0
votes

I'm trying to pull an image from ACR to Azure App Service. I've stored the credentials of ACR in Key Vault. I'm using the endpoint generated by Key Vault in my App Service Terraform configuration. My TF script looks like this:

  module "my-ui-service-temp" {
    source                   = "app-service-noconn"
    location                 = "${local.location}"
    name                     = "webapp-temp"
    resource_group_name      = "${module.create-resource-group.name}"
    app_service_plan_id      = "${module.create-app-service-plan.id}"
    app_service_plan_name    = "${module.create-app-service-plan.name}"
    namespace                = "${local.namespace}-temp"
    dotnetframework_version  = "v4.0"
    java_version             = "1.8"
    process_32bitworker      = "true"
    websockets_enabled       = "true"
    remote_debugging_enabled = "true"
    local_mysql_enabled      = "true"
    php_version              = "5.5"
    remote_debugging_version = "VS2017"
    tls_version              = "1.2"
    linuxfx_version          = "DOCKER|myregistry.azurecr.io/my-webapp:latest"
    //cors_allowed_origins = "*"

    //ip_address_restriction = "10.198.54.79"

    #ip_address_restriction = "198.203.177.177"
    default_documents = ["Default.htm", "Default.html", "Default.asp", "index.htm", "index.html", "iisstart.htm", "default.aspx", "index.php", "hostingstart.html"]

    http2_enabled = "false"
    scm_type      = "none"
    subnet_mask   = "255.255.255.255"

    app_settings {
      "DOCKER_REGISTRY_SERVER_URL"      = "myregistry.azurecr.io"
      "DOCKER_REGISTRY_SERVER_USERNAME" = "https://myapp-kv-az.vault.azure.net/secrets/my-secret-kv-az/redacted"
      "DOCKER_REGISTRY_SERVER_PASSWORD" = "https://myapp-kv-az.vault.azure.net/secrets/my-pass-az-pass/redacted"
    }
  }

This is the error I'm getting:

2019-06-17 16:06:20.651 ERROR - Pulling docker image registry.azurecr.io/myApp-webapp:latest failed:
2019-06-17 16:06:20.651 INFO - Pulling image from Docker hub: registry.azurecr.io/myApp-webapp:latest
2019-06-17 16:06:20.676 ERROR - DockerApiException: Docker API responded with status code=InternalServerError, response={"message":"Get https://registry.azurecr.io/v2/myApp-webapp/manifests/latest: unauthorized: authentication required"}

2019-06-17 16:06:20.687 ERROR - Image pull failed: Verify docker image configuration and credentials (if using private repository)

If I pass my ACR credentials directly without Key Vault, I'm able to pull the image and build it without any issues. I'm assuming it's something to do with Key Vault access policies.

But the error message says "Docker API responded with status code=InternalServerError, response={"message":"Get https://registry.azurecr.io/v2/myApp-webapp/manifests/latest: unauthorized: authentication required"}", which is bothering me!

I'm passing the authentication details through Key Vault, but App Service is not able to authenticate.


2 Answers

1
votes

Fixed it. Instead of passing @Microsoft.keyvault(SecretUri=""),

I've used

  # One data source per secret held in Key Vault; this one reads the registry server secret.
  # The scheme is added here because vault_uri expects the full vault URI.
  data "azurerm_key_vault_secret" "myacrServer" {
    name      = "myApp-acr-server-az"
    vault_uri = "https://myApp-kv-az-acr.vault.azure.net/"
  }

And then in the app_settings of the web app service, I'm passing in that data source's secret value.

  app_settings {
    # Assumes a second azurerm_key_vault_secret data source named "myacrusname",
    # declared the same way as the one above, that reads the registry username secret.
    "DOCKER_REGISTRY_SERVER_USERNAME" = "${data.azurerm_key_vault_secret.myacrusname.value}"
  }
0
votes

If you want to use a reference to Key Vault, you can use the official way of doing that. So it would look like this:

  app_settings {
    "DOCKER_REGISTRY_SERVER_URL"      = "myregistry.azurecr.io"
    # Key Vault reference syntax: no quotes around the URI inside the parentheses
    "DOCKER_REGISTRY_SERVER_USERNAME" = "@Microsoft.KeyVault(SecretUri=https://myapp-kv-az.vault.azure.net/secrets/my-secret-kv-az/redacted)"
    "DOCKER_REGISTRY_SERVER_PASSWORD" = "@Microsoft.KeyVault(SecretUri=https://myapp-kv-az.vault.azure.net/secrets/my-pass-az-pass/redacted)"
  }
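Added example, not from either answer: a small pre-deploy check that classifies the registry credential settings from the question and the second answer, telling apart a bare secret URI (which App Service sends to ACR as the literal credential, producing the "authentication required" error above), a malformed reference, and a well-formed @Microsoft.KeyVault(SecretUri=...) reference. The sample settings are constructed from the values on this page; only the SecretUri reference form shown in the second answer is recognised.

```python
import re
from urllib.parse import urlparse

# Shape of the reference form used in the second answer:
#   @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>[/<version>])
# Quotes or whitespace inside the parentheses make the reference unparseable.
REF_RE = re.compile(r"^@Microsoft\.KeyVault\(SecretUri=([^)\s\"']+)\)$", re.IGNORECASE)
SECRET_KEYS = ("DOCKER_REGISTRY_SERVER_USERNAME", "DOCKER_REGISTRY_SERVER_PASSWORD")


def _is_secret_uri(uri):
    """True when uri points at a secret in an Azure Key Vault (https, *.vault.azure.net, /secrets/)."""
    u = urlparse(uri)
    return u.scheme == "https" and u.netloc.endswith(".vault.azure.net") and u.path.startswith("/secrets/")


def classify(value):
    """How App Service will treat one app_settings value:
    'reference' - well-formed Key Vault reference, resolved by App Service at runtime
    'bare_uri'  - a secret URI passed as a plain string (the asker's mistake): the URL
                  text itself is sent to the registry as the username/password
    'malformed' - starts like a reference but will not parse (e.g. stray quotes)
    'literal'   - anything else, i.e. a literal credential value
    """
    if value.lower().startswith("@microsoft.keyvault"):
        m = REF_RE.match(value)
        return "reference" if m and _is_secret_uri(m.group(1)) else "malformed"
    return "bare_uri" if _is_secret_uri(value) else "literal"


def check_app_settings(settings):
    """Return {key: problem} for credential settings that will not resolve to a secret."""
    problems = {}
    for key in SECRET_KEYS:
        kind = classify(settings.get(key, ""))
        if kind != "reference":
            problems[key] = kind
    return problems


# Constructed samples: the asker's settings and the corrected form from the second answer.
ASKER_SETTINGS = {
    "DOCKER_REGISTRY_SERVER_URL": "myregistry.azurecr.io",
    "DOCKER_REGISTRY_SERVER_USERNAME": "https://myapp-kv-az.vault.azure.net/secrets/my-secret-kv-az/redacted",
    "DOCKER_REGISTRY_SERVER_PASSWORD": "https://myapp-kv-az.vault.azure.net/secrets/my-pass-az-pass/redacted",
}
FIXED_SETTINGS = {
    "DOCKER_REGISTRY_SERVER_URL": "myregistry.azurecr.io",
    "DOCKER_REGISTRY_SERVER_USERNAME": "@Microsoft.KeyVault(SecretUri=https://myapp-kv-az.vault.azure.net/secrets/my-secret-kv-az/redacted)",
    "DOCKER_REGISTRY_SERVER_PASSWORD": "@Microsoft.KeyVault(SecretUri=https://myapp-kv-az.vault.azure.net/secrets/my-pass-az-pass/redacted)",
}
```

Note the trade-off between the two answers: the data-source approach reads the secret at plan time, so its value ends up in Terraform state and plan output, whereas the reference form is resolved by App Service at runtime and needs the app's identity to have Get permission on the vault's secrets.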