Tutorial: Fixing Docker Push/Pull Authorization Errors in Azure DevOps Pipelines

When working with Azure Container Registry (ACR) in Azure DevOps pipelines, you may encounter authorization errors when trying to push or pull Docker images. This tutorial provides multiple solutions to resolve these issues.

Service principal’s token expired

An issue that often arises with service principals or secrets that are automatically created is that the token expires and needs to be renewed. If you have an issue with refreshing the token, see Failed to obtain an access token or a valid refresh token wasn’t found.

If your token expired, you could see one of the error messages:

• AADSTS7000215: Invalid client secret is provided
• AADSTS7000222: The provided client secret keys for app '***' are expired
• Invalid client id or client secret

To renew the access token for an automatically created service principal or secret:

Option 1: Edit and Re-save the Existing Service Connection

Sometimes simply re-saving the existing service connection can resolve authentication issues:

1. Navigate to your Azure DevOps project
2. Click on “Project settings” in the bottom left corner
3. Select “Service connections” under the “Pipelines” section
4. Find the existing ACR connection that you’re using in your pipeline
5. Click on “Usage history” for that connection
6. Click “Edit” (don’t make any changes unless necessary)
7. Click “Save”

Note: Some users report that the save operation only works when following this specific path through the usage history rather than editing directly from the service connections list.

Option 2: Verify Service Principal Permissions

1. In the Azure Portal, navigate to your Container Registry
2. Go to “Access control (IAM)”
3. Check that your service principal has at least “AcrPush” role assigned
4. If not, click “Add role assignment” and assign the appropriate role

Option 3: Regenerate Service Connection Credentials

1. In Azure DevOps, go to Project Settings > Service Connections
2. Select your ACR service connection
3. Click “Edit”
4. Click “Verify connection” to test if it’s working
5. If verification fails, consider regenerating the credentials:

• In Azure Portal, go to Azure Active Directory
• Find the service principal used by your connection
• Under “Certificates & secrets”, create a new client secret
• Update the service connection with the new secret

Option 4: Use Azure CLI Authentication in Pipeline

As an alternative to service connections, you can authenticate directly in your pipeline:

steps:
- task: AzureCLI@2
  inputs:
    azureSubscription: 'Your-Azure-Subscription'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      az acr login --name yourregistry.azurecr.io
      docker pull yourregistry.azurecr.io/yourimage:tag

Option 5: Check Pipeline Permissions

1. In Azure DevOps, go to your pipeline definition
2. Click on the three dots menu and select “Security”
3. Verify that the build service has permission to access the service connection
4. If not, grant permission to use the connection

Best Practices

• Always use managed identities when possible rather than secrets
• Regularly rotate credentials and update service connections
• Consider using task-based authentication for better security
• For production scenarios, implement credential scanning in your pipelines

By following one of these options, you should be able to resolve the unauthorized access issues when pushing or pulling Docker images from ACR in your Azure DevOps pipelines.

Reference: Pull and Push Docker Image task to ACR fails in Azure Devops Pipeline “unauthorized: Invalid clientid or client secret.” – Stack Overflow