Azure-docs: This tutorial should use Managed Identities to Access ACR

Hi @berndverst, thanks for bringing this to our attention. Your feedback has been shared with the content owner for further review.

@msangapu can you please look into this? Thanks

How do you configure the app service to pull the image from ACR?

@juchom should be just like this -- no need to specify username and password if you use the managed identity and gave that identity ACRPull rights from the ACR instance

az webapp config container set --name <app-name> --resource-group myResourceGroup --docker-custom-image-name <azure-container-registry-name>.azurecr.io/mydockerimage:v1.0.0 --docker-registry-server-url https://<azure-container-registry-name>.azurecr.io

Hi @berndverst,

This command gives me this error:

No credential was provided to access Azure Container Registry. Trying to look up...
Retrieving credentials failed with an exception:'Failed to retrieve container registry credentials. Please either provide the credentials or run 'az acr update -n myacr --admin-enabled true' to enable admin first.'

@juchom

The error you are getting makes sense. Looks like the CLI is hardcoded to expect admin enabled on ACR (not a good idea) or a username and password to be manually provided.

https://github.com/Azure/azure-cli/blob/abeb2dd611114ca4bb5c4c40996a36f3fc48a05e/src/azure-cli/azure/cli/command_modules/appservice/custom.py#L1120

Let's assume we are talking about

• A webapp with name $NAME and in resource group $GROUP
• A registry $REGISTRYNAME in resource group $REGISTRYGROUP

One good option that should certainly work

You could always do is to create a Service Principal for this particular situation that can only read from ACR.
Caveat: Credential expires in 1 year

az ad sp create-for-rbac --name AppServiceReadFromParticularACR
#Above returns a client ID and secret
az role assignment create --assignee $CLIENT_ID --scope /subscriptions/$YOURAZURESUBSCRIPTIONID/resourceGroups/$REGISTRYGROUP/providers/Microsoft.ContainerRegistry/registries/$REGISTRYNAME --role "AcrPull"

and then using the Service Principal client ID and client secret as username and password.

az webapp config container set --name $NAME --resource-group $GROUP --docker-custom-image-name $REGISTRYNAME.azurecr.io/$IMAGENAME:$IMAGETAG --docker-registry-server-url https://$REGISTRYNAME.azurecr.io --docker-registry-server-user $CLIENT_ID --docker-registry-server-password $CLIENT_SECRET

Of course using managed identities is better

It seems the CLI doesn't quite support this yet, but you could help me test this by doing the following.

# Create and assign a managed Service Principal to a Web App
az webapp identity assign --resource-group $GROUP --name $NAME

# This returns a Service Principal ID... $WEBAPPID

# Give webapp identity access to pull from ACR
az role assignment create --assignee $WEBAPPID --scope /subscriptions/$YOURAZURESUBSCRIPTIONID/resourceGroups/$REGISTRYGROUP/providers/Microsoft.ContainerRegistry/registries/$REGISTRYNAME --role "AcrPull"

# Now try using a bogus username and password
az webapp config container set --name $NAME --resource-group $GROUP --docker-custom-image-name $REGISTRYNAME.azurecr.io/$IMAGENAME:$IMAGETAG --docker-registry-server-url https://$REGISTRYNAME.azurecr.io --docker-registry-server-user $CLIENT_ID --docker-registry-server-password $CLIENT_SECRET

# Restart and try to see if this works?
az webapp restart -g $GROUP -n $NAME

# If it doesn't work, let's also delete the App Settings on the server corresponding to the username and password
az webapp config appsettings delete -g $GROUP -n $NAME --settings "DOCKER_REGISTRY_SERVER_PASSWORD" "DOCKER_REGISTRY_SERVER_USERNAME"
az webapp restart -g $GROUP -n $NAME

So after doing this command:

# Now try using a bogus username and password
az webapp config container set --name $NAME --resource-group $GROUP --docker-custom-image-name $REGISTRYNAME.azurecr.io/$IMAGENAME:$IMAGETAG --docker-registry-server-url https://$REGISTRYNAME.azurecr.io --docker-registry-server-user $CLIENT_ID --docker-registry-server-password $CLIENT_SECRET

I have this error

2020-04-08 07:42:30.233 INFO  - Pulling image from Docker hub: myacr.azurecr.io/myapp:584
2020-04-08 07:42:30.544 ERROR - DockerApiException: Docker API responded with status code=InternalServerError, response={"message":"Get https://myacr.azurecr.io/v2/myapp/manifests/584: unauthorized: authentication required"}

And after removing the username and password from app settings it doesn't work with same error.

Thanks for trying @juchom. One last thing to try -- also deleting the app setting for the login server. I really appreciate you being willing to verify this.

If this still doesn't work it seems we have a little bit of engineering work left to tie some of the pieces together. You are trying some cutting edge stuff here :) Hopefully the other approach I provided is still a good option for you as well.

# If it doesn't work, let's also delete the App Settings on the server corresponding to the username, 
 password and login server
az webapp config appsettings delete -g $GROUP -n $NAME --settings "DOCKER_REGISTRY_SERVER_PASSWORD" "DOCKER_REGISTRY_SERVER_USERNAME" "DOCKER_REGISTRY_SERVER_URL"
az webapp restart -g $GROUP -n $NAME

This doesn't work either:

2020-04-08 17:14:01.287 INFO  - Pulling image from Docker hub: myacr.azurecr.io/showcase:584
2020-04-08 17:14:01.506 ERROR - DockerApiException: Docker API responded with status code=InternalServerError, response={"message":"Get https://myacr.azurecr.io/v2/myapp/manifests/584: unauthorized: authentication required"}

2020-04-08 17:14:01.515 ERROR - Image pull failed: Verify docker image configuration and credentials (if using private repository)
2020-04-08 17:14:02.448 INFO  - Stoping site pulumitest-dev-web because it failed during startup.

In the mean time I also found this on uservoice: https://feedback.azure.com/forums/169385-web-apps/suggestions/36145444-web-app-for-containers-acr-access-requires-admin#{toggle_previous_statuses}

@juchom Thanks for trying. Please note... this bug here is the official request to update the documentation for this feature. It should work now but apparently does not. I'll take it up with the product team internally and then we will get this updated once this has been implemented / fixed.