[BUG]: HelmDeploy@1 ignores service connection identity and uses wrong service principal for Kubernetes operations

[darthmolen]

New issue checklist

• I searched for existing GitHub issues
• I read pipeline troubleshooting guide
• I checked how to collect logs

Task name

HelmDeploy

Task version

1

Issue Description

Summary

The HelmDeploy@1 task with connectionType: 'Azure Resource Manager' correctly authenticates to Azure using the specified service connection but then uses a different identity (the ado project identity) when performing Kubernetes operations, ignoring the service connection's identity that has been granted appropriate Kubernetes RBAC permissions.

Environment

• Azure DevOps Hosted Agent (Ubuntu)
• HelmDeploy@1 version: 1.256.0
• AKS with Entra ID (Azure AD) integration enabled
• Service Connection using Workload Identity Federation

Steps to Reproduce

1. Create an AKS cluster with Entra ID integration
2. Create a service connection with Workload Identity Federation
3. Grant the service connection's service principal appropriate Kubernetes RBAC permissions
4. Use HelmDeploy@1 task with the service connection:

- task: HelmDeploy@1
  inputs:
    connectionType: 'Azure Resource Manager'
    azureSubscriptionEndpoint: 'my-service-connection'
    azureResourceGroup: 'my-resource-group'
    kubernetesCluster: 'my-aks-cluster'
    namespace: 'my-namespace'
    command: 'upgrade'
    chartName: 'my-chart'
    releaseName: 'my-release'

Expected Behavior

The task should use the service connection's identity (which has proper Kubernetes RBAC permissions) for all Kubernetes operations.

Actual Behavior

The task:

1. Successfully authenticates to Azure using the service connection (verified in logs)
2. Successfully retrieves kubeconfig via listClusterUserCredential API
3. BUG: Uses a different identity for Kubernetes operations, resulting in RBAC errors

##[debug]774094b1-d28f-4707-82d2-bdad7e4f4f8f auth param serviceprincipalid = ***
##[debug]Using msalv2
##[debug]774094b1-d28f-4707-82d2-bdad7e4f4f8f auth scheme = WorkloadIdentityFederation

Logs

[command]/azp/_tool/helm/3.18.3/x64/linux-amd64/helm upgrade --namespace wms-tasks-dev --install --values /azp/5/a/build-artifacts/azure/releases/dev-values.yaml --set image.buildNumber=20250617.4 --wait wms-tasks-dev oci://***/helm/dot-net-multi-host-app
Error: query: failed to query with labels: secrets is forbidden: User "c00f74a9-9758-423d-b855-5dd222e90d8e" cannot list resource "secrets" in API group "" in the namespace "wms-tasks-dev"

The error shows a different service principal ID (c00f74a9-9758-423d-b855-5dd222e90d8e) than the one specified in the service connection.

Impact

This bug prevents teams from using service connections with properly scoped Kubernetes RBAC permissions. It forces users to either:

1. Grant permissions to an identity they don't control
2. Use useClusterAdmin: true (security risk)
3. Abandon the task and use custom scripts

Root Cause Analysis

The task appears to use listClusterUserCredential which returns a generic kubeconfig instead of one authenticated with the service connection's identity. When using Entra ID integration, the task should ensure the kubeconfig uses the service connection's identity for Kubernetes authentication.

Suggested Fix

When connectionType: 'Azure Resource Manager' is used with an Entra ID-enabled AKS cluster:

1. The task should configure kubelogin to use the service connection's identity
2. Or provide an option to specify the authentication method (workloadidentity, spn, etc.)
3. At minimum, document this limitation clearly

15_Deploy Helm Chart (Azure Resource Manager).txt

Environment type (Please select at least one enviroment where you face this issue)

• Self-Hosted
• Microsoft Hosted
• VMSS Pool
• Container

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Azure DevOps Server Version (if applicable)

No response

Operation system

Ubuntu 22.04

Relevant log output

2025-06-17T17:36:42.1999142Z ##[error]Error: query: failed to query with labels: secrets is forbidden: User "c00f74a9-9758-423d-b855-5dd222e90d8e" cannot list resource "secrets" in API group "" in the namespace "wms-tasks-dev": User does not have access to the resource in Azure. Update role assignment to allow access.

