Azure / bicep

Bicep is a declarative language for describing and deploying Azure resources
MIT License

Unable to authenticate to acr module registry with vs code (azure account) #8714

Open Jonatan-V opened 1 year ago

Jonatan-V commented 1 year ago

Bicep version

VS Code bicep extension v0.11.1

Describe the bug

When I create a module that references another module in acr, I get an auth error (see additional context) when I try to use VS Code (azure account extension). Using azure cli works as expected though.

To Reproduce

Steps to reproduce the behavior: Create a module that references a module in acr, i.e.:

module name 'br/RegistryName:modulename:1.0.0' = {
  name: '${deployment().name}-deployment'
  params: {
    name: name
  }
}

And bicepconfig.json:

{
  "cloud": {
    "currentProfile": "AzureCloud",
    "credentialPrecedence": [
      "VisualStudioCode"
    ]
  },
  "moduleAliases": {
    "br": {
      "RegistryName": {
        "registry": "registryname.azurecr.io",
        "modulePath": "bicep/modules"
      }
    }
  }
}

Additional context

Unable to restore the module with reference "br:crbmrkj2a7e24wccli.azurecr.io/bicep/modules/loganalyticsworkspace:0.0.1": Unhandled exception: Azure.Identity.CredentialUnavailableException: Stored credentials not found. Need to authenticate user in VSCode Azure Account. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/vscodecredential/troubleshoot
 ---> System.InvalidOperationException: CredRead has failed but error is unknown.
   at Azure.Identity.WindowsNativeMethods.ThrowIfFailed(Boolean isSucceeded, String methodName)
   at Azure.Identity.WindowsNativeMethods.CredRead(String target, CRED_TYPE type)
   at Azure.Identity.WindowsVisualStudioCodeAdapter.GetCredentials(String serviceName, String accountName)
   at Azure.Identity.VisualStudioCodeCredential.GetStoredCredentials(String environmentName)
   --- End of inner exception stack trace ---
   at Azure.Identity.ChainedTokenCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.ChainedTokenCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Containers.ContainerRegistry.ContainerRegistryRefreshTokenCache.GetRefreshTokenFromCredentialAsync(TokenRequestContext context, String service, Boolean async, CancellationToken cancellationToken)
   at Azure.Containers.ContainerRegistry.ContainerRegistryRefreshTokenCache.GetAcrRefreshTokenAsync(HttpMessage message, TokenRequestContext context, String service, Boolean async)
   at Azure.Containers.ContainerRegistry.ContainerRegistryRefreshTokenCache.GetAcrRefreshTokenAsync(HttpMessage message, TokenRequestContext context, String service, Boolean async)
   at Azure.Containers.ContainerRegistry.ContainerRegistryChallengeAuthenticationPolicy.AuthorizeRequestOnChallengeAsyncInternal(HttpMessage message, Boolean async)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
   at Azure.Core.Pipeline.RedirectPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
   at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
   at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
   at Azure.Containers.ContainerRegistry.ContainerRegistryRestClient.GetManifestAsync(String name, String reference, String accept, CancellationToken cancellationToken)
   at Azure.Containers.ContainerRegistry.Specialized.ContainerRegistryBlobClient.DownloadManifestAsync(DownloadManifestOptions options, CancellationToken cancellationToken)
   at Bicep.Core.Registry.AzureContainerRegistryManager.DownloadManifestAsync(OciArtifactModuleReference moduleReference, ContainerRegistryBlobClient client) in C:\__w\1\s\bicep\src\Bicep.Core\Registry\AzureContainerRegistryManager.cs:line 104
   at Bicep.Core.Registry.AzureContainerRegistryManager.PullArtifactAsync(RootConfiguration configuration, OciArtifactModuleReference moduleReference) in C:\__w\1\s\bicep\src\Bicep.Core\Registry\AzureContainerRegistryManager.cs:line 44
   at Bicep.Core.Registry.OciModuleRegistry.TryPullArtifactAsync(RootConfiguration configuration, OciArtifactModuleReference reference) in C:\__w\1\s\bicep\src\Bicep.Core\Registry\OciModuleRegistry.cs:line 206 bicep(BCP192)

alex-frankel commented 1 year ago

Just to double check, are you signed into the "Azure Account" extension? Assuming yes, we will need to investigate this further.

alex-frankel commented 1 year ago

@bhsubra / @puicchan -- can you take a look at this one?

Jonatan-V commented 1 year ago

> Just to double check, are you signed into the "Azure Account" extension? Assuming yes, we will need to investigate this further.

Yes I am indeed.

bhsubra commented 1 year ago

Thanks @Jonatan-V for reporting the issue.

This is currently blocked by https://github.com/Azure/azure-sdk-for-net/issues/27263. As a workaround, could you please try using azure cli for authentication?

cc: @puicchan, @alex-frankel, @shenglol

gsuttie commented 1 year ago

I am trying to get this working - is there a concrete example of what we need to use -

  1. I am trying to reference an acr in a different tenant/subscription which I have access to using my work account.
  2. I am logged into VS Code as my work account. I want to deploy to my own Azure subscription (non work related) referencing the bicep modules from the acr in step 1
  3. Unable to restore the reference is what I see

Do we have a way of making this work at present? Thanks for any help.

o-l-a-v commented 9 months ago

@gsuttie

What seems to have worked for me was to do the following in the VS Code terminal; I used vscode-powershell with PowerShell v7.4.0.

az cache purge
az login --use-device-code
az account set --subscription <subscription_id_where_ACR_lives>

Then closed and reopened Visual Studio Code. Maybe >Bicep: Restore Bicep Modules (Force) can be used here, IDK.
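
Added example, not part of the thread or the Bicep project's own files: the bicepconfig.json from the report with credentialPrecedence switched from VisualStudioCode to AzureCLI, which is how the Azure CLI workaround suggested above is expressed in Bicep configuration. The registry name and module path are the reporter's placeholders; module restore then relies on the identity from the current az login session, so that account needs pull access to the registry.

```json
{
  "cloud": {
    "currentProfile": "AzureCloud",
    "credentialPrecedence": [
      "AzureCLI"
    ]
  },
  "moduleAliases": {
    "br": {
      "RegistryName": {
        "registry": "registryname.azurecr.io",
        "modulePath": "bicep/modules"
      }
    }
  }
}
```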