UnrecognizedClientException: The security token included in the request is invalid' when pushing ECR image

[xyfoo]

Describe the bug

Encounter 'UnrecognizedClientException: The security token included in the request is invalid' when try to push ECR image

To reproduce

1. Setup Azure DevOps service connection with only access key id & secret access key

2. Use 'Amazon ECR Push' Task

   - task: ECRPushImage@1
   displayName: "Push docker image to AWS ECR"
   inputs:
     awsCredentials: "$(aws_azdo_svc_connection)"
     regionName: "$(aws_region)"
     sourceImageName: "$(docker_image_name)"
     sourceImageTag: "latest"
     repositoryName: "$(ecr_repo_name)"
     pushTag: "latest"
     logRequest: true
     logResponse: true

3. Run pipeline

4. Task failed

==============================================================================
Configuring credentials for task
...configuring AWS credentials from service endpoint '{redacted}'
...endpoint defines standard access/secret key credentials
Configuring region for task
...configured to use region us-east-1, defined in task.
Pushing image '{redacted}:latest'
Obtaining authentication token for ECR login
##[error]Error: Failed to obtain authorization token to log in to ECR, error: UnrecognizedClientException: The security token included in the request is invalid
Finishing: Push docker image to AWS ECR

Expected behavior

Image will be pushed to ECR

Your Environment

• On-prem or cloud based?: Cloud
• Azure DevOps version: N/A
• AWS Toolkit for Azure DevOps version: 1.13.0 (Latest)

Additional context

• Credentials was provide via Azure DevOps service connection
• The IAM role has ecr.* permission assigned
• Repository policy. Tried remove it, still doesn't work.

  {
  "Version": "2008-10-17",
  "Statement": [
  {
    "Sid": "Permissions",
    "Effect": "Allow",
    "Principal": {
      "AWS": [
        "arn:aws:iam::{account-id}:user/{user-id}"
      ]
    },
    "Action": "ecr:*"
  }
  ]
  }

• I'm able to get auth token by running aws ecr get-authorization-token via CLI
• I'm able to push image manually by running aws ecr get-login-password -region us-east-1 | docker ... via CLI
• Updates (Apr 22)
  • It works when I setup the service connection with access key id, secret access key & session token from another account with identical permission set.

[xyfoo]

Closing this as the issue was caused by bug in Azure DevOps Service Connection. Reported separately as issue #466