What is the problem you're trying to solve
I am trying to purge from an ACR task on an ABAC-enabled registry. I have tried using system assigned and user assigned identities. The identities have role assignments for roles:
- Container Registry Repository Catalog Lister
- Container Registry Repository Contributor
I have not added any ABAC conditions for these role assignments.
The task is configured to use the identity.
System assigned identity
"credentials": {
  "customRegistries": null,
  "sourceRegistry": {
    "identity": "[system]",
    "loginMode": null
  }
},
User assigned identity
"credentials": {
  "customRegistries": null,
  "sourceRegistry": {
    "identity": "cb6aba75-73d1-4142-9c98-0c2fc1595a5c",
    "loginMode": null
  }
},
When the task runs it appears to log in to the registry OK, but fails to read repository metadata.
2026/04/09 12:42:20 Alias support enabled for version >= 1.1.0, please see https://aka.ms/acr/tasks/task-aliases for more information.
2026/04/09 12:42:21 Creating Docker network: acb_default_network, driver: 'bridge'
2026/04/09 12:42:21 Successfully set up Docker network: acb_default_network
2026/04/09 12:42:21 Setting up Docker configuration...
2026/04/09 12:42:21 Successfully set up Docker configuration
2026/04/09 12:42:21 Logging in to registry: myregistry.azurecr.io
2026/04/09 12:42:22 Successfully logged into myregistry.azurecr.io
2026/04/09 12:42:22 Executing step ID: acb_step_0. Timeout(sec): 3600, Working directory: '', Network: 'acb_default_network'
2026/04/09 12:42:22 Launching container with name: acb_step_0
Deleting tags for repository: 1234/test
Error: failed to purge tags: acr.BaseClient#GetAcrTags: Failure responding to request: StatusCode=401 -- Original Error: autorest/azure: Service returned an error. Status=401 Code="Unknown" Message="Unknown service error" Details=[{"errors":[{"code":"UNAUTHORIZED","detail":[{"Action":"metadata_read","Name":"1234/test","Type":"repository"}],"message":"authentication required, visit https://aka.ms/acr/authorization for more information."}]}]
Failed to complete purge: failed to purge tags: acr.BaseClient#GetAcrTags: Failure responding to request: StatusCode=401 -- Original Error: autorest/azure: Service returned an error. Status=401 Code="Unknown" Message="Unknown service error" Details=[{"errors":[{"code":"UNAUTHORIZED","detail":[{"Action":"metadata_read","Name":"1234/test","Type":"repository"}],"message":"authentication required, visit https://aka.ms/acr/authorization for more information."}]}]
Number of deleted tags: 0
Number of deleted manifests: 0
2026/04/09 12:42:22 Container failed during run: acb_step_0. No retries remaining.
failed to run step ID: acb_step_0: exit status 1
Run ID: cg10 failed after 4s. Error: failed during run, err: exit status 1
Describe the solution you'd like
Can we please have some clarity on whether this works or not? I have seen reports online that it does not work. I have seen PRs merged in the past month that might fix it. I'm not sure if these changes are available in ACR tasks yet.
Additional context
I have contacted Azure support, but no solutions were provided.