Full task logs with system.debug enabled

2025-06-17T17:36:37.9185522Z ##[debug]Evaluating condition for step: 'Deploy Helm Chart (Azure Resource Manager)' 2025-06-17T17:36:37.9186519Z ##[debug]Evaluating: SucceededNode() 2025-06-17T17:36:37.9186831Z ##[debug]Evaluating SucceededNode: 2025-06-17T17:36:37.9187301Z ##[debug]=> True 2025-06-17T17:36:37.9187637Z ##[debug]Result: True 2025-06-17T17:36:37.9187985Z ##[section]Starting: Deploy Helm Chart (Azure Resource Manager) 2025-06-17T17:36:37.9195001Z ============================================================================== 2025-06-17T17:36:37.9195151Z Task : Package and deploy Helm charts 2025-06-17T17:36:37.9195232Z Description : Deploy, configure, update a Kubernetes cluster in Azure Container Service by running helm commands 2025-06-17T17:36:37.9195381Z Version : 1.256.0 2025-06-17T17:36:37.9195450Z Author : Microsoft Corporation 2025-06-17T17:36:37.9195546Z Help : https://aka.ms/azpipes-helm-tsg 2025-06-17T17:36:37.9195626Z ============================================================================== 2025-06-17T17:36:38.0864829Z ##[debug]Agent environment resources - Disk: / Available 64726.73 MB out of 126841.92 MB, Memory: Used 5948.00 MB out of 32093.00 MB, CPU: Usage 12.99% 2025-06-17T17:36:39.8250862Z ##[debug]Using node path: /azp/externals/node20_1/bin/node 2025-06-17T17:36:39.9207478Z ##[debug]agent.TempDirectory=/azp/_temp 2025-06-17T17:36:39.9220523Z ##[debug]loading inputs and endpoints 2025-06-17T17:36:39.9223165Z ##[debug]loading INPUT_CONNECTIONTYPE 2025-06-17T17:36:39.9246115Z ##[debug]loading INPUT_AZURESUBSCRIPTIONENDPOINT 2025-06-17T17:36:39.9247306Z ##[debug]loading INPUT_AZURERESOURCEGROUP 2025-06-17T17:36:39.9249505Z ##[debug]loading INPUT_KUBERNETESCLUSTER 2025-06-17T17:36:39.9251948Z ##[debug]loading INPUT_USECLUSTERADMIN 2025-06-17T17:36:39.9253530Z ##[debug]loading INPUT_NAMESPACE 2025-06-17T17:36:39.9256006Z ##[debug]loading INPUT_COMMAND 2025-06-17T17:36:39.9258874Z ##[debug]loading INPUT_CHARTTYPE 2025-06-17T17:36:39.9263205Z ##[debug]loading INPUT_CHARTNAME 2025-06-17T17:36:39.9265720Z ##[debug]loading INPUT_CHARTPATH 2025-06-17T17:36:39.9270836Z ##[debug]loading INPUT_RELEASENAME 2025-06-17T17:36:39.9275057Z ##[debug]loading INPUT_OVERRIDEVALUES 2025-06-17T17:36:39.9277460Z ##[debug]loading INPUT_VALUEFILE 2025-06-17T17:36:39.9280443Z ##[debug]loading INPUT_DESTINATION 2025-06-17T17:36:39.9281816Z ##[debug]loading INPUT_CANARYIMAGE 2025-06-17T17:36:39.9284468Z ##[debug]loading INPUT_UPGRADETILLER 2025-06-17T17:36:39.9286427Z ##[debug]loading INPUT_UPDATEDEPENDENCY 2025-06-17T17:36:39.9288820Z ##[debug]loading INPUT_SAVE 2025-06-17T17:36:39.9290750Z ##[debug]loading INPUT_INSTALL 2025-06-17T17:36:39.9294195Z ##[debug]loading INPUT_RECREATE 2025-06-17T17:36:39.9299936Z ##[debug]loading INPUT_RESETVALUES 2025-06-17T17:36:39.9301237Z ##[debug]loading INPUT_FORCE 2025-06-17T17:36:39.9303046Z ##[debug]loading INPUT_WAITFOREXECUTION 2025-06-17T17:36:39.9304067Z ##[debug]loading INPUT_ENABLETLS 2025-06-17T17:36:39.9306457Z ##[debug]loading INPUT_FAILONSTDERR 2025-06-17T17:36:39.9307511Z ##[debug]loading INPUT_PUBLISHPIPELINEMETADATA 2025-06-17T17:36:39.9309812Z ##[debug]loading INPUT_CHARTPATHFORACR 2025-06-17T17:36:39.9311851Z ##[debug]loading ENDPOINT_AUTH_774094b1-d28f-4707-82d2-bdad7e4f4f8f 2025-06-17T17:36:39.9312614Z ##[debug]loading ENDPOINT_AUTH_SCHEME_774094b1-d28f-4707-82d2-bdad7e4f4f8f 2025-06-17T17:36:39.9314291Z ##[debug]loading ENDPOINT_AUTH_PARAMETER_774094b1-d28f-4707-82d2-bdad7e4f4f8f_TENANTID 2025-06-17T17:36:39.9315630Z ##[debug]loading ENDPOINT_AUTH_PARAMETER_774094b1-d28f-4707-82d2-bdad7e4f4f8f_WORKLOADIDENTITYFEDERATIONISSUERTYPE 2025-06-17T17:36:39.9316864Z ##[debug]loading ENDPOINT_AUTH_PARAMETER_774094b1-d28f-4707-82d2-bdad7e4f4f8f_WORKLOADIDENTITYFEDERATIONISSUER 2025-06-17T17:36:39.9318071Z ##[debug]loading ENDPOINT_AUTH_PARAMETER_774094b1-d28f-4707-82d2-bdad7e4f4f8f_WORKLOADIDENTITYFEDERATIONSUBJECT 2025-06-17T17:36:39.9319330Z ##[debug]loading ENDPOINT_AUTH_PARAMETER_774094b1-d28f-4707-82d2-bdad7e4f4f8f_SCOPE 2025-06-17T17:36:39.9321061Z ##[debug]loading ENDPOINT_AUTH_PARAMETER_774094b1-d28f-4707-82d2-bdad7e4f4f8f_SERVICEPRINCIPALID 2025-06-17T17:36:39.9323813Z ##[debug]loading ENDPOINT_AUTH_SYSTEMVSSCONNECTION 2025-06-17T17:36:39.9324978Z ##[debug]loading ENDPOINT_AUTH_SCHEME_SYSTEMVSSCONNECTION 2025-06-17T17:36:39.9326853Z ##[debug]loading ENDPOINT_AUTH_PARAMETER_SYSTEMVSSCONNECTION_ACCESSTOKEN 2025-06-17T17:36:39.9342458Z ##[debug]loading SECRET_SYSTEM_ACCESSTOKEN 2025-06-17T17:36:39.9343004Z ##[debug]loading SECRET_CONTAINER_AUTHENTICATIONTOKEN 2025-06-17T17:36:39.9343495Z ##[debug]loading SECRET_POSTGRES-CONNECTIONSTRING 2025-06-17T17:36:39.9343937Z ##[debug]loaded 41 2025-06-17T17:36:39.9351965Z ##[debug]Agent.ProxyUrl=undefined 2025-06-17T17:36:39.9352487Z ##[debug]Agent.CAInfo=undefined 2025-06-17T17:36:39.9353080Z ##[debug]Agent.ClientCert=undefined 2025-06-17T17:36:39.9353539Z ##[debug]Agent.SkipCertValidation=undefined 2025-06-17T17:36:39.9655095Z ##[debug]namespace=wms-tasks-dev 2025-06-17T17:36:39.9999067Z ##[debug]agent.proxyurl=undefined 2025-06-17T17:36:39.9999757Z ##[debug]VSTS_ARM_REST_IGNORE_SSL_ERRORS=undefined 2025-06-17T17:36:40.0000322Z ##[debug]AZURE_HTTP_USER_AGENT=VSTS_b55063b0-e54b-43ed-9a52-42437b37ab17_build_212_0 2025-06-17T17:36:40.0013578Z ##[debug]System.TeamFoundationCollectionUri=https://dev.azure.com/xyz/ 2025-06-17T17:36:40.0014149Z ##[debug]System.HostType=build 2025-06-17T17:36:40.0014588Z ##[debug]System.DefaultWorkingDirectory=/azp/5/s 2025-06-17T17:36:40.0015046Z ##[debug]Build.SourceBranchName=main 2025-06-17T17:36:40.0015483Z ##[debug]Build.Repository.Provider=TfsGit 2025-06-17T17:36:40.0016009Z ##[debug]Build.Repository.Uri=https://xyz@dev.azure.com/xyz/X.Y.Z.Integration/_git/CSAT.IT.Dell.Wms.Tasks 2025-06-17T17:36:40.1334306Z ##[debug]namespace=wms-tasks-dev 2025-06-17T17:36:40.1334996Z ##[debug]check path : /azp/_tasks/HelmDeploy_afa7d54d-537b-4dc8-b60a-e0eeea2c9a87/1.256.0/task.json 2025-06-17T17:36:40.1338729Z ##[debug]adding resource file: /azp/_tasks/HelmDeploy_afa7d54d-537b-4dc8-b60a-e0eeea2c9a87/1.256.0/task.json 2025-06-17T17:36:40.1339811Z ##[debug]system.culture=en-US 2025-06-17T17:36:40.1366958Z ##[debug]check path : /azp/_tasks/HelmDeploy_afa7d54d-537b-4dc8-b60a-e0eeea2c9a87/1.256.0/node_modules/azure-pipelines-tasks-azure-arm-rest/module.json 2025-06-17T17:36:40.1367647Z ##[debug]adding resource file: /azp/_tasks/HelmDeploy_afa7d54d-537b-4dc8-b60a-e0eeea2c9a87/1.256.0/node_modules/azure-pipelines-tasks-azure-arm-rest/module.json 2025-06-17T17:36:40.1368176Z ##[debug]system.culture=en-US 2025-06-17T17:36:40.1412776Z ##[debug]command=upgrade 2025-06-17T17:36:40.1414632Z ##[debug]connectionType=Azure Resource Manager 2025-06-17T17:36:40.1416423Z ##[debug]connectionType=Azure Resource Manager 2025-06-17T17:36:40.1422695Z ##[debug]connectionType=Azure Resource Manager 2025-06-17T17:36:40.1425007Z ##[debug]azureSubscriptionEndpoint=774094b1-d28f-4707-82d2-bdad7e4f4f8f 2025-06-17T17:36:40.1425563Z ##[debug]kubernetesCluster=aks-x-preprod-002 2025-06-17T17:36:40.1426835Z ##[debug]azureResourceGroup=rg-x-preprod-002 2025-06-17T17:36:40.1429225Z ##[debug]useClusterAdmin=false 2025-06-17T17:36:40.1431530Z ##[debug]connectionType=Azure Resource Manager 2025-06-17T17:36:40.1433761Z ##[debug]azureSubscriptionEndpoint=774094b1-d28f-4707-82d2-bdad7e4f4f8f 2025-06-17T17:36:40.1468438Z ##[debug]agent.proxyurl=undefined 2025-06-17T17:36:40.1468963Z ##[debug]VSTS_ARM_REST_IGNORE_SSL_ERRORS=undefined 2025-06-17T17:36:40.1469469Z ##[debug]AZURE_HTTP_USER_AGENT=VSTS_b55063b0-e54b-43ed-9a52-42437b37ab17_build_212_0 2025-06-17T17:36:40.1491905Z ##[debug]Resource file has already set to: /azp/_tasks/HelmDeploy_afa7d54d-537b-4dc8-b60a-e0eeea2c9a87/1.256.0/node_modules/azure-pipelines-tasks-azure-arm-rest/module.json 2025-06-17T17:36:40.1492708Z ##[debug]Resource file has already set to: /azp/_tasks/HelmDeploy_afa7d54d-537b-4dc8-b60a-e0eeea2c9a87/1.256.0/node_modules/azure-pipelines-tasks-azure-arm-rest/module.json 2025-06-17T17:36:40.1493342Z ##[debug]Resource file has already set to: /azp/_tasks/HelmDeploy_afa7d54d-537b-4dc8-b60a-e0eeea2c9a87/1.256.0/node_modules/azure-pipelines-tasks-azure-arm-rest/module.json 2025-06-17T17:36:40.3044076Z ##[debug]Using msalv2 2025-06-17T17:36:40.3388857Z ##[debug]Resource file has already set to: /azp/_tasks/HelmDeploy_afa7d54d-537b-4dc8-b60a-e0eeea2c9a87/1.256.0/node_modules/azure-pipelines-tasks-azure-arm-rest/module.json 2025-06-17T17:36:40.3389598Z ##[debug]Agent.TempDirectory=/azp/_temp 2025-06-17T17:36:40.3390167Z ##[debug]Resource file has already set to: /azp/_tasks/HelmDeploy_afa7d54d-537b-4dc8-b60a-e0eeea2c9a87/1.256.0/node_modules/azure-pipelines-tasks-azure-arm-rest/module.json 2025-06-17T17:36:40.3390706Z ##[debug]USE_MSAL=true 2025-06-17T17:36:40.3391159Z ##[debug]MSAL - USE_MSAL override is found: true 2025-06-17T17:36:40.3391656Z ##[debug]774094b1-d28f-4707-82d2-bdad7e4f4f8f auth scheme = WorkloadIdentityFederation 2025-06-17T17:36:40.3392186Z ##[debug]Overriding useMSAL to true as workloadidentityfederation supports only MSAL 2025-06-17T17:36:40.3392761Z ##[debug]774094b1-d28f-4707-82d2-bdad7e4f4f8f data subscriptionid = 4887c6b8-af6f-4661-b403-8546fab2987f 2025-06-17T17:36:40.3393322Z ##[debug]774094b1-d28f-4707-82d2-bdad7e4f4f8f data subscriptionname = delta-preprod-001 2025-06-17T17:36:40.3393970Z ##[debug]774094b1-d28f-4707-82d2-bdad7e4f4f8f auth param serviceprincipalid = *** 2025-06-17T17:36:40.3394516Z ##[debug]774094b1-d28f-4707-82d2-bdad7e4f4f8f data activeDirectoryAuthority = https://login.microsoftonline.com/ 2025-06-17T17:36:40.3395205Z ##[debug]774094b1-d28f-4707-82d2-bdad7e4f4f8f auth param tenantid = e22c1771-6aa4-4202-8f83-5431ffed7d9d 2025-06-17T17:36:40.3395723Z ##[debug]774094b1-d28f-4707-82d2-bdad7e4f4f8f=https://management.azure.com/ 2025-06-17T17:36:40.3396235Z ##[debug]774094b1-d28f-4707-82d2-bdad7e4f4f8f data environment = AzureCloud 2025-06-17T17:36:40.3396751Z ##[debug]774094b1-d28f-4707-82d2-bdad7e4f4f8f auth scheme = WorkloadIdentityFederation 2025-06-17T17:36:40.3397259Z ##[debug]774094b1-d28f-4707-82d2-bdad7e4f4f8f data msiclientId = undefined 2025-06-17T17:36:40.3397831Z ##[debug]774094b1-d28f-4707-82d2-bdad7e4f4f8f data activeDirectoryServiceEndpointResourceId = https://management.core.windows.net/ 2025-06-17T17:36:40.3399780Z ##[debug]774094b1-d28f-4707-82d2-bdad7e4f4f8f data AzureKeyVaultServiceEndpointResourceId = https://vault.azure.net 2025-06-17T17:36:40.3400616Z ##[debug]774094b1-d28f-4707-82d2-bdad7e4f4f8f data AzureKeyVaultDnsSuffix = vault.azure.net 2025-06-17T17:36:40.3401155Z ##[debug]774094b1-d28f-4707-82d2-bdad7e4f4f8f data ScopeLevel = Subscription 2025-06-17T17:36:40.3401651Z ##[debug]MSAL - getEndpoint - useGraphActiveDirectoryResource=false 2025-06-17T17:36:40.3402102Z ##[debug]MSAL - getEndpoint - useMSAL=true 2025-06-17T17:36:40.3403033Z ##[debug]MSAL - getEndpoint - endpoint={"subscriptionID":"4887c6b8-af6f-4661-b403-8546fab2987f","subscriptionName":"delta-preprod-001","servicePrincipalClientID":"***","environmentAuthorityUrl":"https://login.microsoftonline.com/","tenantID":"e22c1771-6aa4-4202-8f83-5431ffed7d9d","url":"https://management.azure.com/","environment":"AzureCloud","scheme":"WorkloadIdentityFederation","activeDirectoryResourceID":"https://management.core.windows.net/","azureKeyVaultServiceEndpointResourceId":"https://vault.azure.net","azureKeyVaultDnsSuffix":"vault.azure.net","scopeLevel":"Subscription"} 2025-06-17T17:36:40.3403968Z ##[debug]MSAL - getEndpoint - connectedServiceName=774094b1-d28f-4707-82d2-bdad7e4f4f8f 2025-06-17T17:36:40.3404661Z ##[debug]774094b1-d28f-4707-82d2-bdad7e4f4f8f auth param authenticationType = undefined 2025-06-17T17:36:40.3405243Z ##[debug]774094b1-d28f-4707-82d2-bdad7e4f4f8f data EnableAdfsAuthentication = false 2025-06-17T17:36:40.3405745Z ##[debug]774094b1-d28f-4707-82d2-bdad7e4f4f8f auth param apitoken = undefined 2025-06-17T17:36:40.3407217Z ##[debug]{"subscriptionID":"4887c6b8-af6f-4661-b403-8546fab2987f","subscriptionName":"delta-preprod-001","servicePrincipalClientID":"***","environmentAuthorityUrl":"https://login.microsoftonline.com/","tenantID":"e22c1771-6aa4-4202-8f83-5431ffed7d9d","url":"https://management.azure.com/","environment":"AzureCloud","scheme":"WorkloadIdentityFederation","activeDirectoryResourceID":"https://management.azure.com/","azureKeyVaultServiceEndpointResourceId":"https://vault.azure.net","azureKeyVaultDnsSuffix":"vault.azure.net","scopeLevel":"Subscription","isADFSEnabled":false,"applicationTokenCredentials":{"connectedServiceName":"774094b1-d28f-4707-82d2-bdad7e4f4f8f","clientId":"***","tenantId":"e22c1771-6aa4-4202-8f83-5431ffed7d9d","baseUrl":"https://management.azure.com/","authorityUrl":"https://login.microsoftonline.com/","activeDirectoryResourceId":"https://management.azure.com/","isAzureStackEnvironment":false,"scheme":2,"isADFSEnabled":false,"useMSAL":true,"tokenMutex":{"_semaphore":{"_value":1,"_cancelError":{},"_weightedQueues":[],"_weightedWaiters":[]}}}} 2025-06-17T17:36:40.3408720Z ##[debug]Feature flag USE_AKS_CREDENTIAL_API = true 2025-06-17T17:36:40.3409206Z ##[debug]Kubernetes cluster aks-x-preprod-002, resource group rg-x-preprod-002. 2025-06-17T17:36:40.3421564Z ##[debug]MSAL - getMSALToken called. force=undefined 2025-06-17T17:36:40.3423548Z ##[debug]system.debug=True 2025-06-17T17:36:40.3424008Z ##[debug]system.debug=True 2025-06-17T17:36:40.3424452Z ##[debug]agent.proxyurl=undefined 2025-06-17T17:36:40.3424882Z ##[debug]agent.proxybypasslist=undefined 2025-06-17T17:36:40.3425675Z ##[debug]MSAL - FederatedAccess - OIDC is used. 2025-06-17T17:36:40.3426940Z ##[debug]System.TeamProjectId=dd5ad0fd-68b0-42c8-9b54-fd8a9f3d9ba4 2025-06-17T17:36:40.3427423Z ##[debug]System.HostType=build 2025-06-17T17:36:40.3427875Z ##[debug]System.PlanId=e8595a18-f060-4253-953b-779c1bc75e98 2025-06-17T17:36:40.3428351Z ##[debug]System.JobId=2caf16a4-be4b-5fa5-a387-5d6431e12d8e 2025-06-17T17:36:40.3428833Z ##[debug]System.CollectionUri=https://dev.azure.com/xyz/ 2025-06-17T17:36:40.3429323Z ##[debug]Getting credentials for local feeds 2025-06-17T17:36:40.3430483Z ##[debug]SYSTEMVSSCONNECTION exists true 2025-06-17T17:36:40.3430946Z ##[debug]Got auth token 2025-06-17T17:36:40.5806674Z ##[debug]Got OIDC token 2025-06-17T17:36:40.5819680Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Info - acquireTokenByClientCredential called 2025-06-17T17:36:40.5820311Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Verbose - initializeRequestScopes called 2025-06-17T17:36:40.5833229Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [39282d37-a2c6-4fdc-a269-c38ef31b448f] : @azure/msal-node@2.10.0 : Verbose - buildOauthClientConfiguration called 2025-06-17T17:36:40.5833928Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [39282d37-a2c6-4fdc-a269-c38ef31b448f] : @azure/msal-node@2.10.0 : Verbose - createAuthority called 2025-06-17T17:36:40.5840971Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Trace - Executing function authorityResolveEndpointsAsync 2025-06-17T17:36:40.5843756Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Trace - Retrieving all cache keys 2025-06-17T17:36:40.5844347Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Trace - Getting cache key-value store 2025-06-17T17:36:40.5847992Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Trace - Executing function authorityUpdateCloudDiscoveryMetadata 2025-06-17T17:36:40.5851706Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Verbose - Attempting to get cloud discovery metadata from authority configuration 2025-06-17T17:36:40.5852331Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Verbose - Known Authorities: 2025-06-17T17:36:40.5852887Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Verbose - Authority Metadata: N/A 2025-06-17T17:36:40.5853476Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Verbose - Canonical Authority: https://login.microsoftonline.com/e22c1771-6aa4-4202-8f83-5431ffed7d9d/ 2025-06-17T17:36:40.5854678Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Verbose - Did not find cloud discovery metadata in the config... Attempting to get cloud discovery metadata from the hardcoded values. 2025-06-17T17:36:40.5855697Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Verbose - Found cloud discovery metadata from hardcoded values. 2025-06-17T17:36:40.5856553Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Trace - Returning result from authorityUpdateCloudDiscoveryMetadata 2025-06-17T17:36:40.5857677Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Trace - Executing function authorityUpdateEndpointMetadata 2025-06-17T17:36:40.5860092Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Verbose - Attempting to get endpoint metadata from authority configuration 2025-06-17T17:36:40.5860901Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Verbose - Did not find endpoint metadata in the config... Attempting to get endpoint metadata from the hardcoded values. 2025-06-17T17:36:40.5862125Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Trace - Returning result from authorityUpdateEndpointMetadata 2025-06-17T17:36:40.5864968Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Trace - Item key: authority-metadata-***-login.windows.net 2025-06-17T17:36:40.5865622Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Trace - Getting cache key-value store 2025-06-17T17:36:40.5866254Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Trace - Setting cache key value store 2025-06-17T17:36:40.5866860Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Trace - Returning result from authorityResolveEndpointsAsync 2025-06-17T17:36:40.5869963Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Verbose - Replacing tenant domain name e22c1771-6aa4-4202-8f83-5431ffed7d9d with id {tenantid} 2025-06-17T17:36:40.5870730Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [39282d37-a2c6-4fdc-a269-c38ef31b448f] : @azure/msal-node@2.10.0 : Info - Building oauth client configuration with the following authority: https://login.microsoftonline.com/e22c1771-6aa4-4202-8f83-5431ffed7d9d/oauth2/v2.0/token. 2025-06-17T17:36:40.5873236Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Verbose - Replacing tenant domain name e22c1771-6aa4-4202-8f83-5431ffed7d9d with id {tenantid} 2025-06-17T17:36:40.5878696Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Verbose - Replacing tenant domain name e22c1771-6aa4-4202-8f83-5431ffed7d9d with id {tenantid} 2025-06-17T17:36:40.5884295Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [39282d37-a2c6-4fdc-a269-c38ef31b448f] : @azure/msal-node@2.10.0 : Verbose - Client credential client created 2025-06-17T17:36:40.5892800Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Trace - Getting in-memory cache 2025-06-17T17:36:40.5893490Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Trace - Getting cache key-value store 2025-06-17T17:36:40.5898200Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Verbose - Replacing tenant domain name e22c1771-6aa4-4202-8f83-5431ffed7d9d with id {tenantid} 2025-06-17T17:36:40.5904265Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Trace - Item key: server-telemetry-*** 2025-06-17T17:36:40.5905091Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Trace - Getting cache key-value store 2025-06-17T17:36:40.5906793Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Verbose - Replacing tenant domain name e22c1771-6aa4-4202-8f83-5431ffed7d9d with id {tenantid} 2025-06-17T17:36:40.5907523Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [39282d37-a2c6-4fdc-a269-c38ef31b448f] : @azure/msal-common@14.13.0 : Info - Sending token request to endpoint: https://login.microsoftonline.com/e22c1771-6aa4-4202-8f83-5431ffed7d9d/oauth2/v2.0/token 2025-06-17T17:36:40.5910143Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Trace - Item key: throttling.{"clientId":"***","authority":"https://login.microsoftonline.com/e22c1771-6aa4-4202-8f83-5431ffed7d9d","scopes":["https://management.azure.com//.default"],"authenticationScheme":"Bearer"} 2025-06-17T17:36:40.5910841Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Trace - Getting cache key-value store 2025-06-17T17:36:40.8672473Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Trace - Item key: server-telemetry-*** 2025-06-17T17:36:40.8673211Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Trace - Getting cache key-value store 2025-06-17T17:36:40.8673814Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Trace - Item key: server-telemetry-*** 2025-06-17T17:36:40.8674356Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Trace - Getting cache key-value store 2025-06-17T17:36:40.8677025Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [39282d37-a2c6-4fdc-a269-c38ef31b448f] : @azure/msal-common@14.13.0 : Warning - No client info in response 2025-06-17T17:36:40.8685083Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Trace - Getting in-memory cache 2025-06-17T17:36:40.8685840Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Trace - Getting cache key-value store 2025-06-17T17:36:40.8688583Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Trace - Item key: -login.windows.net-accesstoken-***-e22c1771-6aa4-4202-8f83-5431ffed7d9d-https://management.azure.com//.default-- 2025-06-17T17:36:40.8689241Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Trace - Getting cache key-value store 2025-06-17T17:36:40.8689780Z ##[debug][Tue, 17 Jun 2025 17:36:40 GMT] : [] : @azure/msal-node@2.10.0 : Trace - Setting cache key value store 2025-06-17T17:36:40.8692842Z ##[debug]MSAL - retrieved token - isFromCache?: false 2025-06-17T17:36:40.8697174Z ##[debug]CLIENT_RESETSTREAMONRETRY=undefined 2025-06-17T17:36:40.8698425Z ##[debug][POST]https://management.azure.com/subscriptions/4887c6b8-af6f-4661-b403-8546fab2987f/resourceGroups/rg-x-preprod-002/providers/Microsoft.ContainerService/managedClusters/aks-x-preprod-002/listClusterUserCredential?api-version=2024-05-01 2025-06-17T17:36:41.0802518Z ##[debug]Correlation ID from ARM api call response : 1c9a9341-af0d-4827-8c21-d06d2eb96245 2025-06-17T17:36:41.0805812Z ##[debug]agent.tempDirectory=/azp/_temp 2025-06-17T17:36:41.0812781Z ##[debug]Kubeconfig file path: /azp/_temp/helmTask/1750181801080/config 2025-06-17T17:36:41.0818673Z ##[debug]which 'kubectl' 2025-06-17T17:36:41.0825666Z ##[debug]found: '/azp/_tool/kubectl/1.31.0/x64/kubectl' 2025-06-17T17:36:41.0826372Z ##[debug]agent.tempDirectory=/azp/_temp 2025-06-17T17:36:41.0828721Z ##[debug]which 'kubelogin' 2025-06-17T17:36:41.0830202Z ##[debug]found: '/azp/_temp/040c21cd-2f79-43cd-8b48-5e84e18353d1/bin/linux_amd64/kubelogin' 2025-06-17T17:36:41.0831550Z ##[debug]Kubelogin is installed. Converting kubeconfig. 2025-06-17T17:36:41.0834893Z ##[debug]azureSubscriptionEndpoint=774094b1-d28f-4707-82d2-bdad7e4f4f8f 2025-06-17T17:36:41.0841711Z ##[debug]774094b1-d28f-4707-82d2-bdad7e4f4f8f auth scheme = WorkloadIdentityFederation 2025-06-17T17:36:41.0842317Z ##[debug]Kubelogin authentication scheme WorkloadIdentityFederation 2025-06-17T17:36:41.0843357Z ##[debug]774094b1-d28f-4707-82d2-bdad7e4f4f8f auth param serviceprincipalid = *** 2025-06-17T17:36:41.0844276Z ##[debug]774094b1-d28f-4707-82d2-bdad7e4f4f8f auth param tenantid = e22c1771-6aa4-4202-8f83-5431ffed7d9d 2025-06-17T17:36:41.0846076Z ##[debug]System.JobId=2caf16a4-be4b-5fa5-a387-5d6431e12d8e 2025-06-17T17:36:41.0846577Z ##[debug]System.PlanId=e8595a18-f060-4253-953b-779c1bc75e98 2025-06-17T17:36:41.0847076Z ##[debug]System.TeamProjectId=dd5ad0fd-68b0-42c8-9b54-fd8a9f3d9ba4 2025-06-17T17:36:41.0848322Z ##[debug]System.HostType=build 2025-06-17T17:36:41.0848804Z ##[debug]System.CollectionUri=https://dev.azure.com/xyz/ 2025-06-17T17:36:41.0851119Z ##[debug]Getting credentials for local feeds 2025-06-17T17:36:41.0851644Z ##[debug]SYSTEMVSSCONNECTION exists true 2025-06-17T17:36:41.0852079Z ##[debug]Got auth token 2025-06-17T17:36:41.2174826Z ##[debug]set AZURE_CLIENT_ID=*** 2025-06-17T17:36:41.2176246Z ##[debug]Processed: ##vso[task.setvariable variable=AZURE_CLIENT_ID;isOutput=false;issecret=false;]*** 2025-06-17T17:36:41.2176776Z ##[debug]set AZURE_TENANT_ID=e22c1771-6aa4-4202-8f83-5431ffed7d9d 2025-06-17T17:36:41.2177450Z ##[debug]Processed: ##vso[task.setvariable variable=AZURE_TENANT_ID;isOutput=false;issecret=false;]e22c1771-6aa4-4202-8f83-5431ffed7d9d 2025-06-17T17:36:41.2178210Z ##[debug]set AZURE_FEDERATED_TOKEN_FILE=/azp/_temp/helmTask/1750181801082/id_token 2025-06-17T17:36:41.2179360Z ##[debug]Processed: ##vso[task.setvariable variable=AZURE_FEDERATED_TOKEN_FILE;isOutput=false;issecret=false;]/azp/_temp/helmTask/1750181801082/id_token 2025-06-17T17:36:41.2180012Z ##[debug]set AZURE_AUTHORITY_HOST=https://login.microsoftonline.com/ 2025-06-17T17:36:41.2180693Z ##[debug]Processed: ##vso[task.setvariable variable=AZURE_AUTHORITY_HOST;isOutput=false;issecret=false;]https://login.microsoftonline.com/ 2025-06-17T17:36:41.2181286Z ##[debug]which '/azp/_temp/040c21cd-2f79-43cd-8b48-5e84e18353d1/bin/linux_amd64/kubelogin' 2025-06-17T17:36:41.2181964Z ##[debug]found: '/azp/_temp/040c21cd-2f79-43cd-8b48-5e84e18353d1/bin/linux_amd64/kubelogin' 2025-06-17T17:36:41.2182516Z ##[debug]/azp/_temp/040c21cd-2f79-43cd-8b48-5e84e18353d1/bin/linux_amd64/kubelogin arg: convert-kubeconfig 2025-06-17T17:36:41.2183051Z ##[debug]/azp/_temp/040c21cd-2f79-43cd-8b48-5e84e18353d1/bin/linux_amd64/kubelogin arg: ["-l","workloadidentity"] 2025-06-17T17:36:41.2183549Z ##[debug]System.Debug=True 2025-06-17T17:36:41.2184028Z ##[debug]/azp/_temp/040c21cd-2f79-43cd-8b48-5e84e18353d1/bin/linux_amd64/kubelogin arg: ["--v","20"] 2025-06-17T17:36:41.2186974Z ##[debug]exec tool: /azp/_temp/040c21cd-2f79-43cd-8b48-5e84e18353d1/bin/linux_amd64/kubelogin 2025-06-17T17:36:41.2188064Z ##[debug]arguments: 2025-06-17T17:36:41.2188466Z ##[debug] convert-kubeconfig 2025-06-17T17:36:41.2188875Z ##[debug] -l 2025-06-17T17:36:41.2189261Z ##[debug] workloadidentity 2025-06-17T17:36:41.2189646Z ##[debug] --v 2025-06-17T17:36:41.2190039Z ##[debug] 20 2025-06-17T17:36:41.2191003Z [command]/azp/_temp/040c21cd-2f79-43cd-8b48-5e84e18353d1/bin/linux_amd64/kubelogin convert-kubeconfig -l workloadidentity --v 20 2025-06-17T17:36:41.2369033Z I0617 17:36:41.236072 18028 convert.go:195] Context: , Login Method: workloadidentity, Environment: AzurePublicCloud, TenantID: e22c1771-6aa4-4202-8f83-5431ffed7d9d, ServerID: , ClientID: ***, IsLegacy: false, msiResourceID: , Timeout: 1m0s, authRecordCacheDir: /home/agent/.kube/cache/kubelogin/, tokenauthRecordFile: /home/agent/.kube/cache/kubelogin/auth.json, AZURE_CONFIG_DIR: 2025-06-17T17:36:41.2370817Z I0617 17:36:41.236158 18028 convert.go:205] Loading kubeconfig from /azp/_temp/helmTask/1750181801080/config 2025-06-17T17:36:41.2372007Z I0617 17:36:41.237036 18028 loader.go:395] Config loaded from file: /azp/_temp/helmTask/1750181801080/config 2025-06-17T17:36:41.2373940Z I0617 17:36:41.237154 18028 convert.go:227] context: "clusterUser_rg-x-preprod-002_aks-x-preprod-002" 2025-06-17T17:36:41.2374380Z I0617 17:36:41.237169 18028 convert.go:234] converting... 