[ACR] az acr tasks create | update, az acr build | run: Add ABAC support for ACR Tasks

Author: lizMSFT

src/azure-cli-core/azure/cli/core/profiles/_shared.py

@@ -195,11 +195,11 @@ def default_api_version(self):
             'role_definitions': '2022-05-01-preview',
             'provider_operations_metadata': '2018-01-01-preview'
         }),
-        ResourceType.MGMT_CONTAINERREGISTRY: SDKProfile('2023-11-01-preview', {
-            'agent_pools': '2019-06-01-preview',
-            'tasks': '2019-06-01-preview',
-            'task_runs': '2019-06-01-preview',
-            'runs': '2019-06-01-preview',
+        ResourceType.MGMT_CONTAINERREGISTRY: SDKProfile('2025-03-01-preview', {
+            'agent_pools': '2025-03-01-preview',
+            'tasks': '2025-03-01-preview',
+            'task_runs': '2025-03-01-preview',
+            'runs': '2025-03-01-preview',
             'network_rule': '2021-08-01-preview',
             'cache_rules': '2023-01-01-preview',
             'credential_sets': '2023-01-01-preview'
@@ -439,6 +439,7 @@ def default_api_version(self):
         'VERSION_2021_08_01_PREVIEW': "2021-08-01-preview",
         'VERSION_2022_02_01_PREVIEW': "2022-02-01-preview",
         'VERSION_2023_11_01_PREVIEW': "2023-11-01-preview",
+        'VERSION_2025_03_01_PREVIEW': "2025-03-01-preview",
     },
     ResourceType.MGMT_CONTAINERSERVICE: {
         # src/azure-cli/azure/cli/command_modules/acs/tests/latest/test_custom.py:50

src/azure-cli/azure/cli/command_modules/acr/_client_factory.py

@@ -11,6 +11,7 @@
 VERSION_2021_08_01_PREVIEW = "2021-08-01-preview"
 VERSION_2022_02_01_PREVIEW = "2022-02-01-preview"
 VERSION_2023_01_01_PREVIEW = "2023-01-01-preview"
+VERSION_2025_03_01_PREVIEW = "2025-03-01-preview"
 
 
 def get_acr_service_client(cli_ctx, api_version=None):
@@ -37,7 +38,7 @@ def cf_acr_network_rules(cli_ctx, *_):
 
 
 def cf_acr_registries_tasks(cli_ctx, *_):
-    return get_acr_service_client(cli_ctx, api_version=VERSION_2019_06_01_PREVIEW).registries
+    return get_acr_service_client(cli_ctx, api_version=VERSION_2025_03_01_PREVIEW).registries
 
 
 def cf_acr_replications(cli_ctx, *_):
@@ -53,15 +54,15 @@ def cf_acr_private_endpoint_connections(cli_ctx, *_):
 
 
 def cf_acr_tasks(cli_ctx, *_):
-    return get_acr_service_client(cli_ctx, VERSION_2019_06_01_PREVIEW).tasks
+    return get_acr_service_client(cli_ctx, VERSION_2025_03_01_PREVIEW).tasks
 
 
 def cf_acr_taskruns(cli_ctx, *_):
-    return get_acr_service_client(cli_ctx, VERSION_2019_06_01_PREVIEW).task_runs
+    return get_acr_service_client(cli_ctx, VERSION_2025_03_01_PREVIEW).task_runs
 
 
 def cf_acr_runs(cli_ctx, *_):
-    return get_acr_service_client(cli_ctx, VERSION_2019_06_01_PREVIEW).runs
+    return get_acr_service_client(cli_ctx, VERSION_2025_03_01_PREVIEW).runs
 
 
 def cf_acr_scope_maps(cli_ctx, *_):
@@ -77,7 +78,7 @@ def cf_acr_token_credentials(cli_ctx, *_):
 
 
 def cf_acr_agentpool(cli_ctx, *_):
-    return get_acr_service_client(cli_ctx, VERSION_2019_06_01_PREVIEW).agent_pools
+    return get_acr_service_client(cli_ctx, VERSION_2025_03_01_PREVIEW).agent_pools
 
 
 def cf_acr_connected_registries(cli_ctx, *_):

src/azure-cli/azure/cli/command_modules/acr/_help.py

@@ -37,6 +37,9 @@
   - name: Queue a local context as a Linux build on arm/v7 architecture, tag it, and push it to the registry.
     text: >
         az acr build -t sample/hello-world:{{.Run.ID}} -r myregistry . --platform linux/arm/v7
+  - name: Queue a local context as a Linux build, tag it, and push it to the ABAC-based Repository Permission enabled registry and use the caller's Entra identity to authenticate with the source registry.  
+    text: >
+        az acr build -t sample/hello-world:{{.Run.ID}} -r myregistry . --source-registry-auth-id [caller]
 """
 
