Refactor ACR authentication to use Azure SDK TokenCredential

- Add LoginToRegistryAsync method to IContainerRuntime interface
- Implement LoginToRegistryAsync in ContainerRuntimeBase with stdin support
- Add StandardInputContent to ProcessSpec and update ProcessUtil to handle it
- Update FakeContainerRuntime for testing
- Refactor AzureEnvironmentResourceHelpers to use IContainerRuntime and ITokenCredentialProvider
- Use TokenCredential to acquire ACR access token (scope: https://containerregistry.azure.com/.default)
- Login with username 00000000-0000-0000-0000-000000000000 and token as password
- Add InternalsVisibleTo for Azure projects to access IContainerRuntime
- Remove duplicate shared file compile links from Azure projects
- Log process output with PipelineStepContext.Logger at debug level
- Throw exception on non-zero exit code to fail overall step

Co-authored-by: davidfowl <[email protected]>

Author: Copilot

src/Aspire.Hosting.Azure.AppContainers/Aspire.Hosting.Azure.AppContainers.csproj

@@ -9,7 +9,6 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <Compile Include="$(SharedDir)ResourceNameComparer.cs" LinkBase="Shared\ResourceNameComparer.cs" />
     <Compile Include="$(SharedDir)BicepFormattingHelpers.cs" LinkBase="Shared\BicepFormattingHelpers.cs" />
   </ItemGroup>
 

src/Aspire.Hosting.Azure.AppService/Aspire.Hosting.Azure.AppService.csproj

@@ -10,7 +10,6 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <Compile Include="$(SharedDir)ResourceNameComparer.cs" LinkBase="Shared\ResourceNameComparer.cs" />
     <Compile Include="$(SharedDir)BicepFormattingHelpers.cs" LinkBase="Shared\BicepFormattingHelpers.cs" />
   </ItemGroup>
 

src/Aspire.Hosting.Azure/Aspire.Hosting.Azure.csproj

@@ -10,12 +10,6 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <Compile Include="..\Aspire.Hosting\Dcp\Process\ProcessResult.cs" Link="Provisioning\Utils\ProcessResult.cs" />
-    <Compile Include="..\Aspire.Hosting\Dcp\Process\ProcessSpec.cs" Link="Provisioning\Utils\ProcessSpec.cs" />
-    <Compile Include="..\Aspire.Hosting\Dcp\Process\ProcessUtil.cs" Link="Provisioning\Utils\ProcessUtil.cs" />
-    <Compile Include="$(SharedDir)CustomResourceSnapshotExtensions.cs" Link="Provisioning\Utils\CustomResourceSnapshotExtensions.cs" />
-    <Compile Include="$(SharedDir)StringComparers.cs" Link="Provisioning\Utils\StringComparers.cs" />
-    <Compile Include="$(SharedDir)Model\KnownRelationshipTypes.cs" />
   </ItemGroup>
 
   <ItemGroup>

src/Aspire.Hosting.Azure/AzureEnvironmentResourceHelpers.cs

@@ -9,8 +9,9 @@
 using Aspire.Hosting.Dcp.Process;
 using Aspire.Hosting.Pipelines;
 using Aspire.Hosting.Publishing;
-using Microsoft.Extensions.Configuration;
+using Azure.Core;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
 
 namespace Aspire.Hosting.Azure;
 
@@ -19,64 +20,86 @@ namespace Aspire.Hosting.Azure;
 /// </summary>
 internal static class AzureEnvironmentResourceHelpers
 {
+    private const string AcrUsername = "00000000-0000-0000-0000-000000000000";
+    private const string AcrScope = "https://containerregistry.azure.com/.default";
+
     public static async Task LoginToRegistryAsync(IContainerRegistry registry, PipelineStepContext context)
     {
-        var processRunner = context.Services.GetRequiredService<IProcessRunner>();
-        var configuration = context.Services.GetRequiredService<IConfiguration>();
+        var containerRuntime = context.Services.GetRequiredService<IContainerRuntime>();
+        var tokenCredentialProvider = context.Services.GetRequiredService<ITokenCredentialProvider>();
 
