0

I have an Azure DevOps pipeline where I want to build the Flowable Docker images.

The pipeline looks like this:

steps:
- script: |
    curl -L https://aka.ms/acr/installaad/bash | /bin/bash
  displayName: 'Install ACR Helper'

- task: AzureCLI@2
  inputs:
    azureSubscription: '**************'
    scriptType: 'pscore'
    scriptLocation: 'inlineScript'
    inlineScript: 'az acr login -n ****'

- script: |
    sed -i 's/<dependencies>/<dependencies>\r\n<!--mssql-->\r\n<dependency>\r\n<groupId>com.microsoft.sqlserver<\/groupId>\r\n<artifactId>mssql-jdbc<\/artifactId>\r\n<version>10.2.0.jre11<\/version>\r\n<\/dependency>\r\n<!--ghost-->/g' $(Build.SourcesDirectory)/modules/flowable-app-rest/pom.xml
    cat $(Build.SourcesDirectory)/modules/flowable-app-rest/pom.xml
    sed -i 's/<dependencies>/<dependencies>\r\n<!--mssql-->\r\n<dependency>\r\n<groupId>com.microsoft.sqlserver<\/groupId>\r\n<artifactId>mssql-jdbc<\/artifactId>\r\n<version>10.2.0.jre11<\/version>\r\n<\/dependency>\r\n<!--ghost-->/g' $(Build.SourcesDirectory)/modules/flowable-ui/flowable-ui-app/pom.xml
    cat $(Build.SourcesDirectory)/modules/flowable-ui/flowable-ui-app/pom.xml
    cat ~/.docker/config.json
    echo "Done"
  displayName: 'Fix pom files with sqlserver dependency'

- script: |
    mvn -Pdistro clean install -DskipTests
    cd modules/flowable-app-rest
    type pom.xml
    mvn -Pdocker,swagger,dockerPublish -DskipTests -Dimage=****.azurecr.io/flowable-app-rest -Djib.to.tags=$(Build.BuildId) clean package
    cd ../flowable-ui
    type pom.xml
    mvn -Pdocker,dockerPublish -DskipTests -Dimage=****.azurecr.io/flowable-ui -Djib.to.tags=$(Build.BuildId) clean package
  displayName: 'Launch Build All Images'

The pipeline compiles correctly, but when it comes to pushing the image to Azure Container Registry, it stops with the following error:

[ERROR] Failed to execute goal com.google.cloud.tools:jib-maven-plugin:2.6.0:build (default) on project flowable-ui-app: Build image failed, perhaps you should make sure your credentials for '****.azurecr.io/flowable-ui' are set up correctly. See https://github.com/GoogleContainerTools/jib/blob/master/docs/faq.md#what-should-i-do-when-the-registry-responds-with-unauthorized for help: Unauthorized for ****.azurecr.io/flowable-ui: 401 Unauthorized
[ERROR] {"errors":[{"code":"UNAUTHORIZED","message":"aad access token with sp failed client id must be guid"}]}
[ERROR] -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
[ERROR] 
[ERROR] After correcting the problems, you can resume the build with the command
[ERROR]   mvn <args> -rf :flowable-ui-app
##[error]Bash exited with code '1'.

I tried to recreate the service connection, but it does not solve the problem.

The ACR login phase is succeeding:

2022-07-07T16:45:58.4037264Z ##[section]Starting: AzureCLI
2022-07-07T16:45:58.4046609Z ==============================================================================
2022-07-07T16:45:58.4046945Z Task         : Azure CLI
2022-07-07T16:45:58.4047453Z Description  : Run Azure CLI commands against an Azure subscription in a PowerShell Core/Shell script when running on Linux agent or PowerShell/PowerShell Core/Batch script when running on Windows agent.
2022-07-07T16:45:58.4047940Z Version      : 2.198.0
2022-07-07T16:45:58.4048157Z Author       : Microsoft Corporation
2022-07-07T16:45:58.4048472Z Help         : https://learn.microsoft.com/azure/devops/pipelines/tasks/deploy/azure-cli
2022-07-07T16:45:58.4048861Z ==============================================================================
2022-07-07T16:45:58.5554820Z [command]/usr/bin/az --version
2022-07-07T16:45:59.1728858Z WARNING: You have 2 updates available. Consider updating your CLI installation with 'az upgrade'
2022-07-07T16:45:59.1730459Z azure-cli                         2.32.0 *
2022-07-07T16:45:59.1818159Z 
2022-07-07T16:45:59.1819182Z Please let us know how we are doing: https://aka.ms/azureclihats
2022-07-07T16:45:59.1820888Z and let us know if you're interested in trying out our newest features: https://aka.ms/CLIUXstudy
2022-07-07T16:45:59.1821697Z 
2022-07-07T16:45:59.1822147Z core                              2.32.0 *
2022-07-07T16:45:59.1822655Z telemetry                          1.0.6
2022-07-07T16:45:59.1822876Z 
2022-07-07T16:45:59.1823225Z Extensions:
2022-07-07T16:45:59.1824086Z azure-devops                      0.22.0
2022-07-07T16:45:59.1824300Z 
2022-07-07T16:45:59.1824660Z Dependencies:
2022-07-07T16:45:59.1825084Z msal                              1.16.0
2022-07-07T16:45:59.1825843Z azure-mgmt-resource               20.0.0
2022-07-07T16:45:59.1826106Z 
2022-07-07T16:45:59.1826769Z Python location '/opt/az/bin/python3'
2022-07-07T16:45:59.1827587Z Extensions directory '/opt/az/azcliextensions'
2022-07-07T16:45:59.1827868Z 
2022-07-07T16:45:59.1828443Z Python (Linux) 3.6.10 (default, Dec 31 2021, 08:09:22) 
2022-07-07T16:45:59.1829049Z [GCC 9.3.0]
2022-07-07T16:45:59.1829254Z 
2022-07-07T16:45:59.1829747Z Legal docs and information: aka.ms/AzureCliLegal
2022-07-07T16:45:59.1830499Z 
2022-07-07T16:45:59.1830634Z 
2022-07-07T16:45:59.1834885Z Setting AZURE_CONFIG_DIR env variable to: /agent/_work/_temp/.azclitask
2022-07-07T16:45:59.1837370Z Setting active cloud to: AzureCloud
2022-07-07T16:45:59.1849702Z [command]/usr/bin/az cloud set -n AzureCloud
2022-07-07T16:46:00.5538312Z [command]/usr/bin/az login --service-principal -u *** --password=*** --tenant **** --allow-no-subscriptions
2022-07-07T16:46:01.3599665Z [
2022-07-07T16:46:01.3628560Z   {
2022-07-07T16:46:01.3635580Z     "cloudName": "AzureCloud",
2022-07-07T16:46:01.3637046Z     "homeTenantId": "****",
2022-07-07T16:46:01.3638023Z     "id": "****",
2022-07-07T16:46:01.3638553Z     "isDefault": true,
2022-07-07T16:46:01.3639172Z     "managedByTenants": [
2022-07-07T16:46:01.3639591Z       {
2022-07-07T16:46:01.3640420Z         "tenantId": "****"
2022-07-07T16:46:01.3640934Z       }
2022-07-07T16:46:01.3641340Z     ],
2022-07-07T16:46:01.3641827Z     "name": "****",
2022-07-07T16:46:01.3642399Z     "state": "Enabled",
2022-07-07T16:46:01.3643257Z     "tenantId": "***",
2022-07-07T16:46:01.3643758Z     "user": {
2022-07-07T16:46:01.3645145Z       "name": "***",
2022-07-07T16:46:01.3645632Z       "type": "servicePrincipal"
2022-07-07T16:46:01.3646037Z     }
2022-07-07T16:46:01.3646401Z   }
2022-07-07T16:46:01.3646764Z ]
2022-07-07T16:46:01.3690101Z [command]/usr/bin/az account set --subscription 1aa6ffe6-1468-45f2-a682-6000a1b7ef28
2022-07-07T16:46:01.6346487Z [command]/usr/bin/pwsh -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command . '/agent/_work/_temp/azureclitaskscript1657212358546.ps1'
2022-07-07T16:46:03.1390154Z Login Succeeded
2022-07-07T16:46:03.5027810Z [command]/usr/bin/az account clear
2022-07-07T16:46:03.8731846Z ##[section]Finishing: AzureCLI

Any help is appreciated.

erbg

2 Answers

1

From your YAML sample and the log, you are using the Azure CLI task to log in to the ACR.

But you can check the log of the Azure CLI task. It contains the step:

[command]/usr/bin/az account clear

This means that the credentials will be cleared when the Azure CLI task completes.

They will not be passed to the next tasks. This is the root cause of the issue.

You can use a script or bash task to execute the az acr login command. Then the credentials will be passed to the next tasks.

To use the existing Service Principal, you can use the following example:

steps:
…
- task: AzureCLI@2
  displayName: 'Azure CLI '
  inputs:
    azureSubscription: xx
    scriptType: bash
    scriptLocation: inlineScript
    inlineScript: |
     echo "##vso[task.setvariable variable=ARM_CLIENT_ID]$servicePrincipalId" 
     
     echo "##vso[task.setvariable variable=ARM_CLIENT_SECRET]$servicePrincipalKey"
    
     echo "##vso[task.setvariable variable=ARM_TENANT_ID]$tenantId"
    addSpnToEnvironment: true

- bash: |
   az login --service-principal --username $(ARM_CLIENT_ID) --password $(ARM_CLIENT_SECRET) --tenant $(ARM_TENANT_ID)
   
   az acr login -n ****
  displayName: 'Bash Script'
Kevin Lu-MSFT
  • Didn't see the az account clear output. Thank you, Kevin, for your script. I tried your approach, but it is not working. I still have the same problem. I'm not really sure if the ARM_CLIENT_ID variables are set correctly, as the log outputs only the anonymized *** output. I also tried putting the compile step in the Azure CLI task and added the "az acr login" on the first line. But still the push to the repo is not working with the same error. :( – erbg Jul 12 '22 at 10:28
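
The question prints `~/.docker/config.json` to the build log to see whether the registry login survived into the next step, which also writes any stored token into the log. The following is an added example, not code from either poster: it reports which credential sources the file holds for a registry and whether the stored username is GUID-shaped (the property the 401 message complains about), without returning a secret. The function name, registry names, helper name and credentials are constructed, and relating the stored username to the "client id" in the error is an assumption.

```python
import base64
import json
import re

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def registry_credentials(config_text, registry):
    """Summarise, without secrets, what a Docker config holds for `registry`."""
    cfg = json.loads(config_text)
    report = {
        "auth_entry": False,        # is there an "auths" entry for this host?
        "username_is_guid": None,   # None when no user:password pair is stored
        "identity_token": False,    # token present (its value is never returned)
        "cred_helper": cfg.get("credHelpers", {}).get(registry),
        "creds_store": cfg.get("credsStore"),
    }
    for key, entry in cfg.get("auths", {}).items():
        # Keys may be a bare host or a URL such as https://host/v1/
        host = key.split("://", 1)[-1].split("/", 1)[0]
        if host != registry:
            continue
        report["auth_entry"] = True
        report["identity_token"] = bool(entry.get("identitytoken"))
        if entry.get("auth"):
            decoded = base64.b64decode(entry["auth"]).decode("utf-8", "replace")
            report["username_is_guid"] = bool(GUID.match(decoded.split(":", 1)[0]))
    return report

def _b64(pair):
    return base64.b64encode(pair.encode()).decode()

# Constructed sample config; registry names, helper name and credentials are made up.
SAMPLE = json.dumps({
    "auths": {
        "example.azurecr.io": {"auth": _b64("build-agent:not-a-real-secret")},
        "guid.azurecr.io": {"auth": _b64("00000000-0000-0000-0000-000000000000:not-a-real-token")},
    },
    "credHelpers": {"other.azurecr.io": "example-helper"},
})

if __name__ == "__main__":
    print(registry_credentials(SAMPLE, "example.azurecr.io"))
```

In a pipeline step, pass the contents of `~/.docker/config.json` and the registry host in place of the sample, and log only the returned summary.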
0

I ended up pushing the image to the local Docker repository and then using the specific DevOps task to push to the repository.

The new pipeline looks like this:

steps:
- script: |
    sed -i 's/<dependencies>/<dependencies>\r\n<!--mssql-->\r\n<dependency>\r\n<groupId>com.microsoft.sqlserver<\/groupId>\r\n<artifactId>mssql-jdbc<\/artifactId>\r\n<version>10.2.0.jre11<\/version>\r\n<\/dependency>\r\n<!--ghost-->/g' $(Build.SourcesDirectory)/modules/flowable-app-rest/pom.xml
    cat $(Build.SourcesDirectory)/modules/flowable-app-rest/pom.xml
    sed -i 's/<dependencies>/<dependencies>\r\n<!--mssql-->\r\n<dependency>\r\n<groupId>com.microsoft.sqlserver<\/groupId>\r\n<artifactId>mssql-jdbc<\/artifactId>\r\n<version>10.2.0.jre11<\/version>\r\n<\/dependency>\r\n<!--ghost-->/g' $(Build.SourcesDirectory)/modules/flowable-ui/flowable-ui-app/pom.xml
    cat $(Build.SourcesDirectory)/modules/flowable-ui/flowable-ui-app/pom.xml
    echo "Done"
  displayName: 'Fix pom files with sqlserver dependency'

- script: |
    mvn -Pdistro clean install -DskipTests
    cd modules/flowable-app-rest
    mvn -Pdocker,swagger -DskipTests -Dimage=***.azurecr.io/flowable-app-rest -Djib.to.tags=$(Build.BuildId) clean package 
    docker image ls 
  displayName: 'Launch Build flowable-app-rest'

- task: Docker@2
  inputs:
    containerRegistry: '***.azurecr.io'
    repository: 'flowable-app-rest'
    command: 'push'

- script: |
    cd modules/flowable-ui
    mvn -Pdocker -DskipTests -Dimage=***.azurecr.io/flowable-ui -Djib.to.tags=$(Build.BuildId) clean package
    docker image ls 
  displayName: 'Launch Build flowable-app-ui'

- task: Docker@2
  inputs:
    containerRegistry: '***'
    repository: 'flowable-ui'
    command: 'push'
erbg