ACR expansion 401 error

[riosengineer]

Hi all,

Hoping someone can nudge me in the right direction here as I've hit a brick wall on this one.

I've got this working in my lab with all the same configuration settings & SPN but in my main Azure DevOps project the analysis task gives a 401 unauthorized error and I can't figure out why. I don't know what context it's trying to use in the PSRule task, and even with audit logging turned on my ACR I can't see it being queried to understand that side better.

• Service principal object has AcrPull RBAC & I can log in via CLI and query & pull via my SPN so I know the issue isn't on this end.
• The validation pipeline job shows the 'Pre-job: Download secrets: keyvault name' & successful 'Download secrets: keyvault name'
• Turned shallow fetch off in the YAML tab in the ADO GUI

Pipeline task (sanitised variables group & env names):

- job: 'PSRuleAnalysis'
    displayName: "Run PSRule analysis"
    dependsOn: BicepValidation
    variables:
    - group: keyvaultname
    pool:
      vmImage: $(vmImageName)  
    steps:
    - task: bewhite.ps-rule.assert.ps-rule-assert@2
      inputs:
        source: "$(System.DefaultWorkingDirectory)/ps-rule.yaml"
        modules: PSRule.Rules.Azure, PSRule.Rules.CAF, PSRule.Rules.Kubernetes
        outputFormat: NUnit3
        outputPath: "reports/ps-rule-results.xml"
      env:
        AZURE_CLIENT_ID: $(spn-)
        AZURE_CLIENT_SECRET: $(spn-secret)
        AZURE_TENANT_ID: $(tenant)

bicepconfig.json in root of repo:

{
  "credentialPrecedence": [
    "Environment",
    "AzureCLI",
    "AzurePowerShell"
  ]
}

psruleassert log:

Status: 401 (Unauthorized)
Content:
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required, visit https://aka.ms/acr/authorization for more information."}]}
Headers:
Server: openresty
Date: Wed, 26 Apr 2023 10:32:35 GMT
Connection: keep-alive
X-Ms-Correlation-Request-Id: 1c8dd837-2f74-47f1-ab84-ce66b260cd10
x-ms-ratelimit-remaining-calls-per-second: 166.65
Strict-Transport-Security: REDACTED
Content-Type: text/plain; charset=utf-8
Content-Length: 134
/home/vsts/work/1/s/bicep/alz_platform/subscriptionPlacement.bicep(27,25) : Error BCP192: Unable to restore the module with reference "br:sanitised.azurecr.io/bicep/modules/subscriptionplacement:2023-04-19": Service request failed.

I've gone over this helpful troubleshooting page(s) but everything seems in-check https://github.com/Azure/PSRule.Rules.Azure/blob/main/docs/troubleshooting.md
https://github.com/Azure/PSRule.Rules.Azure/blob/main/docs/using-bicep.md#configure-bicepconfigjson

Has anyone had any similar run-ins who could point me in the right direction, or any solutions? It's almost like it's not respecting the env variables. I've checked the YAML syntax for odd spaces and looks ok to me.

Any help is appreciated! Thanks

[BernieWhite]

@riosengineer Your configuration looks good. I assume AZURE_CLIENT_ID: $(spn-) is just sanitized. Otherwise the trailing - might be an issue.

Thoughts that might help with your further troubleshooting:

• If your ACR is using private endpoints then if you don't have access to the private endpoint you can get an unauthorized error. Try running on a self-hosted agent with network access to the endpoint if this is the case instead of the Microsoft hosted workers.
• Double check the version of Bicep you are using. Sometimes different agents have different versions, and older versions do have some issues with certain authentication scenarios. Ideally use a minimum of 0.16.x. You can set the minimum version here: https://azure.github.io/PSRule.Rules.Azure/setup/setup-bicep/#checking-bicep-version. This won't install the latest version but it will error if an older version is used.
• You can double check the environment variables within the PSRule context by logging them out using a convention. To do this:

1. Create a Convention.Rule.ps1 in the .ps-rule/ path within the root of your repository.
2. Add the following content.

Export-PSRuleConvention 'LogVariables' -Initialize {
  Write-Host "Using AZURE_CLIENT_ID: $($Env:AZURE_CLIENT_ID)"
  Write-Host "Using AZURE_TENANT_ID: $($Env:AZURE_TENANT_ID)"
}

3. Update your pipeline code to:

- job: 'PSRuleAnalysis'
    displayName: "Run PSRule analysis"
    dependsOn: BicepValidation
    variables:
    - group: keyvaultname
    pool:
      vmImage: $(vmImageName)  
    steps:
    - task: bewhite.ps-rule.assert.ps-rule-assert@2
      inputs:
        source: "$(System.DefaultWorkingDirectory)/ps-rule.yaml"
        modules: PSRule.Rules.Azure, PSRule.Rules.CAF, PSRule.Rules.Kubernetes
        outputFormat: NUnit3
        outputPath: "reports/ps-rule-results.xml"
        conventions: LogVariables
      env:
        AZURE_CLIENT_ID: $(spn-)
        AZURE_CLIENT_SECRET: $(spn-secret)
        AZURE_TENANT_ID: $(tenant)

---

Hopefully that helps.

[riosengineer]

Thank you @BernieWhite! The conventions script and context looks like it will be useful to get to the bottom of my issue, will check this out and see how I get on.

[riosengineer]

I finally got this working. Turns out, I have to include this into the bicepconfig.json for it to work:

  "experimentalFeaturesEnabled": {
    "IncludeAllAccessibleAzureContainerRegistriesForCompletions": true
    }
}

So not a PSRule issue, apologies! But thank you anyway for your detailed reply Bernie!

[BernieWhite]

@riosengineer No worries. We haven't see this before. What Bicep version are you using for reference?

Also might be worth logging an issue over on the Bicep repository (https://github.com/Azure/bicep/issues) because I don't think this is intended behaviour.

[riosengineer]

@BernieWhite I've specified 0.16.2 in my ps-rule.yaml and the pipeline logs show its using that as well. So maybe you're right there, potential issue. I'll check my VSCode extension settings as I'm sure there was a tick box for this experimental feature flag but I thought it had been released a few weeks back.