtoPublish: '$(Build.SourcesDirectory)'
              ArtifactName: 'drop'
              publishLocation: 'Container'            

Here are my raw logs for the Initialize job step:

2022-03-23T21:24:58.6514635Z ##[section]Starting: Initialize job
2022-03-23T21:24:58.6516261Z Agent name: 'Hosted Agent'
2022-03-23T21:24:58.6517164Z Agent machine name: 'fv-az234-867'
2022-03-23T21:24:58.6517590Z Current agent version: '2.200.2'
2022-03-23T21:24:58.6562057Z ##[group]Operating System
2022-03-23T21:24:58.6562310Z Ubuntu
2022-03-23T21:24:58.6562476Z 20.04.4
2022-03-23T21:24:58.6562609Z LTS
2022-03-23T21:24:58.6562932Z ##[endgroup]
2022-03-23T21:24:58.6563133Z ##[group]Virtual Environment
2022-03-23T21:24:58.6563357Z Environment: ubuntu-20.04
2022-03-23T21:24:58.6563747Z Version: 20220227.1
2022-03-23T21:24:58.6564161Z Included Software: https://github.com/actions/virtual-environments/blob/ubuntu20/20220227.1/images/linux/Ubuntu2004-Readme.md
2022-03-23T21:24:58.6564696Z Image Release: https://github.com/actions/virtual-environments/releases/tag/ubuntu20%2F20220227.1
2022-03-23T21:24:58.6565038Z ##[endgroup]
2022-03-23T21:24:58.6565251Z ##[group]Virtual Environment Provisioner
2022-03-23T21:24:58.6565659Z 1.0.0.0-main-20220307-1
2022-03-23T21:24:58.6565885Z ##[endgroup]
2022-03-23T21:24:58.6567335Z Current image version: '20220227.1'
2022-03-23T21:24:58.6569500Z Agent running as: 'vsts'
2022-03-23T21:24:58.6632431Z Prepare build directory.
2022-03-23T21:24:58.6950929Z Set build variables.
2022-03-23T21:24:58.6988182Z Download all required tasks.
2022-03-23T21:24:58.7118572Z Downloading task: PowerShell (2.200.0)
2022-03-23T21:24:59.8042084Z Downloading task: AzurePowerShell (5.198.0)
2022-03-23T21:25:00.8900820Z Downloading task: PublishBuildArtifacts (1.200.0)
2022-03-23T21:25:01.1385481Z Checking job knob settings.
2022-03-23T21:25:01.1395244Z    Knob: AgentToolsDirectory = /opt/hostedtoolcache Source: ${AGENT_TOOLSDIRECTORY} 
2022-03-23T21:25:01.1396807Z    Knob: AgentPerflog = /home/vsts/perflog Source: ${VSTS_AGENT_PERFLOG} 
2022-03-23T21:25:01.1399624Z Finished checking job knob settings.
2022-03-23T21:25:01.1803936Z Start tracking orphan processes.
2022-03-23T21:25:01.2027793Z ##[section]Finishing: Initialize job

