This tutorial should use Managed Identities to Access ACR #49186
Comments
Hi @berndverst, thanks for bringing this to our attention. Your feedback has been shared with the content owner for further review. @msangapu can you please look into this? Thanks
How do you configure the app service to pull the image from ACR?
@juchom should be just like this -- no need to specify username and password if you use the managed identity and gave that identity ACRPull rights from the ACR instance: az webapp config container set --name <app-name> --resource-group myResourceGroup --docker-custom-image-name <azure-container-registry-name>.azurecr.io/mydockerimage:v1.0.0 --docker-registry-server-url https://<azure-container-registry-name>.azurecr.io
Hi @berndverst, This command gives me this error:
The error you are getting makes sense. Looks like the CLI is hardcoded to expect admin enabled on ACR (not a good idea) or a username and password to be manually provided. Let's assume we are talking about
One good option that should certainly work is to create a Service Principal for this particular situation that can only read from ACR, and then use the Service Principal client ID and client secret as username and password.
Of course using managed identities is better. It seems the CLI doesn't quite support this yet, but you could help me test this by doing the following.
So after doing this command:
I have this error
And after removing the username and password from app settings it doesn't work, with the same error.
Thanks for trying @juchom. One last thing to try -- also deleting the app setting for the login server. I really appreciate you being willing to verify this. If this still doesn't work it seems we have a little bit of engineering work left to tie some of the pieces together. You are trying some cutting edge stuff here :) Hopefully the other approach I provided is still a good option for you as well.
This doesn't work either:
In the meantime I also found this on uservoice: https://feedback.azure.com/forums/169385-web-apps/suggestions/36145444-web-app-for-containers-acr-access-requires-admin#{toggle_previous_statuses}
@juchom Thanks for trying. Please note... this bug here is the official request to update the documentation for this feature. It should work now but apparently does not. I'll take it up with the product team internally and then we will get this updated once this has been implemented / fixed.
@berndverst Any update on this? It would be a great feature to not have to use an insecure method for app service to talk to ACR.
I'd like to clarify to anyone who's implementing the above solution that the 1 year expiration for an Azure AD service principal is in fact just a default value, meaning it can easily be overridden during creation, should you feel the need to. Simply append "--years " to the "az ad sp create-for-rbac" command. I guess from a security standpoint, you might actually be better off just keeping the default value, but that's a totally different story! 👍
This is what eventually worked for me: az webapp config set -g some-rg -n some-app-name --generic-configurations "{""acrUseManagedIdentityCreds"": true, ""acrUserManagedIdentityId"": ""your-object-Id-here"", ""linuxFxVersion"": ""DOCKER|someacr.azurecr.io/some-image:latest""}" hope this helps somebody!
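The comment above shows the working `acrUseManagedIdentityCreds` setting as a single quoted command. The script below is an added example, not code from the thread or from the azure-docs project: it strings the whole procedure together (admin account disabled on the registry, system-assigned identity on the app, AcrPull scoped to that one registry, then the site config) and builds the `--generic-configurations` JSON in a helper so the shell quoting seen in the comment cannot go wrong. It assumes the Azure CLI is installed and logged in when `DRY_RUN=0`; the resource names are constructed samples, and `acrUserManagedIdentityId` is only emitted when a user-assigned identity client ID is passed.

```shell
#!/bin/sh
# Added example (not from the issue): configure an App Service to pull from ACR
# with its managed identity instead of ACR admin credentials.
# DRY_RUN=1 (default) prints the az commands to stderr; DRY_RUN=0 runs them.
set -e
DRY_RUN="${DRY_RUN:-1}"

# run: print an az invocation (dry run) or execute it
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'az' >&2
    for arg in "$@"; do printf ' %s' "$arg" >&2; done
    printf '\n' >&2
  else
    az "$@"
  fi
}

# linux_fx_version REGISTRY IMAGE TAG -> the DOCKER|... value App Service expects
linux_fx_version() {
  printf 'DOCKER|%s.azurecr.io/%s:%s' "$1" "$2" "$3"
}

# site_config_json FXVERSION [CLIENT_ID] -> JSON for --generic-configurations.
# Without CLIENT_ID the system-assigned identity is used; with it, the
# user-assigned identity is selected through acrUserManagedIdentityId.
site_config_json() {
  if [ -n "${2:-}" ]; then
    printf '{"acrUseManagedIdentityCreds": true, "acrUserManagedIdentityId": "%s", "linuxFxVersion": "%s"}' "$2" "$1"
  else
    printf '{"acrUseManagedIdentityCreds": true, "linuxFxVersion": "%s"}' "$1"
  fi
}

# configure_acr_pull RESOURCE_GROUP APP REGISTRY IMAGE TAG
configure_acr_pull() {
  rg="$1"; app="$2"; acr="$3"; image="$4"; tag="$5"

  # 1. Keep the registry's shared admin account disabled; nothing below needs it.
  run acr update --name "$acr" --resource-group "$rg" --admin-enabled false

  # 2. Give the app a system-assigned identity and capture its principal ID.
  principal_id=$(run webapp identity assign --name "$app" --resource-group "$rg" \
                   --query principalId --output tsv)
  [ -n "$principal_id" ] || principal_id="<principalId>"   # placeholder in dry run

  # 3. Grant that identity AcrPull, scoped to this one registry only.
  registry_id=$(run acr show --name "$acr" --query id --output tsv)
  [ -n "$registry_id" ] || registry_id="<registryResourceId>"   # placeholder in dry run
  run role assignment create --assignee-object-id "$principal_id" \
      --assignee-principal-type ServicePrincipal --role AcrPull --scope "$registry_id"

  # 4. Make App Service authenticate to ACR with the identity and set the image.
  fx=$(linux_fx_version "$acr" "$image" "$tag")
  run webapp config set --name "$app" --resource-group "$rg" \
      --generic-configurations "$(site_config_json "$fx")"
}

# Dry-run demo with constructed sample names; prints the az commands it would run.
if [ "$DRY_RUN" = "1" ]; then
  configure_acr_pull some-rg some-app-name someacr some-image latest
fi
```

Because the role assignment is scoped to the registry's resource ID rather than the resource group or subscription, the app can pull images and nothing else, and no credential is stored in app settings, so the rotation problem of the service-principal workaround does not arise. Pass a user-assigned identity's client ID as the second argument to `site_config_json` when the app does not use its system-assigned identity.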
This tutorial no longer recommends the best practice for authenticating App Service with ACR. It is a bad practice to enable the ACR admin mode to get the necessary credentials. Instead a managed identity should be used.
https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet#using-the-azure-cli
https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication-managed-identity#example-2-access-with-a-system-assigned-identity
Example: