Prepare

Create a placeholder task resource in the registry with the following acb.yaml, and enable trusted service access to the registry. This is a one-time setup.

  • acb.yaml
version: v1.1.0
steps:
 - build: -t $Registry/{{.Values.image}} -f {{.Values.dockerfile}} .
 - push:
    - $Registry/{{.Values.image}}
  • bash script to create the task and enable trusted service access
registry_name="myregistry"
task_name="mybuildtask"

# Allow trusted Azure services to access the registry
echo "enable trusted service on registry: $registry_name"
registry_login_server=$(az acr update -n "$registry_name" --allow-trusted-services true --query "loginServer" -o tsv)
echo "registry login server: $registry_login_server"

# '[system]' is quoted so the shell does not treat it as a glob pattern
echo "create task with system identity enabled: $task_name"
system_identity_principal=$(az acr task create -r "$registry_name" -n "$task_name" -f acb.yaml -c /dev/null --assign-identity '[system]' --auth-mode None --base-image-trigger-enabled false --query "identity.principalId" -o tsv)
echo "system identity principal: $system_identity_principal"

registry_resource_id=$(az acr show -n "$registry_name" --query "id" -o tsv)

# Grant the task identity AcrPush, scoped to this registry only
echo "assign AcrPush role to the system identity for registry: $registry_resource_id"
az role assignment create --role AcrPush --assignee-object-id "$system_identity_principal" --assignee-principal-type ServicePrincipal --scope "$registry_resource_id"

# Have the task authenticate to the registry with its system identity
echo "enable system identity login on registry: $registry_login_server"
az acr task credential add -r "$registry_name" -n "$task_name" --login-server "$registry_login_server" --use-identity '[system]'

Schedule the task run with the local source to build/push the image to the registry

registry_name="myregistry"
task_name="mybuildtask"

az acr task run -r "$registry_name" -n "$task_name" --set image=myrepo:mytag --set dockerfile=Dockerfile .
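
A check for the Prepare step, added here and not part of the original gist: it lists the role assignments held by the task's system identity and flags anything other than AcrPush scoped to the registry itself. The function names `audit_assignments` and `audit_task_identity` are hypothetical, and `audit_task_identity` assumes a logged-in `az` session with permission to read role assignments.

```bash
# Added example (not from the original gist). Function names are hypothetical.

# Reads "role<TAB>scope" rows on stdin and compares them with the single
# assignment the Prepare script creates: AcrPush on the registry resource ID.
# Exit status 0 means the identity holds exactly that and nothing else.
audit_assignments() (
  # Azure resource IDs are case-insensitive, so compare in lower case.
  want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  tab=$(printf '\t')
  found=0
  rc=0
  while IFS="$tab" read -r role scope; do
    [ -n "$role" ] || continue
    got=$(printf '%s' "$scope" | tr '[:upper:]' '[:lower:]')
    if [ "$role" = "AcrPush" ] && [ "$got" = "$want" ]; then
      found=1
    else
      # Any other role, or AcrPush at a wider scope, exceeds what the task needs.
      echo "UNEXPECTED: '$role' at $scope"
      rc=1
    fi
  done
  if [ "$found" -eq 0 ]; then
    echo "MISSING: AcrPush at $1"
    rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: identity holds only AcrPush on the registry"
  exit "$rc"
)

# Fetches the live values with the Azure CLI and feeds them to the audit.
# Usage: audit_task_identity myregistry mybuildtask
audit_task_identity() {
  registry_id=$(az acr show -n "$1" --query "id" -o tsv) || return 2
  principal=$(az acr task show -r "$1" -n "$2" \
    --query "identity.principalId" -o tsv) || return 2
  az role assignment list --assignee "$principal" --all \
    --query "[].[roleDefinitionName, scope]" -o tsv |
    audit_assignments "$registry_id"
}
```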
