Merge branch 'dev' into trisavo/dnl-warnings

Author: trisavo-msft

src/azure-cli-core/azure/cli/core/auth/binary_cache.py

@@ -42,10 +42,11 @@ def load(self):
         logger.debug("load: %s", self.filename)
         try:
             self.data = self._load()
-        except (pickle.UnpicklingError, EOFError) as ex:
-            # We still get exception after retry:
+        except Exception as ex:  # pylint: disable=broad-exception-caught
+            # If we still get exception after retry, ignore all types of exceptions and use a new cache.
             # - pickle.UnpicklingError is caused by corrupted cache file, perhaps due to concurrent writes.
             # - EOFError is caused by empty cache file created by other az instance, but hasn't been filled yet.
+            # - AttributeError is caused by reading cache generated by different MSAL versions.
             logger.debug("Failed to load cache: %s. Using a fresh one.", ex)
             self.data = {}  # Ignore a non-existing or corrupted http_cache
 

src/azure-cli-core/azure/cli/core/cloud.py

@@ -583,6 +583,7 @@ def get_clouds(cli_ctx):
     except configparser.MissingSectionHeaderError:
         os.remove(CLOUD_CONFIG_FILE)
         logger.warning("'%s' is in bad format and has been removed.", CLOUD_CONFIG_FILE)
+    active_cloud_name = get_active_cloud_name(cli_ctx)
     for section in config.sections():
         c = Cloud(section)
         for option in config.options(section):
@@ -602,19 +603,20 @@ def get_clouds(cli_ctx):
                 "2019-03-01-hybrid",
                 "2020-09-01-hybrid",
             ):
-                logger.error(
-                    "The azure stack profile '%s' has been deprecated and removed, using the 'latest' profile instead.\n"
-                    "To continue using Azure Stack, please install the Azure CLI `2.66.*` (LTS) version. For more details, refer to: https://learn.microsoft.com/en-us/cli/azure/whats-new-overview#important-notice-for-azure-stack-hub-customers", c.profile
-                )
-                c.profile = 'latest'
+                if c.name == active_cloud_name:
+                    # only apply to the active cloud
+                    logger.error(
+                        "The azure stack profile '%s' has been deprecated and removed, using the 'latest' profile instead.\n"
+                        "To continue using Azure Stack, please install the Azure CLI `2.66.*` (LTS) version. For more details, refer to: https://learn.microsoft.com/en-us/cli/azure/whats-new-overview#important-notice-for-azure-stack-hub-customers", c.profile
+                    )
+                    c.profile = 'latest'
             else:
                 raise CLIError('Profile {} does not exist or is not supported.'.format(c.profile))
         if not c.endpoints.has_endpoint_set('management') and \
                 c.endpoints.has_endpoint_set('resource_manager'):
             # If management endpoint not set, use resource manager endpoint
             c.endpoints.management = c.endpoints.resource_manager
         clouds.append(c)
-    active_cloud_name = get_active_cloud_name(cli_ctx)
     for c in clouds:
         if c.name == active_cloud_name:
             c.is_active = True

src/azure-cli-core/azure/cli/core/profiles/_shared.py

@@ -195,10 +195,10 @@ def default_api_version(self):
             'provider_operations_metadata': '2018-01-01-preview'
         }),
         ResourceType.MGMT_CONTAINERREGISTRY: SDKProfile('2025-03-01-preview', {
-            'agent_pools': '2019-06-01-preview',
-            'tasks': '2019-06-01-preview',
-            'task_runs': '2019-06-01-preview',
-            'runs': '2019-06-01-preview',
+            'agent_pools': '2025-03-01-preview',
+            'tasks': '2025-03-01-preview',
+            'task_runs': '2025-03-01-preview',
+            'runs': '2025-03-01-preview',
             'network_rule': '2021-08-01-preview',
             'cache_rules': '2023-01-01-preview',
             'credential_sets': '2023-01-01-preview'

src/azure-cli/azure/cli/command_modules/acr/_client_factory.py

@@ -12,6 +12,7 @@
 VERSION_2022_02_01_PREVIEW = "2022-02-01-preview"
 VERSION_2023_01_01_PREVIEW = "2023-01-01-preview"
 VERSION_2024_11_01_PREVIEW = "2024-11-01-preview"
+VERSION_2025_03_01_PREVIEW = "2025-03-01-preview"
 
 
 def get_acr_service_client(cli_ctx, api_version=None):
@@ -38,7 +39,7 @@ def cf_acr_network_rules(cli_ctx, *_):
 
 
 def cf_acr_registries_tasks(cli_ctx, *_):
-    return get_acr_service_client(cli_ctx, api_version=VERSION_2019_06_01_PREVIEW).registries
+    return get_acr_service_client(cli_ctx, api_version=VERSION_2025_03_01_PREVIEW).registries
 
