This page talks about how System assigned Managed identity can be used to fetch from container registry. However, it does not mention what happens with VM scale sets which have a User assigned system identity.
Do we support using User assigned managed identities? If yes, how to specify clientId of the identity in case multiple User assigned managed identities are associated with the VM Scale set?
Thanks for the feedback! We are currently investigating and will update you shortly.
I am reaching out to the internal team to get the confirmation on this.
Please refer to this document for details on how to pull images from ACR using user assigned identity: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-tasks-authentication-managed-identity
@erikadoyle Can you please help confirm the following? Thanks :)
Do we support using User assigned managed identities? If yes, how to specify clientId of the identity in case multiple User assigned managed identities are associated with the VM Scale set?
@GiriB I checked with the SF team, and you can use the same steps documented here for user-assigned managed identities, provided the vmss has only a single identity. (I've updated the doc with a note.)
Assigning multiple identities to a vmss isn't a security best practice, but let me know if this is the case for you and you're blocked.