[Bug Report]: Publishing to private bicep registry fails due to incorrect subscription context
Describe the bug
During the Publish Stage of a module pipeline execution, in the "Publish module to private bicep registry" task, if a Tenant contains more than one active subscription for the service principal, the first subscription in the list is selected for use. If the private bicep registry exists in a subscription other than the one selected by default, the service principal runs the publish script (Publish-ModuleToPrivateBicepRegistry.ps1) against an unintended subscription. Where the service principal does not have the necessary permissions on the selected subscription, the task fails with an error such as:
"Operation returned an invalid status code 'Forbidden'"
We need to be able to set the context to the desired subscription.
To reproduce
Run a module pipeline with the settings.yml file configured to publish to a private bicep registry in a Tenant with multiple active subscriptions associated with the service principal. Ensure the private bicep registry is located in a subscription other than the first listed available subscription to the service principal.
Code snippet
From jobs.publishModule.yml (lines 246-247):
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $env:servicePrincipalId, $SecuredPassword
# No subscription is selected here, so the Az context falls back to the first subscription the service principal can see
Connect-AzAccount -ServicePrincipal -TenantId $env:tenantId -Credential $Credential
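For comparison, an added example (not code from the repository's pipeline) of the same login step with the subscription pinned and verified before the publish script runs. It assumes a variable named bicepRegistrySubscriptionId holding the registry's subscription ID (a hypothetical name, supplied via settings.yml or a variable group) and that the service principal secret is available as $env:servicePrincipalKey.

```powershell
# Added example: connect as the service principal and pin the Az context to the
# subscription that hosts the private Bicep registry before publishing.
# Assumed inputs (hypothetical names): $env:bicepRegistrySubscriptionId, $env:servicePrincipalKey
$ErrorActionPreference = 'Stop'

$SecuredPassword = ConvertTo-SecureString -String $env:servicePrincipalKey -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $env:servicePrincipalId, $SecuredPassword

# Fail fast if the target subscription was never configured; otherwise Az silently
# picks the first subscription the service principal can see, which is the bug above.
if ([string]::IsNullOrWhiteSpace($env:bicepRegistrySubscriptionId)) {
    throw 'bicepRegistrySubscriptionId is not set; refusing to publish against an arbitrary subscription.'
}

# -Subscription on Connect-AzAccount selects the subscription at login time instead of
# defaulting to the first enabled one in the tenant.
Connect-AzAccount -ServicePrincipal -TenantId $env:tenantId -Credential $Credential `
    -Subscription $env:bicepRegistrySubscriptionId | Out-Null

# Set the context explicitly and verify it, so a wrong subscription fails here with a
# clear message rather than as a 'Forbidden' deep inside the publish script.
Set-AzContext -Subscription $env:bicepRegistrySubscriptionId | Out-Null
$context = Get-AzContext
if ($context.Subscription.Id -ne $env:bicepRegistrySubscriptionId) {
    throw "Az context is on subscription '$($context.Subscription.Id)' but the registry lives in '$env:bicepRegistrySubscriptionId'."
}
Write-Host "Publishing with subscription $($context.Subscription.Name) ($($context.Subscription.Id))"

# Only now invoke the pipeline's publish script (Publish-ModuleToPrivateBicepRegistry.ps1)
# with whatever parameters the pipeline already passes to it.
```

Note that a service principal with no role assignment on the target subscription fails at Set-AzContext, which surfaces the permission gap before any registry call is made.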
Relevant log output
No response
I ran into this previously and added an additional variable for bicep_registry_subscription_id and a Set-AzContext in the publish script. Maybe we can use something similar here and add it to the settings or secure variable group?
Using a subscriptionid variable in a variable group for the desired registry subscription and then setting context in the publish script was my workaround as well.
see #1085 --> needs to be done first