 
 def cf_acr_replications(cli_ctx, *_):
@@ -54,15 +55,15 @@ def cf_acr_private_endpoint_connections(cli_ctx, *_):
 
 
 def cf_acr_tasks(cli_ctx, *_):
-    return get_acr_service_client(cli_ctx, VERSION_2019_06_01_PREVIEW).tasks
+    return get_acr_service_client(cli_ctx, VERSION_2025_03_01_PREVIEW).tasks
 
 
 def cf_acr_taskruns(cli_ctx, *_):
-    return get_acr_service_client(cli_ctx, VERSION_2019_06_01_PREVIEW).task_runs
+    return get_acr_service_client(cli_ctx, VERSION_2025_03_01_PREVIEW).task_runs
 
 
 def cf_acr_runs(cli_ctx, *_):
-    return get_acr_service_client(cli_ctx, VERSION_2019_06_01_PREVIEW).runs
+    return get_acr_service_client(cli_ctx, VERSION_2025_03_01_PREVIEW).runs
 
 
 def cf_acr_scope_maps(cli_ctx, *_):
@@ -78,7 +79,7 @@ def cf_acr_token_credentials(cli_ctx, *_):
 
 
 def cf_acr_agentpool(cli_ctx, *_):
-    return get_acr_service_client(cli_ctx, VERSION_2019_06_01_PREVIEW).agent_pools
+    return get_acr_service_client(cli_ctx, VERSION_2025_03_01_PREVIEW).agent_pools
 
 
 def cf_acr_connected_registries(cli_ctx, *_):

src/azure-cli/azure/cli/command_modules/acr/_help.py

@@ -37,6 +37,9 @@
   - name: Queue a local context as a Linux build on arm/v7 architecture, tag it, and push it to the registry.
     text: >
         az acr build -t sample/hello-world:{{.Run.ID}} -r myregistry . --platform linux/arm/v7
+  - name: Queue a local context as a Linux build, tag it, and push it to the ABAC-based Repository Permission enabled registry and use the caller's Entra identity to authenticate with the source registry.
+    text: >
+        az acr build -t sample/hello-world:{{.Run.ID}} -r myregistry . --source-acr-auth-id [caller]
 """
 
 helps['acr check-health'] = """
@@ -812,6 +815,9 @@
   - name: Queue a remote OCI Artifact context and runs the task.
     text: >
         az acr run -r myregistry oci://myregistry.azurecr.io/myartifact:mytag -f hello-world.yaml
+  - name: Queue a run to execute a container command in an ABAC-based Repository Permission enabled registry and use the caller's Entra identity to authenticate with the source registry.
+    text: >
+        az acr run -r myregistry --cmd '$Registry/myimage' /dev/null --source-acr-auth-id [caller]
 """
 
 helps['acr scope-map'] = """
@@ -941,12 +947,22 @@
         az acr task create -t acb:{{.Run.ID}} -n acb-win -r myregistry \\
             -c https://github.com/Azure/acr-builder.git -f Windows.Dockerfile \\
             --commit-trigger-enabled false --platform Windows/amd64
-  - name: Create a Linux multi-step task from a public GitHub repository with with both system-assigned and user-assigned managed identities and base image, git commit, pull request, and timer triggers that run the task at noon on Mondays through Fridays with the timer trigger name provided.
+  - name: Create a Linux multi-step task from a public GitHub repository with both system-assigned and user-assigned managed identities and base image, git commit, pull request, and timer triggers that run the task at noon on Mondays through Fridays with the timer trigger name provided.
     text: |
         az acr task create -t hello-world:{{.Run.ID}} -n hello-world -r myregistry \\
             --pull-request-trigger-enabled true --schedule "dailyTimer:0 12 * * Mon-Fri" \\
             -c https://github.com/Azure-Samples/acr-tasks.git#:multipleRegistries -f testtask.yaml \\
             --assign-identity [system] "/subscriptions/<subscriptionId>/resourcegroups/<myResourceGroup>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<myUserAssignedIdentitiy>"
+  - name: Create a task without the source location in an ABAC-based Repository Permission registry and specify a system-assigned managed identity used for auth with the source registry.
+    text: >
+        az acr task create -n hello-world -r myregistry --cmd '$Registry/myimage' -c /dev/null --source-acr-auth-id [system]
+  - name: Create a task without the source location in an ABAC-based Repository Permission registry and specify a user-assigned managed identity used for auth with the source registry.
+    text: >
+        az acr task create -n hello-world -r myregistry --cmd '$Registry/myimage' -c /dev/null --source-acr-auth-id "/subscriptions/<subscriptionId>/resourcegroups/<myResourceGroup>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<myUserAssignedIdentitiy>"
+  - name: Create a task without the source location in an ABAC-based Repository Permission registry with both system-assigned and user-assigned managed identities, and specify the system-assigned managed identity used for auth with the source registry.
+    text: |
+        az acr task create -n hello-world -r myregistry --cmd '$Registry/myimage' -c /dev/null --source-acr-auth-id [system]
+            --assign-identity [system] "/subscriptions/<subscriptionId>/resourcegroups/<myResourceGroup>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<myUserAssignedIdentitiy>"
 """
 
 helps['acr task credential'] = """
@@ -1220,6 +1236,12 @@
         az acr task update --image MyImage --name MyTask --registry myregistry \\
             --context https://github.com/Azure-Samples/acr-build-helloworld-node.git
     crafted: true
+  - name: Update the task using the system-assigned managed identity for authentication with the source registry in Azure Container Registry.
+    text: >
+        az acr task update -n MyTask -r myregistry --source-acr-auth-id [system]
+  - name: Update the task using the user-assigned managed identity for authentication with the source registry in Azure Container Registry.
+    text: >
+        az acr task update -n MyTask -r myregistry --source-acr-auth-id "/subscriptions/<subscriptionId>/resourcegroups/<myResourceGroup>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<myUserAssignedIdentitiy>"
 """
 
 helps['acr task update-run'] = """

src/azure-cli/azure/cli/command_modules/acr/_params.py

@@ -315,6 +315,7 @@ def load_arguments(self, _):  # pylint: disable=too-many-statements
         c.argument('set_secret', help="Secret value in '--set name[=value]' format. Multiples supported by passing --set multiple times.", action='append', validator=validate_set_secret)
         c.argument('agent_pool_name', options_list=['--agent-pool'], help='The name of the agent pool.', is_preview=True)
         c.argument('log_template', options_list=['--log-template'], help="The repository and tag template for run log artifact using the format: 'log/repo:tag' (e.g., 'acr/logs:{{.Run.ID}}'). Only applicable to CMK enabled registry.", is_preview=True)
+        c.argument('source_acr_auth_id', is_preview=True, arg_type=get_enum_type(["[caller]", "none"]), help="Assign the identity used for source registry login. Use '[caller]' for caller identity.")
 
     with self.argument_context('acr pack build') as c:
         c.argument('registry_name', options_list=['--registry', '-r'])
@@ -334,6 +335,7 @@ def load_arguments(self, _):  # pylint: disable=too-many-statements
         c.argument('secret_arg', options_list=['--secret-build-arg'], help="Secret build argument in '--secret-build-arg name[=value]' format. Multiples are supported by passing '--secret-build-arg name[=value]' multiple times. This parameter value is not surfaced to the ACR team and is more suitable for sensitive information.", action='append', validator=validate_secret_arg)
         c.argument('agent_pool_name', options_list=['--agent-pool'], help='The name of the agent pool.', is_preview=True)
         c.argument('log_template', options_list=['--log-template'], help="The repository and tag template for run log artifact using the format: 'log/repo:tag' (e.g., 'acr/logs:{{.Run.ID}}'). Only applicable to CMK enabled registry.", is_preview=True)
+        c.argument('source_acr_auth_id', is_preview=True, arg_type=get_enum_type(["[caller]", "none"]), help="Assign the identity used for source registry login. Use '[caller]' for caller identity.")
 
     with self.argument_context('acr task') as c:
         c.argument('registry_name', options_list=['--registry', '-r'])
@@ -376,16 +378,20 @@ def load_arguments(self, _):  # pylint: disable=too-many-statements
         c.argument('cpu', type=int, help='The CPU configuration in terms of number of cores required for the run.')
 
         # MSI parameter
-        c.argument('assign_identity', nargs='*', help="Assigns managed identities to the task. Use '[system]' to refer to the system-assigned identity or a resource ID to refer to a user-assigned identity. Please see https://aka.ms/acr/tasks/task-create-managed-identity for more information.")
+        c.argument('assign_identity', nargs='*', help="Assign managed identities to the task. Use '[system]' to refer to the system-assigned identity or a resource ID to refer to a user-assigned identity. Please see https://aka.ms/acr/tasks/task-create-managed-identity for more information.")
 
         # Agent Pool Parameter
         c.argument('agent_pool_name', options_list=['--agent-pool'], help='The name of the agent pool.', is_preview=True)
 
     with self.argument_context('acr task create') as c:
         c.argument('task_name', completer=None)
+        c.argument('source_acr_auth_id', is_preview=True, help="Assign the managed identity used for source registry login. Use '[system]' to refer to the system-assigned identity or a resource ID to refer to a user-assigned managed identity.")
+
+    with self.argument_context('acr task update') as c:
+        c.argument('source_acr_auth_id', is_preview=True, help="Assign the managed identity used for source registry login. Use '[system]' to refer to the system-assigned identity or a resource ID to refer to a user-assigned managed identity.")
 
     with self.argument_context('acr task identity') as c:
-        c.argument('identities', options_list=['--identities'], nargs='*', help="Assigns managed identities to the task. Use '[system]' to refer to the system-assigned identity or a resource ID to refer to a user-assigned identity.")
+        c.argument('identities', options_list=['--identities'], nargs='*', help="Assign managed identities to the task. Use '[system]' to refer to the system-assigned identity or a resource ID to refer to a user-assigned identity.")
 
     with self.argument_context('acr task credential') as c:
         # Custom registry credentials

src/azure-cli/azure/cli/command_modules/acr/_utils.py

@@ -32,6 +32,9 @@
 
 from ._archive_utils import upload_source_code, check_remote_source_code
 
+CALLER_IDENTITY_ALIAS = '[caller]'
+SYSTEM_ASSIGNED_IDENTITY_ALIAS = '[system]'
+
 logger = get_logger(__name__)
 
 
@@ -278,30 +281,59 @@ def get_yaml_template(cmd_value, timeout, file):
     return yaml_template
 
 
-def get_custom_registry_credentials(cmd,
-                                    auth_mode=None,
-                                    login_server=None,
-                                    username=None,
-                                    password=None,
-                                    identity=None,
-                                    is_remove=False):
+def get_source_and_custom_registry_credentials(cmd,
+                                               auth_mode=None,
+                                               login_server=None,
+                                               username=None,
+                                               password=None,
+                                               identity=None,
+                                               is_remove=False,
+                                               source_acr_auth_id=None,
+                                               registry_abac_enabled=False,
+                                               deprecate_auth_mode=False):
     """Get the credential object from the input
     :param str auth_mode: The login mode for the source registry
     :param str login_server: The login server of custom registry
     :param str username: The username for custom registry (plain text or a key vault secret URI)
     :param str password: The password for custom registry (plain text or a key vault secret URI)
     :param str identity: The task managed identity used for the credential
+    :param str source_acr_auth_id: the managed identity used for the source registry authentication
+    :param bool registry_abac_enabled: whether the registry is ABAC-enabled
+    :param bool deprecate_auth_mode: whether to print the auth mode deprecation warning
     """
     Credentials, CustomRegistryCredentials, SourceRegistryCredentials, SecretObject, \
         SecretObjectType = cmd.get_models(
             'Credentials', 'CustomRegistryCredentials', 'SourceRegistryCredentials', 'SecretObject',
             'SecretObjectType',
             operation_group='tasks')
 
+    if deprecate_auth_mode:
+        check_auth_mode_for_abac(registry_abac_enabled, auth_mode)
+
+    source_registry_identity = None
+    if source_acr_auth_id:
+        # "Default" and "None" are the allowed values for source registry auth mode.
+        # For a non-ABAC-enabled registry, "--source-acr-auth-id" will not take effect, and authentication
+        # will fail if the auth mode is "None". Therefore, we need to throw an error here.
+        if not registry_abac_enabled and auth_mode and auth_mode.lower() == "none":
+            raise CLIError('Error: Conflicting Authentication Parameters for Task Access to Source Registry. Task '
+                           'authentication mode for source registry access is set to "None", but an identity was '
+                           'provided for authentication. Remove the identity or update the authentication mode to '
+                           'resolve this conflict.')
+
+        if source_acr_auth_id.lower() == "none":
+            source_registry_identity = None
+        elif source_acr_auth_id.startswith('/subscriptions/'):  # user-assigned MI resource ID
+            source_registry_identity = resolve_identity_client_id(cmd.cli_ctx, source_acr_auth_id)
+        elif source_acr_auth_id == CALLER_IDENTITY_ALIAS or source_acr_auth_id == SYSTEM_ASSIGNED_IDENTITY_ALIAS:
+            source_registry_identity = source_acr_auth_id
+        else:
+            raise CLIError('Error: Invalid value for --source-acr-auth-id.')
+
     source_registry_credentials = None
-    if auth_mode:
+    if auth_mode or source_registry_identity:
         source_registry_credentials = SourceRegistryCredentials(
-            login_mode=auth_mode)
+            login_mode=auth_mode, identity=source_registry_identity)
 
     custom_registries = None
     if login_server:
@@ -606,3 +638,10 @@ def get_task_details_by_name(cli_ctx, resource_group_name, registry_name, task_n
     from ._client_factory import cf_acr_tasks
     client = cf_acr_tasks(cli_ctx)
     return client.get_details(resource_group_name, registry_name, task_name)
+
+
+def check_auth_mode_for_abac(registry_abac_enabled, auth_mode):
+    if registry_abac_enabled and auth_mode is not None:
+        logger.warning("The --auth-mode flag is deprecated for specifying access to an ABAC-enabled source registry. "
+                       "Please use --source-acr-auth-id to specify an Entra identity for use in accessing an "
+                       "ABAC-enabled source registry.")