Azure-docs: Referencing a custom docker image in an ARM template

Created on 5 Aug 2019 · 27 Comments · Source: MicrosoftDocs/azure-docs

I have a Web App for Linux in an ARM template and am trying to deploy a custom docker image from Azure Container Registry. I've been unsuccessful using the following and have not found any documentation as to how to reference the image in ACR.

"linuxFxVersion": "DOCKER|myregistry.azurecr.io/myrepo:latest"

Some posts I've seen suggest that the format may be "DOCKER|https://my registry.azurecr.io/myrepo:latest". That didn't work either. Any guidance would be greatly appreciated.

The Web App is also using a service principal which has been assigned the AcrPull role. I've seen other posts which use variables for the acr admin credentials, but I can't use that approach.




All 27 comments

Thanks for the feedback! We are currently investigating and will update you shortly.

@wendellh3 I believe we cover this scenario in the following documentation:

https://docs.microsoft.com/en-us/azure/app-service/containers/tutorial-custom-docker-image

Have you taken a look at that page?

Thanks for your response. The documentation covers using the Azure CLI, not ARM templates.
In the configure registry credentials section, it clearly uses the admin user and password, which is not permissible in my environment. I need to use a service principal.
The Note about using a registry other than Docker Hub is somewhat vague. This is what I've been experimenting with for some time. Here are the variations that I've tried and their results:

ORIGINAL WORDPRESS
"linuxFxVersion": "DOCKER|appsvcorg/wordpress-alpine-php:0.72",

FAILED
"linuxFxVersion": "DOCKER|myregistry.azurecr.io/myrepo:latest",
2019-08-05 16:58:33.748 ERROR - DockerApiException: ... unauthorized: authentication required"}

FAILED
"linuxFxVersion": "DOCKER|https://myregistry.azurecr.io/myrepo:latest",
2019-08-05 17:20:18.290 ERROR - DockerApiException: Docker API responded with status code=BadRequest, response={"message":"invalid reference format"}

FAILED
"linuxFxVersion": "https://myregistry.azurecr.io/myrepo:latest",
2019-08-05 17:35:41.478 ERROR - DockerApiException: Docker API responded with status code=BadRequest, response={"message":"invalid reference format"}

INPROGRESS
"linuxFxVersion": "https://myregistry.azurecr.io|myregistry.azurecr.io/myrepo:latest",
Did not error, nor display Container Settings in the portal.

Here is the role assignment for the Web App Service Principal from the cli:
{
"canDelegate": null,
"id": "/subscriptions/.../resourcegroups/rg-myrepo-cus-dev/providers/Microsoft.ContainerRegistry/registries/myregistry/providers/Microsoft.Authorization/roleAssignments/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"name": "XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"principalId": "-my-web-app-managed-identity-guid",
"principalName": "XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"principalType": "ServicePrincipal",
"resourceGroup": "rg-myrepo-cus-dev",
"roleDefinitionId": "/subscriptions/.../providers/Microsoft.Authorization/roleDefinitions/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"roleDefinitionName": "AcrPull",
"scope": "/subscriptions/.../resourcegroups/rg-myrepo-cus-dev/providers/Microsoft.ContainerRegistry/registries/myregistry",
"type": "Microsoft.Authorization/roleAssignments"
},

When I use the Web App config "linuxFxVersion": "DOCKER|acrtriagewpgbl.azurecr.io/triagewp:latest" and view the Web App's Container Settings in the portal, the Image Source is indicated as Docker Hub, not Azure Container Registry. I can stop the Web App, and reconfigure the Container Settings manually to point to my ACR and image. Then the image is pulled and extracted without errors. When I use the Export template blade in the portal, it shows this configuration, which I believe is from the template deployment and not the current configuration I did manually:
"linuxFxVersion": "DOCKER|acrtriagewpgbl.azurecr.io/triagewp:latest",

@wendellh3 can you share your ARM template with me? I can try it out as well and see if I can find a work around.

I think I have figured it out after re-reading other documentation. My new hypothesis is that ACR does not support Managed Identity, which is what is being created with the Web App for Containers. Therefore, I need to create a separate service principal with the AcrPull role and incorporate those credentials into my ARM template. Does that sound plausible? Unfortunately, I don't have access to create a service principal, so I will work through that first.

I do see we support Managed Identities

https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication-managed-identity

I don't generally work with Web Apps very often so not sure if there is some limiting items on that end. Regardless, I am happy to help resolve the issue any way I can :)

I tried using a new service principal (not a managed identity), and created appSettings for DOCKER_REGISTRY_SERVER_USERNAME and DOCKER_REGISTRY_SERVER_PASSWORD. The result in the portal was an Azure Container Registry in the Web App, but I still ran into an authentication required error. I reviewed the Managed Identities docs you referenced. It describes what I was trying previously with a managed identity for the Web App. So I'm perplexed now as to how to make this work. Any suggestions? Do you know if there is any documentation related to the appSettings mentioned above? I found them on Stack Overflow from various sources, but nothing official.
Thanks, I do appreciate your help!

@BryanTrach-MSFT @Grace-MacJones-MSFT @mike-urnun-msft have any of you had experience doing this? It is a bit outside of my wheelhouse. If not, I can get @wendellh3 in touch with support to help configure this further :)

I was able to successfully deploy the custom image to the Web App for Containers instance using the service principal, with the appSettings mentioned in the above comment. However, my preference would be to use the web app's managed identity if someone is able to help me configure it. Thanks again!

@wendellh3 I had an offline sync with @BryanTrach-MSFT and we think it would be best to get you in touch with technical support to get this sorted out further.

If you don't have the ability to open a technical support ticket, you can email me at [email protected] and provide me with your SubscriptionID and link to this issue. I can then enable your subscription for a free support request.

I will close this issue and be on the lookout for that email if needed :)

@MicahMcKittrick-MSFT , I sent an email to the address above.

We're struggling with the same issue, is there a resolution?

In short, we are trying to deploy a web app container with an image from our ACR

I am having the same issue. Is there any guidance on how to set up the credentials for ACR via ARM?

This is what we ended up using on our arm template

"appSettings": {
    "DOCKER_REGISTRY_SERVER_USERNAME": "[parameters('acrName')]",
    "DOCKER_REGISTRY_SERVER_URL": "[concat('https://',parameters('acrName'),'.azurecr.io')]",
    "DOCKER_REGISTRY_SERVER_PASSWORD": "[parameters('acrPassword')]"
}

where acrName is the name of the Azure Container Registry

@reallydontask So I assume Managed Identity didn't work. What did you specify in the linuxFxVersion parameter?

Basically this:

"linuxFxVersion": "DOCKER|<myregistry>.azurecr.io/<myrepo>:<mytag>"

Same issue. Subscribing.

Same issue here. I don't understand why this ticket is closed @mimckitt
If it was solved with the technical support ticket, it would be nice to post the solution here as well.

Not sure if it is related, but it can't harm I guess: It is also not possible to use the managed identity of an ACI to access ACR.

I got my setup working, but I had to recreate everything I had within the resource group. Plans, storage, web apps, key vaults. Changing existing resource groups and plans just gave misleading errors that led me astray for hours. No chance to get it working without recreating all from scratch.

@johnkors Thanks!

Deleting and recreating the web app with the final app settings already in place at the first deployment helped!

Hi, I'm having the same issue.
Have tried all the above suggestions and when I check container settings, it defaults to Docker Hub after every release I make from my pipeline.

Would appreciate if someone can guide me on this

For anyone still struggling with this issue, the following worked for me, place the following in the properties section of the Microsoft.Web/sites/config resource:

                "linuxFxVersion": "DOCKER|<myRegistry>.azurecr.io/<myTag>",

Then place the following in the Microsoft.Web/sites resource:

"resources": [
    {
        "name": "appsettings",
        "type": "config",
        "apiVersion": "2018-11-01",
        "dependsOn": [
            "[resourceId('Microsoft.Web/sites', variables('webApplicationName'))]"
        ],
        "tags": {
            "displayName": "appsettings"
        },
        "properties": {
            "DOCKER_REGISTRY_SERVER_USERNAME": "[listCredentials(resourceId(parameters('registryResourceGroupName'),'Microsoft.ContainerRegistry/registries',parameters('acrName')),'2019-05-01').username]",
            "DOCKER_REGISTRY_SERVER_URL": "[concat('https://', variables('acrFullUrl'))]",
            "DOCKER_REGISTRY_SERVER_PASSWORD": "[listCredentials(resourceId(parameters('registryResourceGroupName'),'Microsoft.ContainerRegistry/registries',parameters('acrName')),'2019-05-01').passwords[0].value]"
        }
    }
]

Where acrFullUrl is the URL to the container without the https://, and webApplicationName is the name of your web application.
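Added example, not part of the original thread or of any Microsoft tooling: a small pre-deployment check that encodes what the thread found, namely that `linuxFxVersion` must be `DOCKER|` followed by a scheme-less image reference, and that a private registry also needs the three `DOCKER_REGISTRY_SERVER_*` app settings. It works on resolved values (after template expressions are evaluated); the function names and sample values are constructed for illustration.

```python
def parse_linux_fx_version(value):
    """Return (registry_host, problems) for a linuxFxVersion string.

    registry_host is None when the image reference names no registry,
    which Docker resolves against Docker Hub.
    """
    kind, sep, ref = value.partition("|")
    if not sep or kind != "DOCKER":
        return None, ["value must start with 'DOCKER|'"]
    if "://" in ref:
        return None, ["image reference must not contain a URL scheme"]
    first, slash, _ = ref.partition("/")
    # Docker treats the first path component as a registry host only if it
    # looks like one (contains a dot or a port).
    host = first if slash and ("." in first or ":" in first) else None
    return host, []


def check_site(linux_fx_version, app_settings):
    """List problems in resolved container settings for one web app."""
    host, problems = parse_linux_fx_version(linux_fx_version)
    if problems or host is None:
        return problems
    base = "https://" + host
    url = app_settings.get("DOCKER_REGISTRY_SERVER_URL", "")
    if url != base and not url.startswith(base + "/"):
        problems.append(f"DOCKER_REGISTRY_SERVER_URL {url!r} does not point at {base}")
    for key in ("DOCKER_REGISTRY_SERVER_USERNAME", "DOCKER_REGISTRY_SERVER_PASSWORD"):
        if not app_settings.get(key):
            problems.append(f"{key} is not set")
    return problems


if __name__ == "__main__":
    # Constructed sample values modelled on the variations tried in the thread.
    settings = {
        "DOCKER_REGISTRY_SERVER_URL": "https://myregistry.azurecr.io",
        "DOCKER_REGISTRY_SERVER_USERNAME": "myregistry",
        "DOCKER_REGISTRY_SERVER_PASSWORD": "<constructed-placeholder>",
    }
    for fx in (
        "DOCKER|myregistry.azurecr.io/myrepo:latest",
        "DOCKER|https://myregistry.azurecr.io/myrepo:latest",
        "https://myregistry.azurecr.io|myregistry.azurecr.io/myrepo:latest",
    ):
        print(fx, "->", check_site(fx, settings) or "ok")
```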

Yeah @SiobhanBaynes . I defaulted tried that out in one of my deployments and it worked.
Thanks for pointing that out.

@SiobhanBaynes does that work in an ARM template which also sets up the ACR in the same template? I am trying that, and I get a validation error stating that the ACR does not exist.

:[{"code":"UnexpectedContainerRegistryError","message":"ContainerRegistryBaseUrl is invalid. Unexpected error when connecting to the registry. Cannot find available registry. https://jazdamlcr.azurecr.io"}

I have

      "dependsOn": [
        "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]",
        "[resourceId('Microsoft.ContainerRegistry/registries', variables('containerRegistryName'))]"
      ],

For anyone interested, here is my feeble, non-functioning attempt so far. It's based on MLOpsPython

@epa095 You seem to be missing the name of the repository in your DOCKER_REGISTRY_SERVER_URL.

Compare this:

{
    "name": "DOCKER_REGISTRY_SERVER_URL",
    "value": "[concat('https://', variables('containerRegistryName'), '.azurecr.io')]"
}

...to this:

{
    "name": "DOCKER_REGISTRY_SERVER_URL",
    "value": "[concat('https://', variables('containerRegistryName'), '.azurecr.io/', parameters('dockerImageName'))]"
}

Same thing for the linuxFxVersion setting.

So it doesn't work with managed identity? Does anyone have example of ARM template where it works without DOCKER_REGISTRY_SERVER_USERNAME and DOCKER_REGISTRY_SERVER_PASSWORD settings?