         var registryName = await registry.Name.GetValueAsync(context.CancellationToken).ConfigureAwait(false) ??
                          throw new InvalidOperationException("Failed to retrieve container registry information.");
+        
+        var registryEndpoint = await registry.Endpoint.GetValueAsync(context.CancellationToken).ConfigureAwait(false) ??
+                              throw new InvalidOperationException("Failed to retrieve container registry endpoint.");
 
         var loginTask = await context.ReportingStep.CreateTaskAsync($"Logging in to **{registryName}**", context.CancellationToken).ConfigureAwait(false);
         await using (loginTask.ConfigureAwait(false))
         {
-            await AuthenticateToAcrHelper(loginTask, registryName, context.CancellationToken, processRunner, configuration).ConfigureAwait(false);
+            await AuthenticateToAcrHelper(loginTask, registryEndpoint, containerRuntime, tokenCredentialProvider.TokenCredential, context.Logger, context.CancellationToken).ConfigureAwait(false);
         }
     }
 
-    private static async Task AuthenticateToAcrHelper(IReportingTask loginTask, string registryName, CancellationToken cancellationToken, IProcessRunner processRunner, IConfiguration configuration)
+    private static async Task AuthenticateToAcrHelper(IReportingTask loginTask, string registryEndpoint, IContainerRuntime containerRuntime, TokenCredential credential, ILogger logger, CancellationToken cancellationToken)
     {
-        var command = BicepCliCompiler.FindFullPathFromPath("az") ?? throw new InvalidOperationException("Failed to find 'az' command");
         try
         {
-            var loginSpec = new ProcessSpec(command)
-            {
-                Arguments = $"acr login --name {registryName}",
-                ThrowOnNonZeroReturnCode = false
-            };
+            // Acquire access token for Azure Container Registry
+            var tokenRequestContext = new TokenRequestContext([AcrScope]);
+            var accessToken = await credential.GetTokenAsync(tokenRequestContext, cancellationToken).ConfigureAwait(false);
 
-            // Set DOCKER_COMMAND environment variable if using podman
-            var containerRuntime = GetContainerRuntime(configuration);
-            if (string.Equals(containerRuntime, "podman", StringComparison.OrdinalIgnoreCase))
-            {
-                loginSpec.EnvironmentVariables["DOCKER_COMMAND"] = "podman";
-            }
+            logger.LogDebug("Logging in to registry {RegistryEndpoint} using container runtime {RuntimeName}", registryEndpoint, containerRuntime.Name);
 
-            var (pendingResult, processDisposable) = processRunner.Run(loginSpec);
-            await using (processDisposable.ConfigureAwait(false))
-            {
-                var result = await pendingResult.WaitAsync(cancellationToken).ConfigureAwait(false);
+            // Login to the registry using the container runtime with custom logging
+            await LoginToRegistryWithLoggingAsync(containerRuntime, registryEndpoint, AcrUsername, accessToken.Token, logger, cancellationToken).ConfigureAwait(false);
 
-                if (result.ExitCode != 0)
-                {
-                    await loginTask.FailAsync($"Login to ACR **{registryName}** failed with exit code {result.ExitCode}", cancellationToken: cancellationToken).ConfigureAwait(false);
-                }
-                else
-                {
-                    await loginTask.CompleteAsync($"Successfully logged in to **{registryName}**", CompletionState.Completed, cancellationToken).ConfigureAwait(false);
-                }
-            }
+            await loginTask.CompleteAsync($"Successfully logged in to **{registryEndpoint}**", CompletionState.Completed, cancellationToken).ConfigureAwait(false);
         }
-        catch (Exception)
+        catch (Exception ex)
         {
+            await loginTask.FailAsync($"Login to ACR **{registryEndpoint}** failed: {ex.Message}", cancellationToken: cancellationToken).ConfigureAwait(false);
             throw;
         }
     }
 
-    private static string? GetContainerRuntime(IConfiguration configuration)
+    private static async Task LoginToRegistryWithLoggingAsync(IContainerRuntime containerRuntime, string registryServer, string username, string password, ILogger logger, CancellationToken cancellationToken)
     {
-        // Fall back to known config names (primary and legacy)
-        return configuration["ASPIRE_CONTAINER_RUNTIME"] ?? configuration["DOTNET_ASPIRE_CONTAINER_RUNTIME"];
+        var arguments = $"login \"{registryServer}\" --username \"{username}\" --password-stdin";
+        
+        var spec = new ProcessSpec(containerRuntime is DockerContainerRuntime ? "docker" : "podman")
+        {
+            Arguments = arguments,
+            StandardInputContent = password,
+            OnOutputData = output =>
+            {
+                logger.LogDebug("{RuntimeName} login (stdout): {Output}", containerRuntime.Name, output);
+            },
+            OnErrorData = error =>
+            {
+                logger.LogDebug("{RuntimeName} login (stderr): {Error}", containerRuntime.Name, error);
+            },
+            ThrowOnNonZeroReturnCode = false,
+            InheritEnv = true
+        };
+        
+        logger.LogDebug("Running {RuntimeName} login to registry: {RegistryServer}", containerRuntime.Name, registryServer);
+        var (pendingProcessResult, processDisposable) = ProcessUtil.Run(spec);
+
+        await using (processDisposable)
+        {
+            var processResult = await pendingProcessResult
+                .WaitAsync(cancellationToken)
+                .ConfigureAwait(false);
+
+            if (processResult.ExitCode != 0)
+            {
+                logger.LogError("{RuntimeName} login to {RegistryServer} failed with exit code {ExitCode}.", containerRuntime.Name, registryServer, processResult.ExitCode);
+                throw new DistributedApplicationException($"{containerRuntime.Name} login failed with exit code {processResult.ExitCode}.");
+            }
+
+            logger.LogDebug("{RuntimeName} login to {RegistryServer} succeeded.", containerRuntime.Name, registryServer);
+        }
     }
 
     public static async Task PushImageToRegistryAsync(IContainerRegistry registry, IResource resource, PipelineStepContext context, IResourceContainerImageBuilder containerImageBuilder)

src/Aspire.Hosting/Aspire.Hosting.csproj

@@ -111,6 +111,9 @@
     <InternalsVisibleTo Include="Aspire.Hosting.Containers.Tests" />
     <InternalsVisibleTo Include="Aspire.TestUtilities" />
     <InternalsVisibleTo Include="Aspire.Cli.Tests" />
+    <InternalsVisibleTo Include="Aspire.Hosting.Azure" />
+    <InternalsVisibleTo Include="Aspire.Hosting.Azure.AppContainers" />
+    <InternalsVisibleTo Include="Aspire.Hosting.Azure.AppService" />
   </ItemGroup>
 
 </Project>

src/Aspire.Hosting/Dcp/Process/ProcessSpec.cs

@@ -16,6 +16,7 @@ internal sealed class ProcessSpec
     public Action<int>? OnStop { get; init; }
     public bool KillEntireProcessTree { get; init; } = true;
     public bool ThrowOnNonZeroReturnCode { get; init; } = true;
+    public string? StandardInputContent { get; init; }
 
     public ProcessSpec(string executablePath)
     {

src/Aspire.Hosting/Dcp/Process/ProcessUtil.cs

@@ -28,6 +28,7 @@ public static (Task<ProcessResult>, IAsyncDisposable) Run(ProcessSpec processSpe
                 Arguments = processSpec.Arguments,
                 RedirectStandardOutput = true,
                 RedirectStandardError = true,
+                RedirectStandardInput = processSpec.StandardInputContent != null,
                 UseShellExecute = false,
                 CreateNoWindow = true,
                 WindowStyle = ProcessWindowStyle.Hidden,
@@ -91,6 +92,14 @@ public static (Task<ProcessResult>, IAsyncDisposable) Run(ProcessSpec processSpe
 #endif
 
             process.Start();
+            
+            // Write standard input if provided
+            if (processSpec.StandardInputContent != null)
+            {
+                process.StandardInput.WriteLine(processSpec.StandardInputContent);
+                process.StandardInput.Close();
+            }
+            
             process.BeginOutputReadLine();
             process.BeginErrorReadLine();
             processSpec.OnStart?.Invoke(process.Id);

src/Aspire.Hosting/Publishing/ContainerRuntimeBase.cs

@@ -76,6 +76,45 @@ await ExecuteContainerCommandAsync(
             imageName).ConfigureAwait(false);
     }
 
+    public virtual async Task LoginToRegistryAsync(string registryServer, string username, string password, CancellationToken cancellationToken)
+    {
+        var arguments = $"login \"{registryServer}\" --username \"{username}\" --password-stdin";
+        
+        var spec = new ProcessSpec(RuntimeExecutable)
+        {
+            Arguments = arguments,
+            StandardInputContent = password,
+            OnOutputData = output =>
+            {
+                _logger.LogDebug("{RuntimeName} (stdout): {Output}", RuntimeExecutable, output);
+            },
+            OnErrorData = error =>
+            {
+                _logger.LogDebug("{RuntimeName} (stderr): {Error}", RuntimeExecutable, error);
+            },
+            ThrowOnNonZeroReturnCode = false,
+            InheritEnv = true
+        };
+        
+        _logger.LogDebug("Running {RuntimeName} login to registry: {RegistryServer}", Name, registryServer);
+        var (pendingProcessResult, processDisposable) = ProcessUtil.Run(spec);
+
+        await using (processDisposable)
+        {
+            var processResult = await pendingProcessResult
+                .WaitAsync(cancellationToken)
+                .ConfigureAwait(false);
+
+            if (processResult.ExitCode != 0)
+            {
+                _logger.LogError("{RuntimeName} login to {RegistryServer} failed with exit code {ExitCode}.", Name, registryServer, processResult.ExitCode);
+                throw new DistributedApplicationException($"{Name} login failed with exit code {processResult.ExitCode}.");
+            }
+
+            _logger.LogInformation("{RuntimeName} login to {RegistryServer} succeeded.", Name, registryServer);
+        }
+    }
+
     /// <summary>
     /// Executes a container runtime command with standard logging and error handling.
     /// </summary>

src/Aspire.Hosting/Publishing/IContainerRuntime.cs

@@ -13,4 +13,5 @@ internal interface IContainerRuntime
     Task TagImageAsync(string localImageName, string targetImageName, CancellationToken cancellationToken);
     Task RemoveImageAsync(string imageName, CancellationToken cancellationToken);
     Task PushImageAsync(string imageName, CancellationToken cancellationToken);
+    Task LoginToRegistryAsync(string registryServer, string username, string password, CancellationToken cancellationToken);
 }

tests/Aspire.Hosting.Tests/Publishing/FakeContainerRuntime.cs

@@ -15,10 +15,12 @@ internal sealed class FakeContainerRuntime(bool shouldFail = false) : IContainer
     public bool WasRemoveImageCalled { get; private set; }
     public bool WasPushImageCalled { get; private set; }
     public bool WasBuildImageCalled { get; private set; }
+    public bool WasLoginToRegistryCalled { get; private set; }
     public List<(string localImageName, string targetImageName)> TagImageCalls { get; } = [];
     public List<string> RemoveImageCalls { get; } = [];
     public List<string> PushImageCalls { get; } = [];
     public List<(string contextPath, string dockerfilePath, string imageName, ContainerBuildOptions? options)> BuildImageCalls { get; } = [];
+    public List<(string registryServer, string username, string password)> LoginToRegistryCalls { get; } = [];
     public Dictionary<string, string?>? CapturedBuildArguments { get; private set; }
     public Dictionary<string, string?>? CapturedBuildSecrets { get; private set; }
     public string? CapturedStage { get; private set; }
@@ -79,4 +81,15 @@ public Task BuildImageAsync(string contextPath, string dockerfilePath, string im
         // For testing, we don't need to actually build anything
         return Task.CompletedTask;
     }
+
+    public Task LoginToRegistryAsync(string registryServer, string username, string password, CancellationToken cancellationToken)
+    {
+        WasLoginToRegistryCalled = true;
+        LoginToRegistryCalls.Add((registryServer, username, password));
+        if (shouldFail)
+        {
+            throw new InvalidOperationException("Fake container runtime is configured to fail");
+        }
+        return Task.CompletedTask;
+    }
 }