Skip to content

az acr repository update --name --image --write-enable false will update repo level metadata when missing image tag #31878

New issue
New issue
Open
Open
az acr repository update --name --image --write-enable false will update repo level metadata when missing image tag#31878
Assignees
FeynmanZhou
Labels
AADAuto-AssignAuto assign by botAuto-ResolveAuto resolve by botContainer Registryaz acrService AttentionThis issue is responsible by Azure service team.bugThis issue requires a change to an existing behavior in the product in order to be resolved.
@coderdjw

Description

@coderdjw
coderdjw
opened on Jul 28, 2025

Describe the bug

az acr repository update --name --image --write-enable false will update repo level metadata when missing image tag, e.g. my intention is "<repoName>:<tagName>". But in some error cases, I only pass "<repoName>:", it will be translated to a repo level lock down, which is error prone. It is better we throw error in this case.

Image

Related command

az acr repository show --name <acrName> --repository <repoName>
az acr repository update --name <acrName> --image "<repoName>:" --write-enable false
az acr repository show --name <acrName> --repository <repoName> # repo will be mis-configured as write-enable=false.

Errors

az acr repository show --name <acrName> --repository <repoName>
az acr repository update --name <acrName> --image "<repoName>:" --write-enable false
az acr repository show --name <acrName> --repository <repoName> # repo will be mis-configured as write-enable=false.

Issue script & Debug output

az acr repository update --name "<-- ACR HIDDEN -->" --image "<-- REPO HIDDEN -->:" --write-enabled false --debug
az : DEBUG: cli.knack.cli: Command arguments: ['acr', 'repository', 'update', '--name', '<-- ACR HIDDEN -->', '--image', '<-- REPO HIDDEN -->:', '--write-enabled', 'false', '--debug']
At line:1 char:1

  • az acr repository update --name "<-- ACR HIDDEN -->" --image " ...
  •   + CategoryInfo          : NotSpecified: (DEBUG: cli.knac...se', '--debug']:String) [], RemoteException
  + FullyQualifiedErrorId : NativeCommandError

DEBUG: cli.knack.cli: init debug log:
Cannot enable color.
DEBUG: cli.knack.cli: Event: Cli.PreExecute []
DEBUG: cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x01412A78>, <function OutputProducer.on_global_arguments at 0x01552668>, <function CLIQuery.on_global_arguments at 0x01572168>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
DEBUG: cli.azure.cli.core: Modules found from index for 'acr': ['azure.cli.command_modules.acr']
DEBUG: cli.azure.cli.core: Loading command modules:
DEBUG: cli.azure.cli.core: Name Load Time Groups Commands
DEBUG: cli.azure.cli.core: acr 0.783 36 149
DEBUG: cli.azure.cli.core: Total (1) 0.783 36 149
DEBUG: cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
DEBUG: cli.azure.cli.core: Loading extensions:
DEBUG: cli.azure.cli.core: Name Load Time Groups Commands Directory
DEBUG: cli.azure.cli.core: Total (0) 0.000 0 0
DEBUG: cli.azure.cli.core: Loaded 36 groups, 149 commands.
DEBUG: cli.azure.cli.core: Found a match in the command table.
DEBUG: cli.azure.cli.core: Raw command : acr repository update
DEBUG: cli.azure.cli.core: Command table: acr repository update
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x034B94D8>]
DEBUG: cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\Administrator.azure\commands\2025-07-28.15-36-16.acr_repository_update.39156.log'.
INFO: az_command_data_logger: command args: acr repository update --name {} --image {} --write-enabled {} --debug
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x034DD0C8>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x03526168>, <function register_cache_arguments..add_cache_arguments at 0x035260C8>, <function register_upcoming_breaking_change_info..upda
te_breaking_change_info at 0x035261B8>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x015526B8>, <function CLIQuery.handle_query_parameter at 0x015721B8>, <function register_ids_argument..parse_ids_arguments at 0x03526118>]
DEBUG: cli.azure.cli.core.commands.client_factory: Getting management service client client_type=ResourceManagementClient
DEBUG: cli.azure.cli.core.auth.persistence: build_persistence: location='C:\Users\Administrator\.azure\msal_token_cache.bin', encrypt=True
DEBUG: cli.azure.cli.core.auth.binary_cache: load: C:\Users\Administrator.azure\msal_http_cache.bin
DEBUG: urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
DEBUG: msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/<-- TENANT ID HIDDEN -->
DEBUG: msal.authority: openid_config("https://login.microsoftonline.com/<-- TENANT ID HIDDEN -->/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/<-- TENANT ID HIDDEN -->/oauth2/v2.0/token', 'token_endpoint_auth_meth
ods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/<-- TENANT ID HIDDEN -->/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwi
se'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd
011db47/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/<-- TENANT ID HIDDEN -->/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://
login.microsoftonline.com/<-- TENANT ID HIDDEN -->/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/<-- TENANT ID HIDDEN -->/oauth2/v2.0/logout', 'claims_supp
orted': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsofton
line.com/<-- TENANT ID HIDDEN -->/kerberos', 'tenant_region_scope': 'WW', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
DEBUG: msal.application: Broker enabled? True
DEBUG: cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
DEBUG: cli.azure.cli.core.auth.msal_credentials: UserCredential.get_token: scopes=('https://management.core.windows.net//.default',), claims=None, kwargs={}
DEBUG: msal.application: Cache hit an AT
DEBUG: msal.telemetry: Generate or reuse correlation_id: 74880b84-55b6-4bd2-8792-93b56a9dd56f
DEBUG: cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/<-- SUB HIDDEN -->/resources?$filter=resourceType%20eq%20%27Microsoft.ContainerRegistry%2Fregistries%27&api-version=2022-09-01'
DEBUG: cli.azure.cli.core.sdk.policies: Request method: 'GET'
DEBUG: cli.azure.cli.core.sdk.policies: Request headers:
DEBUG: cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': '8ad7aced-6b85-11f0-8731-e454e8df9e68'
DEBUG: cli.azure.cli.core.sdk.policies: 'CommandName': 'acr repository update'