2025-06-17T17:36:41.2380495Z I0617 17:36:41.237733 18028 loader.go:395] Config loaded from file: /azp/_temp/helmTask/1750181801080/config 2025-06-17T17:36:41.2385953Z I0617 17:36:41.238212 18028 loader.go:395] Config loaded from file: /azp/_temp/helmTask/1750181801080/config 2025-06-17T17:36:41.2429993Z 2025-06-17T17:36:41.2433863Z ##[debug]Exit code 0 received from tool '/azp/_temp/040c21cd-2f79-43cd-8b48-5e84e18353d1/bin/linux_amd64/kubelogin' 2025-06-17T17:36:41.2434890Z ##[debug]STDIO streams have closed for tool '/azp/_temp/040c21cd-2f79-43cd-8b48-5e84e18353d1/bin/linux_amd64/kubelogin' 2025-06-17T17:36:41.2445238Z ##[debug]which 'helm' 2025-06-17T17:36:41.2445971Z ##[debug]found: '/azp/_tool/helm/3.18.3/x64/linux-amd64/helm' 2025-06-17T17:36:41.2447042Z ##[debug]SYSTEM_JOBID=2caf16a4-be4b-5fa5-a387-5d6431e12d8e 2025-06-17T17:36:41.2450645Z ##[debug]failOnStderr=false 2025-06-17T17:36:42.1917683Z ##[debug]Processed: ##vso[telemetry.publish area=TaskEndpointId;feature=HelmDeployV1]{"connectionType":"Azure Resource Manager","command":"upgrade","jobId":"2caf16a4-be4b-5fa5-a387-5d6431e12d8e"} 2025-06-17T17:36:42.1919352Z Error: query: failed to query with labels: secrets is forbidden: User "c00f74a9-9758-423d-b855-5dd222e90d8e" cannot list resource "secrets" in API group "" in the namespace "wms-tasks-dev": User does not have access to the resource in Azure. Update role assignment to allow access. 2025-06-17T17:36:42.1921096Z ##[debug]tillernamespace=undefined 2025-06-17T17:36:42.1921591Z ##[debug]system.debug=True 2025-06-17T17:36:42.1922037Z ##[debug]chartType=Name 2025-06-17T17:36:42.1922487Z ##[debug]releaseName=wms-tasks-dev 2025-06-17T17:36:42.1922930Z ##[debug]overrideValues=image.buildNumber=20250617.11 2025-06-17T17:36:42.1923387Z ##[debug]namespace=wms-tasks-dev 2025-06-17T17:36:42.1923807Z ##[debug]waitForExecution=true 2025-06-17T17:36:42.1924218Z ##[debug]arguments=undefined 2025-06-17T17:36:42.1924684Z ##[debug]valueFile=/azp/5/a/build-artifacts/azure/releases/dev-values.yaml 2025-06-17T17:36:42.1925136Z ##[debug]install=true 2025-06-17T17:36:42.1925540Z ##[debug]recreate=false 2025-06-17T17:36:42.1925962Z ##[debug]resetValues=false 2025-06-17T17:36:42.1960976Z ##[debug]force=false 2025-06-17T17:36:42.1961501Z ##[debug]enableTls=false 2025-06-17T17:36:42.1961936Z ##[debug]System.DefaultWorkingDirectory=/azp/5/s 2025-06-17T17:36:42.1962530Z ##[debug]version=undefined 2025-06-17T17:36:42.1962993Z ##[debug]Pattern not found in file path /azp/5/a/build-artifacts/azure/releases/dev-values.yaml. 2025-06-17T17:36:42.1963610Z ##[debug]chartName=oci://***/helm/dot-net-multi-host-app 2025-06-17T17:36:42.1964573Z ##[debug]which '/azp/_tool/helm/3.18.3/x64/linux-amd64/helm' 2025-06-17T17:36:42.1965052Z ##[debug]found: '/azp/_tool/helm/3.18.3/x64/linux-amd64/helm' 2025-06-17T17:36:42.1965512Z ##[debug]/azp/_tool/helm/3.18.3/x64/linux-amd64/helm arg: upgrade 2025-06-17T17:36:42.1966093Z ##[debug]/azp/_tool/helm/3.18.3/x64/linux-amd64/helm arg: --namespace wms-tasks-dev 2025-06-17T17:36:42.1966577Z ##[debug]/azp/_tool/helm/3.18.3/x64/linux-amd64/helm arg: --install 2025-06-17T17:36:42.1967061Z ##[debug]/azp/_tool/helm/3.18.3/x64/linux-amd64/helm arg: --values 2025-06-17T17:36:42.1967563Z ##[debug]/azp/_tool/helm/3.18.3/x64/linux-amd64/helm arg: "/azp/5/a/build-artifacts/azure/releases/dev-values.yaml" 2025-06-17T17:36:42.1968086Z ##[debug]/azp/_tool/helm/3.18.3/x64/linux-amd64/helm arg: --set image.buildNumber=20250617.11 2025-06-17T17:36:42.1968588Z ##[debug]/azp/_tool/helm/3.18.3/x64/linux-amd64/helm arg: --wait 2025-06-17T17:36:42.1969062Z ##[debug]/azp/_tool/helm/3.18.3/x64/linux-amd64/helm arg: wms-tasks-dev 2025-06-17T17:36:42.1969704Z ##[debug]/azp/_tool/helm/3.18.3/x64/linux-amd64/helm arg: oci://***/helm/dot-net-multi-host-app 2025-06-17T17:36:42.1970188Z ##[debug]exec tool: /azp/_tool/helm/3.18.3/x64/linux-amd64/helm 2025-06-17T17:36:42.1970637Z ##[debug]arguments: 2025-06-17T17:36:42.1971308Z ##[debug] upgrade 2025-06-17T17:36:42.1971727Z ##[debug] --namespace 2025-06-17T17:36:42.1972149Z ##[debug] wms-tasks-dev 2025-06-17T17:36:42.1972753Z ##[debug] --install 2025-06-17T17:36:42.1973151Z ##[debug] --values 2025-06-17T17:36:42.1973603Z ##[debug] /azp/5/a/build-artifacts/azure/releases/dev-values.yaml 2025-06-17T17:36:42.1974037Z ##[debug] --set 2025-06-17T17:36:42.1974470Z ##[debug] image.buildNumber=20250617.11 2025-06-17T17:36:42.1974881Z ##[debug] --wait 2025-06-17T17:36:42.1975283Z ##[debug] wms-tasks-dev 2025-06-17T17:36:42.1975763Z ##[debug] oci://***/helm/dot-net-multi-host-app 2025-06-17T17:36:42.1976506Z [command]/azp/_tool/helm/3.18.3/x64/linux-amd64/helm upgrade --namespace wms-tasks-dev --install --values /azp/5/a/build-artifacts/azure/releases/dev-values.yaml --set image.buildNumber=20250617.11 --wait wms-tasks-dev oci://***/helm/dot-net-multi-host-app 2025-06-17T17:36:42.1977060Z ##[debug]set helmExitCode=1 2025-06-17T17:36:42.1978235Z ##[debug]Processed: ##vso[task.setvariable variable=helmExitCode;isOutput=false;issecret=false;]1 2025-06-17T17:36:42.1978934Z ##[debug]publishPipelineMetadata=true 2025-06-17T17:36:42.1979734Z ##[debug]execResult: {"code":1,"stdout":"","stderr":"Error: query: failed to query with labels: secrets is forbidden: User \"c00f74a9-9758-423d-b855-5dd222e90d8e\" cannot list resource \"secrets\" in API group \"\" in the namespace \"wms-tasks-dev\": User does not have access to the resource in Azure. Update role assignment to allow access.\n"} 2025-06-17T17:36:42.1980925Z ##[debug]task result: Failed 2025-06-17T17:36:42.1999142Z ##[error]Error: query: failed to query with labels: secrets is forbidden: User "c00f74a9-9758-423d-b855-5dd222e90d8e" cannot list resource "secrets" in API group "" in the namespace "wms-tasks-dev": User does not have access to the resource in Azure. Update role assignment to allow access.

2025-06-17T17:36:42.2000289Z ##[debug]Processed: ##vso[task.issue type=error;source=TaskInternal;correlationId=9fb999ee-99a3-4b7e-a71c-7fbb462fb0dd;]Error: query: failed to query with labels: secrets is forbidden: User "c00f74a9-9758-423d-b855-5dd222e90d8e" cannot list resource "secrets" in API group "" in the namespace "wms-tasks-dev": User does not have access to the resource in Azure. Update role assignment to allow access.

2025-06-17T17:36:42.2002801Z ##[debug]Processed: ##vso[task.complete result=Failed;]Error: query: failed to query with labels: secrets is forbidden: User "c00f74a9-9758-423d-b855-5dd222e90d8e" cannot list resource "secrets" in API group "" in the namespace "wms-tasks-dev": User does not have access to the resource in Azure. Update role assignment to allow access.

2025-06-17T17:36:42.2003891Z ##[debug]connectionType=Azure Resource Manager
2025-06-17T17:36:42.2006225Z ##[section]Finishing: Deploy Helm Chart (Azure Resource Manager)

Repro steps

[v-dko]

@darthmolen can you help me with which RBAC permissions you have used in the service principal?
We have provided RBAC cluster admin permissions, and it is working as expected.

[v-dko]

@darthmolen can you help on above details