Hello team! I am trying to create Service Endpoint...
# azure
w
Hello team! I am trying to create a Service Endpoint on Azure with Managed Identity:
```python
import pulumi_azuredevops as azuredevops

example_service_endpoint_docker_registry = azuredevops.ServiceEndpointAzureEcr(
    "devRegistryDemo",
    authorization={
        "scheme": "ManagedServiceIdentity",
    },
    service_endpoint_name="devRegistryDemo",
    project_id=example_project.id,
    description="",
    azurecr_subscription_id="xxxx-xxxxxx-xxxxx",
    azurecr_subscription_name="dev",
    azurecr_spn_tenantid="XXXX-XXXX-XXX-XXX",
    azurecr_name="XXXX.azurecr.io",
    resource_group=""
)
```
but I get this all the time:
```text
stderr: error: azuredevops:index/serviceEndpointAzureEcr:ServiceEndpointAzureEcr resource 'devRegistryDemo' has a problem: expected type of "authorization" to be string. Examine values at 'devRegistryDemo.authorization'.
```
Any idea? And in the definition, authorization is
```python
authorization: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
```
thanks in advance!!!
a
"Azure Container Registry" specific Service connections don't yet support Workload identities (OIDC) – see comments here and here. What you can do as a workaround until then is to create a "generic" Azure service connection with azuredevops.ServiceEndpointAzureRM, setting the auth scheme to:
```python
service_endpoint_authentication_scheme="WorkloadIdentityFederation",
```
If you want the associated service principal (which has the ADO OIDC federated credentials) to only have permissions to push/pull from ACR, you'd only assign AcrPush / AcrPull roles – preferably scoped down to the particular registry. What you then have to do to use this in your pipelines is to add an AzureCLI task in your ADO pipeline before the Docker task to authenticate against the ACR with the AzureRM service connection. Here's a bash version of that... convert it to PowerShell if this is a Windows runner...
```yaml
- task: AzureCLI@2
  displayName: 'Azure Container Registry Login'
  inputs:
    azureSubscription: $(your-azurerm-oidc-service-connection)
    useGlobalConfig: true
    scriptType: 'bash'
    scriptLocation: inlineScript
    inlineScript: |
      az acr login --name $(your-registry)
```
And then you can build/push with the Docker task:
```yaml
- task: Docker@2
  displayName: Build
  inputs:
    command: build
    repository: ${{ parameters.your-registry }}/<your-container-repo>
    dockerfile: ...
    buildContext: ...
    tags: ...
```
w
Hello @adventurous-butcher-54166!! And thanks for the response, really good answer!!! So basically I don't need the `ServiceEndpointAzureRM`; I can just use it through AzureRM and give them permissions, right? Thanks, I will try!!! Thanks!!!