InstallBicep step

2022-03-23T21:25:03.5189850Z ##[section]Starting: Install Bicep
2022-03-23T21:25:03.5199820Z ==============================================================================
2022-03-23T21:25:03.5200186Z Task         : PowerShell
2022-03-23T21:25:03.5200484Z Description  : Run a PowerShell script on Linux, macOS, or Windows
2022-03-23T21:25:03.5200751Z Version      : 2.200.0
2022-03-23T21:25:03.5200967Z Author       : Microsoft Corporation
2022-03-23T21:25:03.5201382Z Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/powershell
2022-03-23T21:25:03.5201784Z ==============================================================================
2022-03-23T21:25:03.9078510Z Generating script.
2022-03-23T21:25:03.9115409Z ========================== Starting Command Output ===========================
2022-03-23T21:25:03.9142701Z [command]/usr/bin/pwsh -NoLogo -NoProfile -NonInteractive -Command . '/home/vsts/work/_temp/eb3b27d7-76b1-488c-9795-9390da7af563.ps1'
2022-03-23T21:25:04.5454852Z   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
2022-03-23T21:25:04.5456162Z                                  Dload  Upload   Total   Spent    Left  Speed
2022-03-23T21:25:04.5456369Z 
2022-03-23T21:25:05.0058144Z   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
2022-03-23T21:25:05.9771152Z   0 32.2M    0 15961    0     0  34622      0  0:16:16 --:--:--  0:16:16 34547
2022-03-23T21:25:06.9475250Z   4 32.2M    4 1519k    0     0  1061k      0  0:00:31  0:00:01  0:00:30 1060k
2022-03-23T21:25:07.9686562Z  37 32.2M   37 12.0M    0     0  5120k      0  0:00:06  0:00:02  0:00:04 5118k
2022-03-23T21:25:07.9697286Z  99 32.2M   99 32.0M    0     0  9574k      0  0:00:03  0:00:03 --:--:-- 9571k
2022-03-23T21:25:07.9699772Z 100 32.2M  100 32.2M    0     0  9635k      0  0:00:03  0:00:03 --:--:-- 9632k
2022-03-23T21:25:09.3257651Z Bicep CLI version 0.4.1310 (78eca78aaf)
2022-03-23T21:25:09.6901444Z ##[section]Finishing: Install Bicep

Az.Accounts is 2.7.2 as you can see below:
Import-Module -Name /usr/share/az_7.1.0/Az.Accounts/2.7.2/Az.Accounts.psd1 -Global

[Agazoth]

Hi @slapointe,

I am now running your pipeline. My Initialize step looks like this:

2022-03-24T06:19:15.3452581Z ##[section]Starting: Initialize job
2022-03-24T06:19:15.3453795Z Agent name: 'Hosted Agent'
2022-03-24T06:19:15.3454214Z Agent machine name: 'fv-az302-918'
2022-03-24T06:19:15.3454415Z Current agent version: '2.200.2'
2022-03-24T06:19:15.3489951Z ##[group]Operating System
2022-03-24T06:19:15.3490207Z Ubuntu
2022-03-24T06:19:15.3490328Z 20.04.4
2022-03-24T06:19:15.3490443Z LTS
2022-03-24T06:19:15.3490575Z ##[endgroup]
2022-03-24T06:19:15.3490728Z ##[group]Virtual Environment
2022-03-24T06:19:15.3490908Z Environment: ubuntu-20.04
2022-03-24T06:19:15.3491089Z Version: 20220227.1
2022-03-24T06:19:15.3491394Z Included Software: https://github.com/actions/virtual-environments/blob/ubuntu20/20220227.1/images/linux/Ubuntu2004-Readme.md
2022-03-24T06:19:15.3491821Z Image Release: https://github.com/actions/virtual-environments/releases/tag/ubuntu20%2F20220227.1
2022-03-24T06:19:15.3492065Z ##[endgroup]
2022-03-24T06:19:15.3492234Z ##[group]Virtual Environment Provisioner
2022-03-24T06:19:15.3492559Z 1.0.0.0-main-20220307-1
2022-03-24T06:19:15.3492733Z ##[endgroup]
2022-03-24T06:19:15.3493511Z Current image version: '20220227.1'
2022-03-24T06:19:15.3495526Z Agent running as: 'vsts'
2022-03-24T06:19:15.3531320Z Prepare build directory.
2022-03-24T06:19:15.3756190Z Set build variables.
2022-03-24T06:19:15.3783118Z Download all required tasks.
2022-03-24T06:19:15.3875518Z Downloading task: PowerShell (2.200.0)
2022-03-24T06:19:16.2600374Z Downloading task: AzurePowerShell (5.198.0)
2022-03-24T06:19:16.9721911Z Downloading task: PublishBuildArtifacts (1.200.0)
2022-03-24T06:19:17.1335367Z Checking job knob settings.
2022-03-24T06:19:17.1344111Z    Knob: AgentToolsDirectory = /opt/hostedtoolcache Source: ${AGENT_TOOLSDIRECTORY} 
2022-03-24T06:19:17.1345759Z    Knob: AgentPerflog = /home/vsts/perflog Source: ${VSTS_AGENT_PERFLOG} 
2022-03-24T06:19:17.1347485Z Finished checking job knob settings.
2022-03-24T06:19:17.1662221Z Start tracking orphan processes.
2022-03-24T06:19:17.1836692Z ##[section]Finishing: Initialize job