 helps['acr check-health'] = """
@@ -806,6 +809,9 @@
   - name: Queue a remote OCI Artifact context and runs the task.
     text: >
         az acr run -r myregistry oci://myregistry.azurecr.io/myartifact:mytag -f hello-world.yaml
+  - name: Queue a run to execute a container command in an ABAC-based Repository Permission enabled registry and use the caller's Entra identity to authenticate with the source registry.  
+    text: >
+        az acr run -r myregistry --cmd '$Registry/myimage' /dev/null --source-registry-auth-id [caller]
 """
 
 helps['acr scope-map'] = """
@@ -938,6 +944,12 @@
             --pull-request-trigger-enabled true --schedule "dailyTimer:0 12 * * Mon-Fri" \\
             -c https://github.com/Azure-Samples/acr-tasks.git#:multipleRegistries -f testtask.yaml \\
             --assign-identity [system] "/subscriptions/<subscriptionId>/resourcegroups/<myResourceGroup>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<myUserAssignedIdentitiy>"
+  - name: Create a task without the source location in an ABAC-based Repository Permission registry and specify a system-assigned MI used for auth with the source registry.
+      text: >
+          az acr task create -n hello-world -r myregistry --cmd '$Registry/myimage' -c /dev/null --source-registry-auth-id [system]
+  - name: Create a task without the source location in an ABAC-based Repository Permission registry and specify a user-assigned MI used for auth with the source registry.
+      text: >
+          az acr task create -n hello-world -r myregistry --cmd '$Registry/myimage' -c /dev/null --source-registry-auth-id 00000000-0000-0000-0000-000000000000
 """
 
 helps['acr task credential'] = """

src/azure-cli/azure/cli/command_modules/acr/_params.py

@@ -306,6 +306,7 @@ def load_arguments(self, _):  # pylint: disable=too-many-statements
         c.argument('set_secret', help="Secret value in '--set name[=value]' format. Multiples supported by passing --set multiple times.", action='append', validator=validate_set_secret)
         c.argument('agent_pool_name', options_list=['--agent-pool'], help='The name of the agent pool.', is_preview=True)
         c.argument('log_template', options_list=['--log-template'], help="The repository and tag template for run log artifact using the format: 'log/repo:tag' (e.g., 'acr/logs:{{.Run.ID}}'). Only applicable to CMK enabled registry.", is_preview=True)
+        c.argument('source_registry_auth_id', arg_type=get_enum_type(["[caller]", "none"]), help="Assigns the identity used for source registry login. Use '[caller]' for caller identity.")
 
     with self.argument_context('acr pack build') as c:
         c.argument('registry_name', options_list=['--registry', '-r'])
@@ -325,6 +326,7 @@ def load_arguments(self, _):  # pylint: disable=too-many-statements
         c.argument('secret_arg', options_list=['--secret-build-arg'], help="Secret build argument in '--secret-build-arg name[=value]' format. Multiples are supported by passing '--secret-build-arg name[=value]' multiple times. This parameter value is not surfaced to the ACR team and is more suitable for sensitive information.", action='append', validator=validate_secret_arg)
         c.argument('agent_pool_name', options_list=['--agent-pool'], help='The name of the agent pool.', is_preview=True)
         c.argument('log_template', options_list=['--log-template'], help="The repository and tag template for run log artifact using the format: 'log/repo:tag' (e.g., 'acr/logs:{{.Run.ID}}'). Only applicable to CMK enabled registry.", is_preview=True)
+        c.argument('source_registry_auth_id', arg_type=get_enum_type(["[caller]", "none"]), help="Assigns the identity used for source registry login. Use '[caller]' for caller identity.")
 
     with self.argument_context('acr task') as c:
         c.argument('registry_name', options_list=['--registry', '-r'])
@@ -374,6 +376,10 @@ def load_arguments(self, _):  # pylint: disable=too-many-statements
 
     with self.argument_context('acr task create') as c:
         c.argument('task_name', completer=None)
+        c.argument('source_registry_auth_id', help="Assigns the managed identity used for source registry login. Use '[system]' to refer to the system-assigned identity or a client ID to refer to a user-assigned managed identity.")
+
+    with self.argument_context('acr task update') as c:
+        c.argument('source_registry_auth_id', help="Assigns the managed identity used for source registry login. Use '[system]' to refer to the system-assigned identity or a client ID to refer to a user-assigned managed identity.")
 
     with self.argument_context('acr task identity') as c:
         c.argument('identities', options_list=['--identities'], nargs='*', help="Assigns managed identities to the task. Use '[system]' to refer to the system-assigned identity or a resource ID to refer to a user-assigned identity.")

src/azure-cli/azure/cli/command_modules/acr/_utils.py

@@ -281,24 +281,37 @@ def get_custom_registry_credentials(cmd,
                                     username=None,
                                     password=None,
                                     identity=None,
-                                    is_remove=False):
+                                    is_remove=False,
+                                    source_registry_auth_id=None,
+                                    registry_abac_enabled=False):
     """Get the credential object from the input
     :param str auth_mode: The login mode for the source registry
     :param str login_server: The login server of custom registry
     :param str username: The username for custom registry (plain text or a key vault secret URI)
     :param str password: The password for custom registry (plain text or a key vault secret URI)
     :param str identity: The task managed identity used for the credential
+    :param str source_registry_auth_id: the managed identity used for the source registry authentication
+    :param bool registry_abac_enabled: whether the registry is ABAC-enabled
     """
     Credentials, CustomRegistryCredentials, SourceRegistryCredentials, SecretObject, \
         SecretObjectType = cmd.get_models(
             'Credentials', 'CustomRegistryCredentials', 'SourceRegistryCredentials', 'SecretObject',
             'SecretObjectType',
             operation_group='tasks')
 
+    # "Default" and "None" are the allowed values for source registry auth mode.
+    # For a non-ABAC-enabled registry, "--source-registry-auth-id" will not take effect, and authentication
+    # will fail if the auth mode is "None". Therefore, we need to throw an error here.
+    if not registry_abac_enabled and auth_mode and auth_mode.lower() == "none" and source_registry_auth_id:
+        raise CLIError('Error: Conflicting Authentication Parameters for Task Access to Source Registry. Task authentication mode for source registry access is set to "None," but an identity was provided for authentication. Remove the identity or update the authentication mode to resolve this conflict.')
+
     source_registry_credentials = None
+    # Need to differentiate between the string "None" and the None value for auth_mode
     if auth_mode:
         source_registry_credentials = SourceRegistryCredentials(
-            login_mode=auth_mode)
+            login_mode=auth_mode, identity=source_registry_auth_id)
+    elif source_registry_auth_id: # auth_mode is None at this point
+        source_registry_credentials = SourceRegistryCredentials(identity=source_registry_auth_id)
 
     custom_registries = None
     if login_server:
@@ -603,3 +616,7 @@ def get_task_details_by_name(cli_ctx, resource_group_name, registry_name, task_n
     from ._client_factory import cf_acr_tasks
     client = cf_acr_tasks(cli_ctx)
     return client.get_details(resource_group_name, registry_name, task_name)
+
+def check_auth_mode_for_abac(registry_abac_enabled, auth_mode):
+    if registry_abac_enabled and auth_mode is not None:
+        logger.warning("The --auth-mode flag is deprecated for specifying access to an ABAC-enabled source registry. Please use --source-registry-auth-id to specify an Entra identity for use in accessing an ABAC-enabled source registry." )

src/azure-cli/azure/cli/command_modules/acr/build.py

@@ -13,7 +13,7 @@
 from knack.util import CLIError
 from azure.cli.core.commands import LongRunningOperation
 
-from ._utils import validate_managed_registry, get_validate_platform, get_custom_registry_credentials
+from ._utils import check_auth_mode_for_abac, validate_managed_registry, get_validate_platform, get_custom_registry_credentials
 from ._stream_utils import stream_logs
 from ._archive_utils import upload_source_code, check_remote_source_code
 
@@ -40,8 +40,9 @@ def acr_build(cmd,  # pylint: disable=too-many-locals
               platform=None,
               target=None,
               auth_mode=None,
-              log_template=None):
-    _, resource_group_name = validate_managed_registry(
+              log_template=None,
+              source_registry_auth_id=None):
+    registry, resource_group_name = validate_managed_registry(
         cmd, registry_name, resource_group_name, BUILD_NOT_SUPPORTED)
 
     from ._client_factory import cf_acr_registries_tasks
@@ -97,10 +98,14 @@ def acr_build(cmd,  # pylint: disable=too-many-locals
 
     platform_os, platform_arch, platform_variant = get_validate_platform(cmd, platform)
 