DEBUG: cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--name --image --write-enabled --debug'
DEBUG: cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.69.0 (MSI) azsdk-python-core/1.31.0 Python/3.12.8 (Windows-11-10.0.26100-SP0)'
DEBUG: cli.azure.cli.core.sdk.policies: 'Authorization': ''
DEBUG: cli.azure.cli.core.sdk.policies: Request body:
DEBUG: cli.azure.cli.core.sdk.policies: This request has no body
DEBUG: urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
DEBUG: urllib3.connectionpool: https://management.azure.com:443 "GET /subscriptions/<-- SUB HIDDEN -->/resources?$filter=resourceType%20eq%20%27Microsoft.ContainerRegistry%2Fregistries%27&api-version=2022-09-01 HTTP/1.1" 200 5821
DEBUG: cli.azure.cli.core.sdk.policies: Response status: 200
DEBUG: cli.azure.cli.core.sdk.policies: Response headers:
DEBUG: cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
DEBUG: cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
DEBUG: cli.azure.cli.core.sdk.policies: 'Content-Length': '5821'
DEBUG: cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json; charset=utf-8'
DEBUG: cli.azure.cli.core.sdk.policies: 'Expires': '-1'
DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-reads': '1099'
DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-global-reads': '16499'
DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-request-id': 'a548e3a5-ac32-47e0-a9dc-8e8b1c60f518'
DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': 'a548e3a5-ac32-47e0-a9dc-8e8b1c60f518'
DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'SOUTHEASTASIA:20250728T073617Z:a548e3a5-ac32-47e0-a9dc-8e8b1c60f518'
DEBUG: cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
DEBUG: cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
DEBUG: cli.azure.cli.core.sdk.policies: 'X-Cache': 'CONFIG_NOCACHE'
DEBUG: cli.azure.cli.core.sdk.policies: 'X-MSEdge-Ref': 'Ref A: 5F40A0F4428F45C687B25F0D49CA2C15 Ref B: MAA201060514021 Ref C: 2025-07-28T07:36:17Z'
DEBUG: cli.azure.cli.core.sdk.policies: 'Date': 'Mon, 28 Jul 2025 07:36:16 GMT'
DEBUG: cli.azure.cli.core.sdk.policies: Response content:
DEBUG: cli.azure.cli.core.sdk.policies: <--- RESPONSE HIDDEN --->
DEBUG: cli.azure.cli.core.commands.client_factory: Getting management service client client_type=ContainerRegistryManagementClient
DEBUG: urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
DEBUG: msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/<-- TENANT ID HIDDEN -->
DEBUG: msal.authority: openid_config("https://login.microsoftonline.com/<-- TENANT ID HIDDEN -->/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/<-- TENANT ID HIDDEN -->/oauth2/v2.0/token', 'token_endpoint_auth_meth
ods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/<-- TENANT ID HIDDEN -->/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwi
se'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd
011db47/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/<-- TENANT ID HIDDEN -->/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://
login.microsoftonline.com/<-- TENANT ID HIDDEN -->/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/<-- TENANT ID HIDDEN -->/oauth2/v2.0/logout', 'claims_supp
orted': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsofton
line.com/<-- TENANT ID HIDDEN -->/kerberos', 'tenant_region_scope': 'WW', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
DEBUG: msal.application: Broker enabled? True
DEBUG: cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
DEBUG: cli.azure.cli.core.auth.msal_credentials: UserCredential.get_token: scopes=('https://management.core.windows.net//.default',), claims=None, kwargs={}
DEBUG: msal.application: Cache hit an AT
DEBUG: msal.telemetry: Generate or reuse correlation_id: c117924e-913a-441a-a766-7c66f1a45d02
DEBUG: cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/<-- SUB HIDDEN -->/resourceGroups/devresources/providers/Microsoft.ContainerRegistry/registries/<-- ACR HIDDEN -->?api-version=2023-11-01-preview'
DEBUG: cli.azure.cli.core.sdk.policies: Request method: 'GET'
DEBUG: cli.azure.cli.core.sdk.policies: Request headers:
DEBUG: cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': '8ad7aced-6b85-11f0-8731-e454e8df9e68'
DEBUG: cli.azure.cli.core.sdk.policies: 'CommandName': 'acr repository update'
DEBUG: cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--name --image --write-enabled --debug'
