How to authenticate with Azure ACR from Azure container app service

4
votes

I'm trying to set up my App Container Service so that it can pull docker images from our ACR using Managed Identity, rather than storing the username and password in the app settings (apart from anything else we want to script these deployments and if the username and password are needed by the app service then we'd have to store them in source control).

Unbelievably, I cannot find any docs on this scenario. The closest I've found is using Managed Identity to pull an ACR image from a VM [https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication-managed-identity] , which I can't use as a guide as the final step (the only bit I'm missing) is to SSH into the VM and run az acr login --name myContainerRegistry at the command line.

Where I've got to:

  • I've created the ACR and the Container App Service
  • I've granted the role ACR Pull and Reader to the system-assigned Identity of the app service
  • The app service is getting access denied when trying to pull the container image

I don't know what to do next; like I said, I can't find any guides on this scenario.

2
azureazure-container-registryazure-managed-identity
I'm not sure if this is possible. But an alternative is to access the Azure Key Vault from your deployment pipeline to fetch the credentials and inject them into the az webapp config container set command. And note that that's only necessary when deploying a new environment, not for every code deployment. Deploying environments is infrastructure automation rather than CI/CD. docs.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/…David Browne - Microsoft
Thanks, although I'm not sure if that's going to work for us since we're using Terraform rather than ARM or the CLI directly.Richiban

2 Answers

3
votes

To configure the App Service to pull from ACR, you can use the service principal approach and setup the access level as you already done.

https://github.com/Azure/app-service-linux-docs/blob/master/service_principal_auth_acr.md

as far as App Service with terraform goes, you could inject the settings for the ServicePrincipal credentials secret in Azure Key Vault using

https://www.terraform.io/docs/providers/azurerm/r/app_service.html#app_settings

2
votes

There is a mistake that you understand the Managed Identity of the Web App. The Managed Identity of the Web App is used to access other resources inside the web app container. It means the web app container is already running. But when you pull the image, the container does not run well. So it's impossible to use the Managed Identity to pull the images from ACR. You only can use the username and password to pull the images from ACR as it does.