-    DockerBuildRequest, PlatformProperties = cmd.get_models(
+    DockerBuildRequest, PlatformProperties, RoleAssignmentMode = cmd.get_models(
         'DockerBuildRequest',
         'PlatformProperties',
+        'RoleAssignmentMode',
         operation_group='runs')
+    
+    registry_abac_enabled = registry.role_assignment_mode == RoleAssignmentMode.ABAC_REPOSITORY_PERMISSIONS
+    check_auth_mode_for_abac(registry_abac_enabled, auth_mode)
 
     docker_build_request = DockerBuildRequest(
         agent_pool_name=agent_pool_name,
@@ -118,15 +123,17 @@ def acr_build(cmd,  # pylint: disable=too-many-locals
         target=target,
         credentials=get_custom_registry_credentials(
             cmd=cmd,
-            auth_mode=auth_mode
+            auth_mode=auth_mode,
+            source_registry_auth_id=source_registry_auth_id,
+            registry_abac_enabled=registry_abac_enabled
         ),
         log_template=log_template
     )
 
-    queued = LongRunningOperation(cmd.cli_ctx)(client_registries.begin_schedule_run(
+    queued = client_registries.schedule_run(
         resource_group_name=resource_group_name,
         registry_name=registry_name,
-        run_request=docker_build_request))
+        run_request=docker_build_request)
 
     run_id = queued.run_id
     logger.warning("Queued a build with ID: %s", run_id)

src/azure-cli/azure/cli/command_modules/acr/pack.py

@@ -95,10 +95,10 @@ def acr_pack_build(cmd,  # pylint: disable=too-many-locals
         agent_pool_name=agent_pool_name
     )
 
-    queued = LongRunningOperation(cmd.cli_ctx)(client_registries.begin_schedule_run(
+    queued = client_registries.schedule_run(
         resource_group_name=resource_group_name,
         registry_name=registry_name,
-        run_request=request))
+        run_request=request)
 
     run_id = queued.run_id
     logger.warning('Queued a run with ID: %s', run_id)

src/azure-cli/azure/cli/command_modules/acr/run.py

@@ -10,6 +10,7 @@
 from ._constants import ACR_TASK_YAML_DEFAULT_NAME
 from ._stream_utils import stream_logs
 from ._utils import (
+    check_auth_mode_for_abac,
     validate_managed_registry,
     get_validate_platform,
     get_custom_registry_credentials,
@@ -40,9 +41,10 @@ def acr_run(cmd,  # pylint: disable=too-many-locals
             resource_group_name=None,
             platform=None,
             auth_mode=None,
-            log_template=None):
+            log_template=None,
+            source_registry_auth_id=None):
 
-    _, resource_group_name = validate_managed_registry(
+    registry, resource_group_name = validate_managed_registry(
         cmd, registry_name, resource_group_name, RUN_NOT_SUPPORTED)
 
     if cmd_value and file:
@@ -57,8 +59,11 @@ def acr_run(cmd,  # pylint: disable=too-many-locals
 
     platform_os, platform_arch, platform_variant = get_validate_platform(cmd, platform)
 
-    EncodedTaskRunRequest, FileTaskRunRequest, PlatformProperties = cmd.get_models(
-        'EncodedTaskRunRequest', 'FileTaskRunRequest', 'PlatformProperties', operation_group='runs')
+    EncodedTaskRunRequest, FileTaskRunRequest, PlatformProperties, RoleAssignmentMode = cmd.get_models(
+        'EncodedTaskRunRequest', 'FileTaskRunRequest', 'PlatformProperties', 'RoleAssignmentMode', operation_group='runs')
+
+    registry_abac_enabled = registry.role_assignment_mode == RoleAssignmentMode.ABAC_REPOSITORY_PERMISSIONS
+    check_auth_mode_for_abac(registry_abac_enabled, auth_mode)
 
     if source_location:
         request = FileTaskRunRequest(
@@ -74,7 +79,9 @@ def acr_run(cmd,  # pylint: disable=too-many-locals
             ),
             credentials=get_custom_registry_credentials(
                 cmd=cmd,
-                auth_mode=auth_mode
+                auth_mode=auth_mode,
+                source_registry_auth_id=source_registry_auth_id,
+                registry_abac_enabled=registry_abac_enabled
             ),
             agent_pool_name=agent_pool_name,
             log_template=log_template
@@ -94,16 +101,18 @@ def acr_run(cmd,  # pylint: disable=too-many-locals
             ),
             credentials=get_custom_registry_credentials(
                 cmd=cmd,
-                auth_mode=auth_mode
+                auth_mode=auth_mode,
+                source_registry_auth_id=source_registry_auth_id,
+                registry_abac_enabled=registry_abac_enabled
             ),
             agent_pool_name=agent_pool_name,
             log_template=log_template
         )
 
-    queued = LongRunningOperation(cmd.cli_ctx)(client_registries.begin_schedule_run(
+    queued = client_registries.schedule_run(
         resource_group_name=resource_group_name,
         registry_name=registry_name,
-        run_request=request))
+        run_request=request)
 
     run_id = queued.run_id
     logger.warning("Queued a run with ID: %s", run_id)