DEBUG: cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.69.0 (MSI) azsdk-python-core/1.31.0 Python/3.12.8 (Windows-11-10.0.26100-SP0)'
DEBUG: cli.azure.cli.core.sdk.policies: 'Authorization': ''
DEBUG: cli.azure.cli.core.sdk.policies: Request body:
DEBUG: cli.azure.cli.core.sdk.policies: This request has no body
DEBUG: urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
DEBUG: urllib3.connectionpool: https://management.azure.com:443 "GET /subscriptions/<-- SUB HIDDEN -->/resourceGroups/devresources/providers/Microsoft.ContainerRegistry/registries/<-- ACR HIDDEN -->?api-version=2023-11-01-preview HTTP/1.1" 200 1474
DEBUG: cli.azure.cli.core.sdk.policies: Response status: 200
DEBUG: cli.azure.cli.core.sdk.policies: Response headers:
DEBUG: cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
DEBUG: cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
DEBUG: cli.azure.cli.core.sdk.policies: 'Content-Length': '1474'
DEBUG: cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json; charset=utf-8'
DEBUG: cli.azure.cli.core.sdk.policies: 'Expires': '-1'
DEBUG: cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
DEBUG: cli.azure.cli.core.sdk.policies: 'api-supported-versions': '2023-11-01-preview'
DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-reads': '1099'
DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-global-reads': '16499'
DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-request-id': '46235e5e-310f-4cdc-8cca-cf1dba86f911'
DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': '46235e5e-310f-4cdc-8cca-cf1dba86f911'
DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'SOUTHEASTASIA:20250728T073619Z:46235e5e-310f-4cdc-8cca-cf1dba86f911'
DEBUG: cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
DEBUG: cli.azure.cli.core.sdk.policies: 'X-Cache': 'CONFIG_NOCACHE'
DEBUG: cli.azure.cli.core.sdk.policies: 'X-MSEdge-Ref': 'Ref A: F1A787C9430E46FD924C4919B26B4132 Ref B: MAA201060515029 Ref C: 2025-07-28T07:36:18Z'
DEBUG: cli.azure.cli.core.sdk.policies: 'Date': 'Mon, 28 Jul 2025 07:36:18 GMT'
DEBUG: cli.azure.cli.core.sdk.policies: Response content:
DEBUG: cli.azure.cli.core.sdk.policies: {"sku":{"name":"Premium","tier":"Premium"},"type":"Microsoft.ContainerRegistry/registries","id":"/subscriptions/<-- SUB HIDDEN -->/resourceGroups/devresources/providers/Microsoft.ContainerRegistry/registries/<-- ACR HIDDEN -->","name":"<-- ACR HIDDEN -->","location":"eastus","tags":{},"systemData":{"createdBy":"<-- EMAIL HIDDEN -->","createdByType":"User","createdAt":"2024-05-22T03:14:47.721542+00:00","lastModifiedBy":"<-- EMAIL HIDDEN -->","lastModifiedByType":"User","lastModifiedAt":"2025-07-25T11:4
4:15.3971713+00:00"},"properties":{"loginServer":"<-- ACR HIDDEN -->.azurecr.io","creationDate":"2024-05-22T03:14:47.721542Z","provisioningState":"Succeeded","adminUserEnabled":false,"networkRuleSet":{"defaultAction":"Allow","ipRules":[]},"policies":{"quarantinePolicy":{"status":"
disabled"},"trustPolicy":{"type":"Notary","status":"disabled"},"retentionPolicy":{"days":7,"lastUpdatedTime":"2024-07-22T01:48:35.6253041+00:00","status":"disabled"},"exportPolicy":{"status":"enabled"},"azureADAuthenticationAsArmPolicy":{"status":"enabled"},"softDeletePolicy":{"retentio
nDays":1,"lastUpdatedTime":"2025-07-25T11:44:15.5860787+00:00","status":"enabled"}},"encryption":{"status":"disabled"},"dataEndpointEnabled":false,"dataEndpointHostNames":[],"privateEndpointConnections":[],"publicNetworkAccess":"Enabled","networkRuleBypassOptions":"AzureServices","zoneR
edundancy":"Disabled","anonymousPullEnabled":true,"metadataSearch":"Disabled"}}
DEBUG: cli.azure.cli.command_modules.acr._docker_utils: 2025-07-28 07:36:19.074133 Sending a HTTP Get request to https://<-- ACR HIDDEN -->.azurecr.io/v2/
DEBUG: urllib3.connectionpool: Starting new HTTPS connection (1): <-- ACR HIDDEN -->.azurecr.io:443
DEBUG: urllib3.connectionpool: https://<-- ACR HIDDEN -->.azurecr.io:443 "GET /v2/ HTTP/1.1" 401 149
INFO: cli.azure.cli.command_modules.acr._docker_utils: Attempting to retrieve AAD refresh token...
DEBUG: cli.azure.cli.core.commands.client_factory: Getting management service client client_type=ContainerRegistryManagementClient
DEBUG: urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