And my bicep install step like this:

2022-03-24T06:19:22.4541732Z ##[section]Starting: Install Bicep
2022-03-24T06:19:22.4550424Z ==============================================================================
2022-03-24T06:19:22.4550707Z Task         : PowerShell
2022-03-24T06:19:22.4550950Z Description  : Run a PowerShell script on Linux, macOS, or Windows
2022-03-24T06:19:22.4551161Z Version      : 2.200.0
2022-03-24T06:19:22.4551349Z Author       : Microsoft Corporation
2022-03-24T06:19:22.4551617Z Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/powershell
2022-03-24T06:19:22.4551929Z ==============================================================================
2022-03-24T06:19:26.0622713Z Generating script.
2022-03-24T06:19:26.0655017Z ========================== Starting Command Output ===========================
2022-03-24T06:19:26.0662864Z [command]/usr/bin/pwsh -NoLogo -NoProfile -NonInteractive -Command . '/home/vsts/work/_temp/cd8f2c4a-b662-41ab-a08d-195509b4df8d.ps1'
2022-03-24T06:19:31.3049092Z   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
2022-03-24T06:19:31.3050630Z                                  Dload  Upload   Total   Spent    Left  Speed
2022-03-24T06:19:31.3051319Z 
2022-03-24T06:19:31.8282900Z   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
2022-03-24T06:19:31.8696123Z  74 32.2M   74 24.0M    0     0  46.0M      0 --:--:-- --:--:-- --:--:-- 45.9M
2022-03-24T06:19:31.8697426Z 100 32.2M  100 32.2M    0     0  57.0M      0 --:--:-- --:--:-- --:--:-- 56.9M
2022-03-24T06:19:32.9899048Z Bicep CLI version 0.4.1310 (78eca78aaf)
2022-03-24T06:19:34.0443027Z ##[section]Finishing: Install Bicep

I still get this in the "Testing Bicep Anonymous Build":

2022-03-24T06:19:34.0464496Z ##[section]Starting: Testing Bicep Anonymous Build
2022-03-24T06:19:34.0473425Z ==============================================================================
2022-03-24T06:19:34.0473694Z Task         : Azure PowerShell
2022-03-24T06:19:34.0473941Z Description  : Run a PowerShell script within an Azure environment
2022-03-24T06:19:34.0474151Z Version      : 5.198.0
2022-03-24T06:19:34.0474343Z Author       : Microsoft Corporation
2022-03-24T06:19:34.0474570Z Help         : https://aka.ms/azurepowershelltroubleshooting
2022-03-24T06:19:34.0474856Z ==============================================================================
2022-03-24T06:19:34.2390387Z Generating script.
2022-03-24T06:19:34.2428124Z [command]/usr/bin/pwsh -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command . '/home/vsts/work/_temp/665a514e-3c5b-4ac7-a22d-13fad385bc5f.ps1'
2022-03-24T06:19:34.2477615Z Saved!
2022-03-24T06:19:36.1112808Z ##[command]Import-Module -Name /usr/share/az_7.1.0/Az.Accounts/2.7.2/Az.Accounts.psd1 -Global
2022-03-24T06:19:37.8777553Z ##[command]Clear-AzContext -Scope Process
2022-03-24T06:19:39.3986768Z ##[command]Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue
2022-03-24T06:19:41.0849975Z ##[command]Connect-AzAccount -ServicePrincipal -Tenant afb44933-6f23-4ce6-aa71-49d3b8a53baf -Credential System.Management.Automation.PSCredential -Environment AzureCloud @processScope
2022-03-24T06:19:42.7570496Z ##[command] Set-AzContext -SubscriptionId <My sub> -TenantId <Same tenant as the CR resides in>
2022-03-24T06:19:43.6467108Z Experimental feature is: True
2022-03-24T06:19:43.6481276Z Before
2022-03-24T06:19:43.6525689Z 
2022-03-24T06:19:43.6620263Z action.yaml
2022-03-24T06:19:43.6621525Z azure-pipelines.yml
2022-03-24T06:19:43.6622062Z bicepconfig.json
2022-03-24T06:19:43.6622535Z main.bicep
2022-03-24T06:19:43.6622985Z smoketest.yaml
2022-03-24T06:19:59.5594705Z /home/vsts/work/1/s/main.bicep(9,11) : Error BCP192: Unable to restore the module with reference "br:ateabicepcr.azurecr.io/p/storageaccount:1.1": Unhandled exception: Azure.RequestFailedException: Service request failed.
2022-03-24T06:19:59.5597561Z Status: 403 (Forbidden)
2022-03-24T06:19:59.5598222Z 
2022-03-24T06:19:59.5601630Z Content:
2022-03-24T06:19:59.5605609Z {"errors":[{"code":"DENIED","message":"retrieving permissions failed"}]}
2022-03-24T06:19:59.5606106Z 
2022-03-24T06:19:59.5606598Z Headers:
2022-03-24T06:19:59.5607079Z Server: openresty
2022-03-24T06:19:59.5607653Z Date: Thu, 24 Mar 2022 06:19:59 GMT
2022-03-24T06:19:59.5608823Z Connection: keep-alive
2022-03-24T06:19:59.5609723Z X-Ms-Correlation-Request-Id: 0d55e4e5-2fb4-444a-9980-ce3fa4c8dfda
2022-03-24T06:19:59.5610618Z x-ms-ratelimit-remaining-calls-per-second: 166.65
2022-03-24T06:19:59.5611410Z Strict-Transport-Security: REDACTED
2022-03-24T06:19:59.5613932Z Content-Type: application/json
2022-03-24T06:19:59.5614491Z Content-Length: 72
2022-03-24T06:19:59.5614625Z 
2022-03-24T06:19:59.5615204Z    at Azure.Containers.ContainerRegistry.AuthenticationRestClient.ExchangeAadAccessTokenForAcrRefreshTokenAsync(String service, String accessToken, CancellationToken cancellationToken)
2022-03-24T06:19:59.5616220Z    at Azure.Containers.ContainerRegistry.ContainerRegistryRefreshTokenCache.GetRefreshTokenFromCredentialAsync(TokenRequestContext context, String service, Boolean async, CancellationToken cancellationToken)
2022-03-24T06:19:59.5617209Z    at Azure.Containers.ContainerRegistry.ContainerRegistryRefreshTokenCache.GetAcrRefreshTokenAsync(HttpMessage message, TokenRequestContext context, String service, Boolean async)
2022-03-24T06:19:59.5618345Z    at Azure.Containers.ContainerRegistry.ContainerRegistryRefreshTokenCache.GetAcrRefreshTokenAsync(HttpMessage message, TokenRequestContext context, String service, Boolean async)
2022-03-24T06:19:59.5619255Z    at Azure.Containers.ContainerRegistry.ContainerRegistryChallengeAuthenticationPolicy.AuthorizeRequestOnChallengeAsyncInternal(HttpMessage message, Boolean async)
2022-03-24T06:19:59.5620207Z    at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
2022-03-24T06:19:59.5620904Z    at Azure.Core.Pipeline.RedirectPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
2022-03-24T06:19:59.5621575Z    at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
2022-03-24T06:19:59.5622236Z    at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
2022-03-24T06:19:59.5622999Z    at Azure.Containers.ContainerRegistry.ContainerRegistryRestClient.GetManifestAsync(String name, String reference, String accept, CancellationToken cancellationToken)
2022-03-24T06:19:59.5623950Z    at Azure.Containers.ContainerRegistry.Specialized.ContainerRegistryBlobClient.DownloadManifestAsync(DownloadManifestOptions options, CancellationToken cancellationToken)
2022-03-24T06:19:59.5624720Z    at Bicep.Core.Registry.AzureContainerRegistryManager.DownloadManifestAsync(OciArtifactModuleReference moduleReference, ContainerRegistryBlobClient client)
2022-03-24T06:19:59.5625697Z    at Bicep.Core.Registry.AzureContainerRegistryManager.PullArtifactAsync(RootConfiguration configuration, OciArtifactModuleReference moduleReference)
2022-03-24T06:19:59.5626385Z    at Bicep.Core.Registry.OciModuleRegistry.TryPullArtifactAsync(RootConfiguration configuration, OciArtifactModuleReference reference)
2022-03-24T06:19:59.5689986Z �[32;1mPath�[0m
2022-03-24T06:19:59.5690418Z �[32;1m----�[0m
2022-03-24T06:19:59.5690640Z /home/vsts/work/1/s
2022-03-24T06:19:59.5690852Z After
2022-03-24T06:19:59.5765641Z action.yaml
2022-03-24T06:19:59.5766559Z azure-pipelines.yml
2022-03-24T06:19:59.5767005Z bicepconfig.json
2022-03-24T06:19:59.5767393Z main.bicep
2022-03-24T06:19:59.5767782Z smoketest.yaml
2022-03-24T06:19:59.5771142Z Builded JSON file:
2022-03-24T06:19:59.7256143Z �[91mGet-Content: �[0m/home/vsts/work/_temp/665a514e-3c5b-4ac7-a22d-13fad385bc5f.ps1:13
2022-03-24T06:19:59.7257258Z �[96mLine |
2022-03-24T06:19:59.7257926Z �[96m  13 | �[0m �[96mGet-Content -LiteralPath 'main.json' -Raw�[0m
2022-03-24T06:19:59.7258639Z �[96m     | �[91m ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2022-03-24T06:19:59.7259372Z �[91m�[96m     | �[91mCannot find path 'main.json' because it does not exist.
2022-03-24T06:19:59.7259876Z �[0m
2022-03-24T06:19:59.8031889Z ##[error]PowerShell exited with code '1'.
2022-03-24T06:19:59.8053920Z ##[section]Finishing: Testing Bicep Anonymous Build

The only difference seems to be the serviceconnection. You target a different tenant then I do and the tenant I target is the same tenant as the container registry resides in.

[slapointe]

Also, can you make sure you're running on the latest release: https://github.com/Azure/bicep/releases/tag/v0.4.1318

You seems to be running not an official release, is this a nightly build or something?

I've added another registry that is in my tenant in my bicepconfig.json and main.bicep file. It still works for me.

Did you tried a brand new container registry, with standard sku and anonymous access turned on and/or a new service connection?

Sidenote, you don't need the experimental flag anymore.

[slapointe]

@Agazoth One thing I could see looking at the source code is that we fallback with the anonymous client when we hit a 401 (Unauthorized). You hit a 403 (Forbidden)

403 Definition: "The request contained valid data and was understood by the server, but the server is refusing action."

Could you verify that you maybe in a situation like this: the service connection credentials are valid for AAD auth but the service connection do not have proper access to your ACR (if we don't mind anonymous access) ?

If so, it is a bug and a scenario we do not yet support.

[Agazoth]

@slapointe - I get the same results with 1318.

Could you verify that you maybe in a situation like this: the service connection credentials are valid for AAD auth but the service connection do not have proper access to your ACR (if we don't mind anonymous access) ?

This is exactly the case. The serviceprincipal used for the serviceconnection does not have ARC pull and resides in the same tenant as the container registry (valid for AAD auth).

[slapointe]

Got it. It should be a quick fix to implement.

Meanwhile, you have a workaround by giving the proper access to the service principal that is used in your service connection.