Publish-PSResource uses anonymous token for push when anonymousPull is enabled on ACR

[diablo668]

Prerequisites

• Write a descriptive title.
• Make sure you are able to repro it on the latest released version
• Search the existing issues.

Steps to reproduce

Simular to #1828, but that got closed without it being resolved!

When anonymousPull is enabled on an Azure Container Registry (ACR) and the registry is registered as a PSResource repository, Publish-PSResource always retrieves an anonymous access token—even if valid Azure credentials are available (via Connect-AzAccount ). This causes push operations to fail with 401 Unauthorized.

Verbose Output Example:

Publish-PSResource -Repository <RepoName> -Path <PathToModuleFiles>

VERBOSE: Get access token for container registry server.
VERBOSE: Anonymous access token retrieved.
VERBOSE: Start uploading blob
Publish-PSResource: Error occured while starting to upload the blob location used for publishing to ContainerRegistry: Response status code does not indicate success: 401 (Unauthorized).

FYI!

• The account has ArcPush activated on the ACR.
• Login prompt does appear when Anonymous access is Disabled on the ACR, and the publish can be completed successfully.

Expected behavior

- Anonymous access should only be used for pull operations.
- For push, PSResourceGet should either provide a login prompt or attempt authenticated token acquisition if credentials or Azure context exist.

Actual behavior

Error 401 (Unauthorized), because Anonymous access token was used

VERBOSE: Get access token for container registry server.
VERBOSE: Anonymous access token retrieved.
VERBOSE: Start uploading blob
Publish-PSResource: One or more errors occurred. (Error occured while starting to upload the blob location used for publishing to ContainerRegistry: System.Net.Http.HttpRequestException 'Error occured while trying to retrieve response header: Error occured while trying to retrieve response: Response status code does not indicate success: 401 (Unauthorized).')

Error details

Exception             :
    Type            : System.AggregateException
    InnerExceptions :
        Type       : Microsoft.PowerShell.PSResourceGet.UtilClasses.UploadBlobException
        TargetSite :
            Name          : MoveNext
            DeclaringType : [Microsoft.PowerShell.PSResourceGet.ContainerRegistryServerAPICalls+<GetStartUploadBlobLoca
tion>d__71]
            MemberType    : Method
            Module        : Microsoft.PowerShell.PSResourceGet.dll
        Message    : Error occured while starting to upload the blob location used for publishing to ContainerRegistry:
 System.Net.Http.HttpRequestException 'Error occured while trying to retrieve response header: Error occured while tryi
ng to retrieve response: Response status code does not indicate success: 401 (Unauthorized).'
        Source     : Microsoft.PowerShell.PSResourceGet
        HResult    : -2146233088
        StackTrace :
   at Microsoft.PowerShell.PSResourceGet.ContainerRegistryServerAPICalls.GetStartUploadBlobLocation(String packageName,
 String containerRegistryAccessToken) in C:\__w\1\s\PSResourceGet\src\code\ContainerRegistryServerAPICalls.cs:line 1660
    Message         : One or more errors occurred. (Error occured while starting to upload the blob location used for p
ublishing to ContainerRegistry: System.Net.Http.HttpRequestException 'Error occured while trying to retrieve response h
eader: Error occured while trying to retrieve response: Response status code does not indicate success: 401 (Unauthoriz
ed).')
    TargetSite      :
        Name          : ThrowIfExceptional
        DeclaringType : [System.Threading.Tasks.Task]
        MemberType    : Method
        Module        : System.Private.CoreLib.dll
    InnerException  :
        Type       : Microsoft.PowerShell.PSResourceGet.UtilClasses.UploadBlobException
        TargetSite :
            Name          : MoveNext
            DeclaringType : [Microsoft.PowerShell.PSResourceGet.ContainerRegistryServerAPICalls+<GetStartUploadBlobLoca
tion>d__71]
            MemberType    : Method
            Module        : Microsoft.PowerShell.PSResourceGet.dll
        Message    : Error occured while starting to upload the blob location used for publishing to ContainerRegistry:
 System.Net.Http.HttpRequestException 'Error occured while trying to retrieve response header: Error occured while tryi
ng to retrieve response: Response status code does not indicate success: 401 (Unauthorized).'
        Source     : Microsoft.PowerShell.PSResourceGet
        HResult    : -2146233088
        StackTrace :
   at Microsoft.PowerShell.PSResourceGet.ContainerRegistryServerAPICalls.GetStartUploadBlobLocation(String packageName,
 String containerRegistryAccessToken) in C:\__w\1\s\PSResourceGet\src\code\ContainerRegistryServerAPICalls.cs:line 1660
    Source          : System.Private.CoreLib
    HResult         : -2146233088
    StackTrace      :
   at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
   at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
   at Microsoft.PowerShell.PSResourceGet.ContainerRegistryServerAPICalls.UploadNupkgFile(String packageNameLowercase, S
tring containerRegistryAccessToken, String fullNupkgFile, ErrorRecord& errRecord) in C:\__w\1\s\PSResourceGet\src\code\
ContainerRegistryServerAPICalls.cs:line 1294
TargetObject          : Microsoft.PowerShell.PSResourceGet.Cmdlets.PublishPSResource
CategoryInfo          : InvalidResult: (Microsoft.PowerShel…s.PublishPSResource:PublishPSResource) [Publish-PSResource]
, AggregateException
FullyQualifiedErrorId : StartUploadBlobLocationError,Microsoft.PowerShell.PSResourceGet.Cmdlets.PublishPSResource
InvocationInfo        :
    MyCommand        : Publish-PSResource
    ScriptLineNumber : 1
    OffsetInLine     : 1
    HistoryId        : 40
    Line             : Publish-PSResource -Repository <RepoName> -Path <PathToModuleFiles> -Verbose
    Statement        : Publish-PSResource -Repository <RepoName> -Path <PathToModuleFiles> -Verbose
    PositionMessage  : At line:1 char:1
                       + Publish-PSResource -Repository <RepoName> -Path "$env:UserProfil …
                       + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    InvocationName   : Publish-PSResource
    CommandOrigin    : Internal
ScriptStackTrace      : at <ScriptBlock>, <No file>: line 1
PipelineIterationInfo :
      0
      1

Environment data

- PSResourceGet version: 1.1.1.1
- Azure Container Registry with anonymousPull = true and Private Endpoint enabled
- Account has active ArcPush role
- Get-Host

Name             : ConsoleHost
Version          : 7.5.4
InstanceId       : e0061f15-1059-417f-bc00-c593e232dbde
UI               : System.Management.Automation.Internal.Host.InternalHostUserInterface
CurrentCulture   : nl-NL
CurrentUICulture : nl-NL
PrivateData      : Microsoft.PowerShell.ConsoleHost+ConsoleColorProxy
DebuggerEnabled  : True
IsRunspacePushed : False
Runspace         : System.Management.Automation.Runspaces.LocalRunspace

Visuals

No response

[SydneyhSmith]

@diablo668 we made a bunch of updates to authentication in the 1.2 previews, could you see if it repros with the latest 1.2 version? Thanks!!

[diablo668]

No difference in this behavior with 1.2.0 preview4 (currently the latest in the Powershell Gallery):