DEBUG: msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/<-- TENANT ID HIDDEN -->
DEBUG: msal.authority: openid_config("https://login.microsoftonline.com/<-- TENANT ID HIDDEN -->/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/<-- TENANT ID HIDDEN -->/oauth2/v2.0/token', 'token_endpoint_auth_meth
ods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/<-- TENANT ID HIDDEN -->/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwi
se'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd
011db47/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/<-- TENANT ID HIDDEN -->/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://
login.microsoftonline.com/<-- TENANT ID HIDDEN -->/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/<-- TENANT ID HIDDEN -->/oauth2/v2.0/logout', 'claims_supp
orted': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsofton
line.com/<-- TENANT ID HIDDEN -->/kerberos', 'tenant_region_scope': 'WW', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
DEBUG: msal.application: Broker enabled? True
DEBUG: cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
DEBUG: cli.azure.cli.core.auth.msal_credentials: UserCredential.get_token: scopes=('https://management.core.windows.net//.default',), claims=None, kwargs={}
DEBUG: msal.application: Cache hit an AT
DEBUG: msal.telemetry: Generate or reuse correlation_id: 5b986c74-ed76-4592-9d29-972faad3f932
DEBUG: cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/<-- SUB HIDDEN -->/resourceGroups/devresources/providers/Microsoft.ContainerRegistry/registries/<-- ACR HIDDEN -->?api-version=2023-11-01-preview'
DEBUG: cli.azure.cli.core.sdk.policies: Request method: 'GET'
DEBUG: cli.azure.cli.core.sdk.policies: Request headers:
DEBUG: cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': '8ad7aced-6b85-11f0-8731-e454e8df9e68'
DEBUG: cli.azure.cli.core.sdk.policies: 'CommandName': 'acr repository update'
DEBUG: cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--name --image --write-enabled --debug'
DEBUG: cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.69.0 (MSI) azsdk-python-core/1.31.0 Python/3.12.8 (Windows-11-10.0.26100-SP0)'
DEBUG: cli.azure.cli.core.sdk.policies: 'Authorization': ''
DEBUG: cli.azure.cli.core.sdk.policies: Request body:
DEBUG: cli.azure.cli.core.sdk.policies: This request has no body
DEBUG: urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
DEBUG: urllib3.connectionpool: https://management.azure.com:443 "GET /subscriptions/<-- SUB HIDDEN -->/resourceGroups/devresources/providers/Microsoft.ContainerRegistry/registries/<-- ACR HIDDEN -->?api-version=2023-11-01-preview HTTP/1.1" 200 1474
DEBUG: cli.azure.cli.core.sdk.policies: Response status: 200
DEBUG: cli.azure.cli.core.sdk.policies: Response headers:
DEBUG: cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
DEBUG: cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
DEBUG: cli.azure.cli.core.sdk.policies: 'Content-Length': '1474'
DEBUG: cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json; charset=utf-8'
DEBUG: cli.azure.cli.core.sdk.policies: 'Expires': '-1'
DEBUG: cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
DEBUG: cli.azure.cli.core.sdk.policies: 'api-supported-versions': '2023-11-01-preview'
DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-reads': '1099'
DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-global-reads': '16499'
DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-request-id': '95991536-f892-4fda-9b9b-bab144d695e4'
DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': '95991536-f892-4fda-9b9b-bab144d695e4'
DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'SOUTHEASTASIA:20250728T073621Z:95991536-f892-4fda-9b9b-bab144d695e4'
DEBUG: cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
DEBUG: cli.azure.cli.core.sdk.policies: 'X-Cache': 'CONFIG_NOCACHE'
DEBUG: cli.azure.cli.core.sdk.policies: 'X-MSEdge-Ref': 'Ref A: C255D8E7C3F04966A56F32FEDC192FC0 Ref B: MAA201060513047 Ref C: 2025-07-28T07:36:20Z'
DEBUG: cli.azure.cli.core.sdk.policies: 'Date': 'Mon, 28 Jul 2025 07:36:20 GMT'
DEBUG: cli.azure.cli.core.sdk.policies: Response content:
DEBUG: cli.azure.cli.core.sdk.policies: {"sku":{"name":"Premium","tier":"Premium"},"type":"Microsoft.ContainerRegistry/registries","id":"/subscriptions/<-- SUB HIDDEN -->/resourceGroups/devresources/providers/Microsoft.ContainerRegistry/registries/<-- ACR HIDDEN -->","name":"<-- ACR HIDDEN -->","location":"eastus","tags":{},"systemData":{"createdBy":"<-- EMAIL HIDDEN -->","createdByType":"User","createdAt":"2024-05-22T03:14:47.721542+00:00","lastModifiedBy":"<-- EMAIL HIDDEN -->","lastModifiedByType":"User","lastModifiedAt":"2025-07-25T11:4
4:15.3971713+00:00"},"properties":{"loginServer":"<-- ACR HIDDEN -->.azurecr.io","creationDate":"2024-05-22T03:14:47.721542Z","provisioningState":"Succeeded","adminUserEnabled":false,"networkRuleSet":{"defaultAction":"Allow","ipRules":[]},"policies":{"quarantinePolicy":{"status":"
disabled"},"trustPolicy":{"type":"Notary","status":"disabled"},"retentionPolicy":{"days":7,"lastUpdatedTime":"2024-07-22T01:48:35.6253041+00:00","status":"disabled"},"exportPolicy":{"status":"enabled"},"azureADAuthenticationAsArmPolicy":{"status":"enabled"},"softDeletePolicy":{"retentio
nDays":1,"lastUpdatedTime":"2025-07-25T11:44:15.5860787+00:00","status":"enabled"}},"encryption":{"status":"disabled"},"dataEndpointEnabled":false,"dataEndpointHostNames":[],"privateEndpointConnections":[],"publicNetworkAccess":"Enabled","networkRuleBypassOptions":"AzureServices","zoneR
edundancy":"Disabled","anonymousPullEnabled":true,"metadataSearch":"Disabled"}}
DEBUG: cli.azure.cli.command_modules.acr._docker_utils: 2025-07-28 07:36:21.559786 Sending a HTTP Get request to https://<-- ACR HIDDEN -->.azurecr.io/v2/
DEBUG: urllib3.connectionpool: Starting new HTTPS connection (1): <-- ACR HIDDEN -->.azurecr.io:443
DEBUG: urllib3.connectionpool: https://<-- ACR HIDDEN -->.azurecr.io:443 "GET /v2/ HTTP/1.1" 401 149
DEBUG: urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
DEBUG: msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/<-- TENANT ID HIDDEN -->
DEBUG: msal.authority: openid_config("https://login.microsoftonline.com/<-- TENANT ID HIDDEN -->/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/<-- TENANT ID HIDDEN -->/oauth2/v2.0/token', 'token_endpoint_auth_meth
ods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/<-- TENANT ID HIDDEN -->/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwi
se'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd
011db47/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/<-- TENANT ID HIDDEN -->/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://
login.microsoftonline.com/<-- TENANT ID HIDDEN -->/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/<-- TENANT ID HIDDEN -->/oauth2/v2.0/logout', 'claims_supp
orted': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsofton
line.com/<-- TENANT ID HIDDEN -->/kerberos', 'tenant_region_scope': 'WW', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
DEBUG: msal.application: Broker enabled? True
DEBUG: cli.azure.cli.core.auth.msal_credentials: UserCredential.get_token: scopes=('https://management.core.windows.net//.default',), claims=None, kwargs={}
DEBUG: msal.application: Cache hit an AT
DEBUG: msal.telemetry: Generate or reuse correlation_id: f70e7660-8323-4761-95a5-8ab4b65eb25c
DEBUG: cli.azure.cli.command_modules.acr._docker_utils: 2025-07-28 07:36:22.520018 Sending a HTTP Post request to https://<-- ACR HIDDEN -->.azurecr.io/oauth2/exchange
DEBUG: urllib3.connectionpool: Starting new HTTPS connection (1): <-- ACR HIDDEN -->.azurecr.io:443
DEBUG: urllib3.connectionpool: https://<-- ACR HIDDEN -->.azurecr.io:443 "POST /oauth2/exchange HTTP/1.1" 200 None
DEBUG: cli.azure.cli.command_modules.acr._docker_utils: 2025-07-28 07:36:23.437877 Sending a HTTP Post request to https://<-- ACR HIDDEN -->.azurecr.io/oauth2/token
DEBUG: urllib3.connectionpool: Starting new HTTPS connection (1): <-- ACR HIDDEN -->.azurecr.io:443
DEBUG: urllib3.connectionpool: https://<-- ACR HIDDEN -->.azurecr.io:443 "POST /oauth2/token HTTP/1.1" 200 None
DEBUG: cli.azure.cli.command_modules.acr._docker_utils: 2025-07-28 07:36:24.346661 Sending a HTTP patch request to https://<-- ACR HIDDEN -->.azurecr.io/acr/v1/<-- REPO HIDDEN -->
DEBUG: urllib3.connectionpool: Starting new HTTPS connection (1): <-- ACR HIDDEN -->.azurecr.io:443
DEBUG: urllib3.connectionpool: https://<-- ACR HIDDEN -->.azurecr.io:443 "PATCH /acr/v1/<-- REPO HIDDEN --> HTTP/1.1" 200 312
DEBUG: msrest.http_logger: Request URL: 'https://<-- ACR HIDDEN -->.azurecr.io/acr/v1/<-- REPO HIDDEN -->'
