New issue checklist
Task name
Docker@2
Task version
2
Issue Description
We have an Azure DevOps pipeline like the one below. However, the last step is failing because docker is able to push the image. It should not be able to push the image since we are using a service connection using a Service Principal that only has read & pull access to the ACR.
I ran the same code (the last step only) by logging in with the same service principal as the service connection above on my local machine, and the push fails the way it is supposed to. The code below was working correctly until the 17th of April and started failing after that. We have not made any code changes.
```yaml
- task: Docker@2
  displayName: "${{replace(parameters.azureContainerRegistry,'.azurecr.io','') }}: Pushing Test Docker Image"
  inputs:
    containerRegistry: ${{ parameters.serviceConnectionPush }}
    command: 'push'
    repository: '${{ parameters.imageFolder }}/${{ parameters.imageName }}'
    tags: |
      $(imagetag)
- task: Docker@2
  displayName: "${{replace(parameters.azureContainerRegistry,'.azurecr.io','')}}: Login with Pull Service Connection"
  inputs:
    containerRegistry: ${{ parameters.serviceConnectionPull }}
    command: 'login'
- script: |
    set -eou pipefail
    echo Testing Pull
    docker pull '${{parameters.azureContainerRegistry}}/${{ parameters.imageFolder }}/${{ parameters.imageName }}:$(imagetag)'
    echo Testing Push
    if docker push '${{parameters.azureContainerRegistry}}/${{ parameters.imageFolder }}/${{ parameters.imageName }}:$(imagetag)' ; then
      echo "The docker push should not work, since docker is authenticated using the pull service connection."
      exit 1
    else
      echo "Docker Push failed as expected (pull service connection)"
    fi
  displayName: "${{replace(parameters.azureContainerRegistry,'.azurecr.io','') }}: Testing Pull Service Connection"
```
The roles the SP has for the ACR
The code result in local machine
I tried adding a Docker@2 logout step in between push & login. Even that did not help.
Environment type (Please select at least one environment where you face this issue)
Azure DevOps Server type
dev.azure.com (formerly visualstudio.com)
Azure DevOps Server Version (if applicable)
No response
Operation system
Ubuntu
Relevant log output
```
The push refers to repository [abc.azurecr.io/abc/testing/serviceconnectionpushtest]
20260428095211: digest: sha256:sdasdasdsadsadsadsadsadsadsadsadsad size: 304
```
Full task logs with system.debug enabled
No response
Repro steps
```yaml
- task: Docker@2
  displayName: "${{replace(parameters.azureContainerRegistry,'.azurecr.io','') }}: Pushing Test Docker Image"
  inputs:
    containerRegistry: ${{ parameters.serviceConnectionPush }}
    command: 'push'
    repository: '${{ parameters.imageFolder }}/${{ parameters.imageName }}'
    tags: |
      $(imagetag)
- task: Docker@2
  displayName: "${{replace(parameters.azureContainerRegistry,'.azurecr.io','')}}: Login with Pull Service Connection"
  inputs:
    containerRegistry: ${{ parameters.serviceConnectionPull }}
    command: 'login'
- script: |
    set -eou pipefail
    echo Testing Pull
    docker pull '${{parameters.azureContainerRegistry}}/${{ parameters.imageFolder }}/${{ parameters.imageName }}:$(imagetag)'
    echo Testing Push
    if docker push '${{parameters.azureContainerRegistry}}/${{ parameters.imageFolder }}/${{ parameters.imageName }}:$(imagetag)' ; then
      echo "The docker push should not work, since docker is authenticated using the pull service connection."
      exit 1
    else
      echo "Docker Push failed as expected (pull service connection)"
    fi
  displayName: "${{replace(parameters.azureContainerRegistry,'.azurecr.io','') }}: Testing Pull Service Connection"
```
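A diagnostic for the negative push test above, added here as an example and not part of the original issue or the Docker@2 task: it reports which identity a Docker `config.json` holds for the registry, so the test can confirm the pull principal is the one in use before attempting the push. It assumes the standard Docker `config.json` layout; the function names are hypothetical, and the app IDs and secret are constructed sample values.

```python
import base64
import json

PUSH_SP = "11111111-1111-1111-1111-111111111111"  # constructed app ID
PULL_SP = "22222222-2222-2222-2222-222222222222"  # constructed app ID


def stored_identity(config_text, registry):
    """Return (source, username) Docker holds for `registry` in a config.json."""
    cfg = json.loads(config_text)
    helper = cfg.get("credHelpers", {}).get(registry)
    if helper:  # secret lives in an external helper, not in this file
        return ("credHelper:" + helper, None)
    for key, entry in cfg.get("auths", {}).items():
        # Keys may be a bare host or a URL such as https://host/v1/
        host = key.split("://", 1)[-1].split("/", 1)[0].lower()
        if host != registry.lower():
            continue
        if entry.get("auth"):
            decoded = base64.b64decode(entry["auth"]).decode("utf-8", "replace")
            return ("auths", decoded.split(":", 1)[0])
        if cfg.get("credsStore"):  # entry is a stub; secret is in the store
            return ("credsStore:" + cfg["credsStore"], None)
        return ("auths-empty", None)
    return ("none", None)


def is_expected_identity(config_text, registry, expected_user):
    """True only when the file itself proves `expected_user` is logged in."""
    source, user = stored_identity(config_text, registry)
    return source == "auths" and user == expected_user


def sample_config(user):
    """Constructed config.json with an inline credential for abc.azurecr.io."""
    token = base64.b64encode((user + ":placeholder-secret").encode()).decode()
    return json.dumps({"auths": {"abc.azurecr.io": {"auth": token}}})


if __name__ == "__main__":
    cfg = sample_config(PUSH_SP)  # simulates a leftover push login
    print(stored_identity(cfg, "abc.azurecr.io"))
    print("pull identity active:", is_expected_identity(cfg, "abc.azurecr.io", PULL_SP))
```

In a pipeline step the input would be the contents of `$DOCKER_CONFIG/config.json` when that variable is set, otherwise `~/.docker/config.json`.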