Docker on Windows build directory permissions
Summary
I am trying to set up a GitLab runner on Azure which will use Docker to run our Windows CI/CD jobs. I have currently run into permission issues where it seems the user that's run within the container does not have enough permissions to access the build directory of the git repository once it has been cloned. I have been able to see this further by running [System.Security.Principal.WindowsIdentity]::GetCurrent().Name in a fresh interactive container and in the job's script. For testing I set the USER to ContainerAdministrator; the fresh interactive container showed its current user as ContainerAdministrator, but the job showed itself as ContainerUser.
Steps to reproduce
.gitlab-ci.yml
variables:
  DOCKER_TLS_CERTDIR: ""
cache:
  key: ${CI_COMMIT_REF_SLUG}
  untracked: true
stages:
  - build
  - test
  - pack
  - deploy
build_wpf:
  image: <omitted>/build/windows-dotnet
  stage: build
  tags:
    - windows
  script:
    - "[System.Security.Principal.WindowsIdentity]::GetCurrent().Name"
    - pwd
    - dir
    - dotnet build
  interruptible: true
Actual behavior
[System.Security.Principal.WindowsIdentity]::GetCurrent().Name returns ContainerUser and the build fails due to invalid permissions to read from the directory.
Expected behavior
[System.Security.Principal.WindowsIdentity]::GetCurrent().Name returns ContainerAdministrator and the build is able to read in from disk.
Relevant logs and/or screenshots
job log
Getting source from Git repository 00:10
Fetching changes with git depth set to 50...
Reinitialized existing Git repository in C:/builds/digital-operations/projects/telco/.git/
Checking out 35c56af8 as feature/20-cicd...
git-lfs/2.11.0 (GitHub; windows amd64; go 1.14.2; git 48b28d97)
Skipping Git submodules setup
Restoring cache 00:06
Version: 13.11.0
Git revision: 7f7a4bb0
Git branch: 13-11-stable
GO version: go1.13.8
Built: 2021-04-20T17:02:24+0000
OS/Arch: windows/amd64
Checking cache for feature-20-cicd...
No URL provided, cache will not be downloaded from shared cache server. Instead a local version of cache will be extracted.
Successfully extracted cache
Executing "step_script" stage of the job script 00:06
Using docker image sha256:8fb066da5ad40207b0ef8e2d7b353a72430a1619db02728bcb485f27df19862d for <omitted>/build/windows-dotnet with digest <omitted>/build/windows-dotnet@sha256:46c2cda27dbd9f9dd3ef97cb5ca15d0f3a71bfafc3c9db2661b7be721a100c8a ...
ParentContainsErrorRecordException: Exception calling "WriteAllText" with "2" argument(s): "Access to the path 'c:\builds\digital-operations\projects\telco.tmp\CI_SERVER_TLS_CA_FILE' is denied."
$ [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
User Manager\ContainerUser
$ pwd
Path
----
C:\builds\digital-operations\projects\telco
$ dir
Get-ChildItem: Access to the path 'C:\builds\digital-operations\projects\telco' is denied.
Cleaning up file based variables 00:05
ERROR: Job failed: exit code 1
Environment description
docker info
Client:
Debug Mode: false
Plugins:
cluster: Manage Mirantis Container Cloud clusters (Mirantis Inc., v1.9.0)
Server:
Containers: 26
Running: 1
Paused: 0
Stopped: 25
Images: 36
Server Version: 19.03.14
Storage Driver: windowsfilter
Windows:
Logging Driver: json-file
Plugins:
Volume: local
Network: ics internal l2bridge l2tunnel nat null overlay private transparent
Log: awslogs etwlogs fluentd gcplogs gelf json-file local logentries splunk syslog
Swarm: inactive
Default Isolation: process
Kernel Version: 10.0 19041 (19041.1.amd64fre.vb_release.191206-1406)
Operating System: Windows Server Datacenter Version 2004 (OS Build 19041.985)
OSType: windows
Architecture: x86_64
CPUs: 2
Total Memory: 4GiB
Name: vm-d-int-code-w
ID: LEHO:RRP6:DXUX:W5LW:YA25:UQXO:IFJ4:M7BV:QJLM:CSAT:IG2Q:SQ7O
Docker Root Dir: C:\ProgramData\docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
config.toml contents
concurrent = 3
check_interval = 0
[session_server]
  session_timeout = 1800
[[runners]]
  name = "azure-shared-windows-docker"
  url = ""
  token = ""
  executor = "docker-windows"
  shell = "pwsh"
  [runners.custom_build_dir]
  [runners.cache]
    [runners.cache.s3]
    [runners.cache.gcs]
    [runners.cache.azure]
  [runners.docker]
    tls_verify = false
    image = "<omitted>/build/windows-dotnet"
    privileged = false
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = false
    volumes = ["c:\\cache"]
    shm_size = 0
Used GitLab Runner version
Version: 13.11.0
Git revision: 7f7a4bb0
Git branch: 13-11-stable
GO version: go1.13.8
Built: 2021-04-20T17:02:32+0000
OS/Arch: windows/amd64
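A diagnostic for the access-denied errors in the job log above, added here as an example and not part of the original report: run as a job script step, it lists which ACL entries on the build directory and each of its parent directories match the identity the job actually runs as. It assumes the runner sets CI_PROJECT_DIR and otherwise falls back to the build path shown in the log.

```powershell
# Added diagnostic (not from the original report). Run it as a job script step.
# Assumption: CI_PROJECT_DIR is set by the runner; the fallback is the path in the job log.
$target = if ($env:CI_PROJECT_DIR) { $env:CI_PROJECT_DIR } else { 'C:\builds\digital-operations\projects\telco' }

# Identity the script really runs as, plus every SID in its token (user and groups).
$id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
"Running as: $($id.Name) ($($id.User.Value))"

# Walk from the build directory up to the drive root. The first level whose ACL
# cannot be read, or that has no Allow entry for this token, is where access breaks.
$path = $target
while ($path) {
    try {
        $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
        # Request SIDs rather than names so matching does not depend on name lookup.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
                 Where-Object { $sids -contains $_.IdentityReference.Value }
        "`n$path  (owner: $($acl.Owner))"
        if (-not $rules) { "  no ACL entry matches the current token" }
        foreach ($r in $rules) {
            $origin = if ($r.IsInherited) { 'inherited' } else { 'explicit' }
            "  {0,-5} {1,-40} {2} [{3}]" -f $r.AccessControlType, $r.FileSystemRights, $r.IdentityReference.Value, $origin
        }
    } catch {
        # Reading the ACL needs READ_CONTROL on the object; a denial here is itself a finding.
        "`n$path"
        "  cannot read ACL: $($_.Exception.Message)"
    }
    # GetDirectoryName returns $null at the drive root, which ends the loop.
    $path = [System.IO.Path]::GetDirectoryName($path)
}
```

Running the same step in a fresh interactive container from the same image gives a second listing to compare against the job's output.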