Description
Describe the bug
It is not possible to reach the ACR from an AKS pod when using Workload Identity to log in.
A case was opened with Microsoft; they identified the issue and asked me to report it as a bug here.
"This is a CLI bug, as the request is not landing on ARM or ACR.
The way the subscription cache is handled in the CLI, it is only refreshed when the CLI performs a cloud login (az login). The workload identity 'login' might not be refreshing this cache, and because the CLI is not sending a request to obtain a refreshed list of subscriptions, the request fails locally without attempting to do the purge.
They would need to create an issue in the azure/cli GitHub for this to be addressed: Issues · Azure/azure-cli (github.com).
Please add the details that we have discussed:
- the behavior is different when using user credentials vs. using workload identity
- the subscription/resource query is not reaching ARM or ACR"
"this code calls this code; the handling of how the subscriptions are cached locally is the issue, as the client is not trying to fetch the subscriptions from ARM (it only tries locally), after which the call fails"
Related command
The command used to authenticate to Azure:
az login --federated-token "$(cat "$AZURE_FEDERATED_TOKEN_FILE")" --service-principal -u "$AZURE_CLIENT_ID" -t "$AZURE_TENANT_ID" --allow-no-subscriptions
The commands used to clean up some old images in the ACR:
REPOS=$(az acr repository list -n "${REGISTRY}" -o table | tail -n +3 | grep -v helm)
for REPO in $REPOS; do
  COMMAND="acr purge --ago 30d --filter '${REPO}:^[A-Fa-f0-9]{8,}$' --keep 5 --untagged"
  az acr run --cmd "${COMMAND}" --registry "${REGISTRY}" --timeout 3600 /dev/null
done
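The same login-then-purge procedure as an added example (not code from the issue), written so that it stops with a clear message when the workload-identity login leaves the CLI's subscription cache empty, which is the state the debug output in this issue shows (`{"value":[]}`) before the misleading "could not be found in subscription ''" error. It assumes REGISTRY and the AZURE_* variables are set in the pod environment and that `az` is installed; the actual Azure calls only run when RUN_CLEANUP=1, so the file can be sourced for its functions alone.

```bash
#!/usr/bin/env bash
# Added example, not code from the issue: log in with workload identity, then
# refuse to run any ACR command if the CLI's subscription cache is empty.
# Assumes REGISTRY, AZURE_CLIENT_ID, AZURE_TENANT_ID and
# AZURE_FEDERATED_TOKEN_FILE are set in the pod environment.
set -eu

# Succeeds if the text (one subscription id per line, as produced by
# `az account list -o tsv --query '[].id'`) contains at least one entry.
has_subscriptions() {
    printf '%s\n' "$1" | grep -q '[^[:space:]]'
}

# Builds the purge task for one repository: drop untagged manifests and
# digest-like tags (8+ hex chars) older than 30 days, keeping the newest 5.
purge_cmd() {
    printf "acr purge --ago 30d --filter '%s:^[A-Fa-f0-9]{8,}\$' --keep 5 --untagged" "$1"
}

run_cleanup() {
    az login --service-principal \
        --federated-token "$(cat "$AZURE_FEDERATED_TOKEN_FILE")" \
        -u "$AZURE_CLIENT_ID" -t "$AZURE_TENANT_ID" \
        --allow-no-subscriptions --output none

    # The check the ACR commands do not make for us: with an empty cache the
    # registry lookup fails locally with a "could not be found in
    # subscription ''" error instead of saying the cache is empty.
    local subs
    subs="$(az account list -o tsv --query '[].id')"
    if ! has_subscriptions "$subs"; then
        echo "login succeeded but no subscription is cached; aborting" >&2
        return 1
    fi

    # Repository names one per line (tsv, no table header); skip helm charts.
    local repo
    for repo in $(az acr repository list -n "$REGISTRY" -o tsv | grep -v helm); do
        az acr run --cmd "$(purge_cmd "$repo")" --registry "$REGISTRY" \
            --timeout 3600 /dev/null
    done
}

# Only talk to Azure when explicitly asked.
if [ "${RUN_CLEANUP:-0}" = "1" ]; then
    run_cleanup
fi
```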
Errors
The resource with name '' and type 'Microsoft.ContainerRegistry/registries' could not be found in subscription ''.
Issue script & Debug output
cli.azure.cli.core.sdk.policies: {"value":[]}
cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "/usr/lib/python3.10/site-packages/knack/cli.py", line 233, in invoke
cmd_result = self.invocation.execute(args)
File "/usr/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 663, in execute
raise ex
File "/usr/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
results.append(self._run_job(expanded_arg, cmd_copy))
File "/usr/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 697, in _run_job
result = cmd_copy(params)
File "/usr/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 333, in __call__
return self.handler(*args, **kwargs)
File "/usr/lib/python3.10/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
return op(**command_args)
File "/usr/lib/python3.10/site-packages/azure/cli/command_modules/acr/run.py", line 45, in acr_run
_, resource_group_name = validate_managed_registry(
File "/usr/lib/python3.10/site-packages/azure/cli/command_modules/acr/_utils.py", line 143, in validate_managed_registry
registry, resource_group_name = get_registry_by_name(
File "/usr/lib/python3.10/site-packages/azure/cli/command_modules/acr/_utils.py", line 109, in get_registry_by_name
resource_group_name = get_resource_group_name_by_registry_name(
File "/usr/lib/python3.10/site-packages/azure/cli/command_modules/acr/_utils.py", line 88, in get_resource_group_name_by_registry_name
arm_resource = _arm_get_resource_by_name(
File "/usr/lib/python3.10/site-packages/azure/cli/command_modules/acr/_utils.py", line 55, in _arm_get_resource_by_name
raise ResourceNotFound(
azure.cli.command_modules.acr._utils.ResourceNotFound: The resource with name 'acr' and type 'Microsoft.ContainerRegistry/registries' could not be found in subscription 'subscription'.
Expected behavior
Authenticate and run the ACR cleanup commands without problems.
Environment Summary
az --version
azure-cli 2.45.0 *
core 2.45.0 *
telemetry 1.0.8 *
Dependencies:
msal 1.20.0
azure-mgmt-resource 21.1.0b1
Additional context
No response