0
votes

Is there a way to pull an image from an Azure Container Registry without having to use the following app settings?

DOCKER_REGISTRY_SERVER_URL DOCKER_REGISTRY_SERVER_PASSWORD

I tried giving the appropriate RBAC to my App Service and using the Azure Web App on Container Deploy DevOps task, but this doesn't work.

Currently, I have it set up for CD by using the admin user/password, but that is not an option I would like to put to production.

The error message I get (when I do not set DOCKER_REGISTRY_SERVER_URL and DOCKER_REGISTRY_SERVER_PASSWORD):

2020-06-18T11:01:51.313Z INFO - Pulling image from Docker hub: xx.azurecr.io/xx:xx

2020-06-18T11:01:51.545Z ERROR - DockerApiException: Docker API responded with status code=InternalServerError, response={"message":"Get https://xx.azurecr.io/v2/xx/manifests/xx: unauthorized: authentication required"}

2020-06-18T11:01:51.553Z ERROR - Image pull failed: Verify docker image configuration and credentials (if using private repository)

1
No, you need to provide the web app with the credentials to be able to access the container registry. In production, you should use a service principal. - mm8
Ah thanks for confirming Managed Identities are not an option, I'll do that then. - reus83

1 Answer

1
votes

The environment variables in the app settings:

DOCKER_REGISTRY_SERVER_URL DOCKER_REGISTRY_SERVER_PASSWORD

are the necessary things when you need to pull the image from an Azure Container Registry. You need to know the right sequence between the credential of the ACR in the app settings and the Managed Identity of the Web App.

The Managed Identity of the Web App is used to access other resources inside the Web App when it is running. Watch out, the Web App is running. It means the image is already pulled from the ACR. So you see, the credential of the ACR will be used before the Managed Identity. If you do not set the credential, the image cannot be pulled, so the Web App won't run well. At this time, the Managed Identity does not make sense.
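A triage check for the failure discussed in this thread, added here as an example and not part of the original answer: it finds the registry whose pull was rejected in the container log, then reports which registry app settings are missing, point at the wrong host, or still carry the ACR admin user. The function names, the shortened sample log and the `DOCKER_REGISTRY_SERVER_USERNAME` setting (not quoted in the thread) are assumptions of this example.

```python
import re

# Settings App Service reads before it can pull from a private registry.
# DOCKER_REGISTRY_SERVER_USERNAME is not quoted in the thread; it is the
# companion setting that carries the user name (assumption of this example).
REQUIRED = ("DOCKER_REGISTRY_SERVER_URL",
            "DOCKER_REGISTRY_SERVER_USERNAME",
            "DOCKER_REGISTRY_SERVER_PASSWORD")

PULL_RE = re.compile(r"Pulling image[^:]*: ([\w.-]+\.azurecr\.io)/")
UNAUTH = "unauthorized: authentication required"

# Log lines shortened from the question; registry and image are masked as "xx".
SAMPLE_LOG = [
    "2020-06-18T11:01:51.313Z INFO - Pulling image from Docker hub: xx.azurecr.io/xx:xx",
    "2020-06-18T11:01:51.545Z ERROR - DockerApiException: unauthorized: authentication required",
    "2020-06-18T11:01:51.553Z ERROR - Image pull failed: Verify docker image configuration",
]


def unauthorized_registry(log_lines):
    """Return the ACR host of a pull that was rejected as unauthorized, else None."""
    host, denied = None, False
    for line in log_lines:
        m = PULL_RE.search(line)
        if m:
            host = m.group(1).lower()
        denied = denied or UNAUTH in line
    return host if denied else None


def check_settings(host, settings):
    """List what is wrong with the registry app settings for this host."""
    findings = [f"{k} is not set" for k in REQUIRED if not settings.get(k)]
    url = re.sub(r"^https?://", "", settings.get("DOCKER_REGISTRY_SERVER_URL", "").lower())
    if url and url.rstrip("/") != host:
        findings.append(f"DOCKER_REGISTRY_SERVER_URL does not point at {host}")
    # The ACR admin account's user name is the registry name itself.
    user = settings.get("DOCKER_REGISTRY_SERVER_USERNAME", "")
    if user and user.lower() == host.split(".")[0]:
        findings.append("admin user in use; switch to a service principal")
    return findings


if __name__ == "__main__":
    host = unauthorized_registry(SAMPLE_LOG)
    if host:
        for finding in check_settings(host, {}):
            print(host, "-", finding)
```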