DEBUG: msrest.http_logger: Request method: 'PATCH'
DEBUG: msrest.http_logger: Request headers:
DEBUG: msrest.http_logger: 'User-Agent': 'python-requests/2.32.3'
DEBUG: msrest.http_logger: 'Accept-Encoding': 'gzip, deflate'
DEBUG: msrest.http_logger: 'Accept': '/'
DEBUG: msrest.http_logger: 'Connection': 'keep-alive'
DEBUG: msrest.http_logger: 'Authorization': ''
DEBUG: msrest.http_logger: 'Content-Length': '23'
DEBUG: msrest.http_logger: 'Content-Type': 'application/json'
DEBUG: msrest.http_logger: Request body:
DEBUG: msrest.http_logger: b'{"writeEnabled": false}'
DEBUG: msrest.http_logger: Response status: 200
DEBUG: msrest.http_logger: Response headers:
DEBUG: msrest.http_logger: 'Server': 'AzureContainerRegistry'
DEBUG: msrest.http_logger: 'Date': 'Mon, 28 Jul 2025 07:36:26 GMT'
DEBUG: msrest.http_logger: 'Content-Type': 'application/json; charset=utf-8'
DEBUG: msrest.http_logger: 'Content-Length': '312'
DEBUG: msrest.http_logger: 'Connection': 'keep-alive'
DEBUG: msrest.http_logger: 'Access-Control-Expose-Headers': 'Docker-Content-Digest, WWW-Authenticate, Link, X-Ms-Correlation-Request-Id'
DEBUG: msrest.http_logger: 'Docker-Distribution-Api-Version': 'registry/2.0'
DEBUG: msrest.http_logger: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains, max-age=31536000; includeSubDomains'
DEBUG: msrest.http_logger: 'X-Content-Type-Options': 'nosniff'
DEBUG: msrest.http_logger: 'X-Ms-Correlation-Request-Id': '41ebf57d-7825-42c6-834a-3b743c934de2'
DEBUG: msrest.http_logger: Response content:
DEBUG: msrest.http_logger: {"registry":"<-- ACR HIDDEN -->.azurecr.io","imageName":"<-- REPO HIDDEN -->","createdTime":"2024-05-22T07:05:00.8016988Z","lastUpdateTime":"2025-07-28T07:03:39.3585304Z","manifestCount":197,"tagCount":196,"changeableAttributes":{"deleteEnabled":true,"writeEna
bled":false,"readEnabled":true,"listEnabled":true}}
DEBUG: cli.knack.cli: Event: CommandInvoker.OnTransformResult [<function _resource_group_transform at 0x034EED48>, <function x509_from_base64_to_hex_transform at 0x034EED98>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnFilterResult []
DEBUG: cli.knack.cli: Event: Cli.SuccessfulExecute []
DEBUG: cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x034B9618>]
INFO: az_command_data_logger: exit code: 0
INFO: cli.main: Command ran in 11.800 seconds (init: 0.521, invoke: 11.279)
INFO: telemetry.main: Begin splitting cli events and extra events, total events: 1
INFO: telemetry.client: Accumulated 0 events. Flush the clients.
INFO: telemetry.main: Finish splitting cli events and extra events, cli events: 1
INFO: telemetry.save: Save telemetry record of length 3747 in cache file under C:\Users\Administrator.azure\telemetry\20250728153626662
INFO: telemetry.main: Begin creating telemetry upload process.
INFO: telemetry.process: Creating upload process: "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry_init.pyc C:\Users\Administrator.azure C:\Users\Administrator.azure\telemetry\202507
28153626662"
INFO: telemetry.process: Return from creating process 27324
INFO: telemetry.main: Finish creating telemetry upload process.
{
"changeableAttributes": {
"deleteEnabled": true,
"listEnabled": true,
"readEnabled": true,
"writeEnabled": false
},
"createdTime": "2024-05-22T07:05:00.8016988Z",
"imageName": "<-- REPO HIDDEN -->",
"lastUpdateTime": "2025-07-28T07:03:39.3585304Z",
"manifestCount": 197,
"registry": "<-- ACR HIDDEN -->.azurecr.io",
"tagCount": 196
}

Expected behavior

az acr repository update --name <acrName> --image "<repoName>:" --write-enable false when image tag is invalid, we need to throw errors instead of translating to repo level setting.

Environment Summary

azure-cli 2.69.0 *

core 2.69.0 *
telemetry 1.1.0

Extensions:
azure-devops 1.0.1
bastion 0.2.4
connectedk8s 1.10.6
customlocation 0.1.3
k8s-extension 1.6.1

Dependencies:
msal 1.31.2b1
azure-mgmt-resource 23.1.1

Additional context

No response

Metadata

Metadata

Assignees

Labels

AADAuto-AssignAuto assign by botAuto-ResolveAuto resolve by botContainer Registryaz acrService AttentionThis issue is responsible by Azure service team.bugThis issue requires a change to an existing behavior in the product in order to be resolved.

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions