How to authenticate with Azure ACR from Azure container app service

I'm trying to set up my App Container Service so that it can pull docker images from our ACR using Managed Identity, rather than storing the username and password in the app settings (apart from anything else we want to script these deployments and if the username and password are needed by the app service then we'd have to store them in source control).

Unbelievably, I cannot find any docs on this scenario. The closest I've found is using Managed Identity to pull an ACR image from a VM [https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication-managed-identity] , which I can't use as a guide as the final step (the only bit I'm missing) is to SSH into the VM and run az acr login --name myContainerRegistry at the command line.

Where I've got to:

  • I've created the ACR and the Container App Service
  • I've granted the role ACR Pull and Reader to the system-assigned Identity of the app service
  • The app service is getting access denied when trying to pull the container image

I don't know what to do next; like I said, I can't find any guides on this scenario.

Richiban asked May 20 '20 11:05


3 Answers

To configure the App Service to pull from ACR, you can use the service principal approach and set up the access level as you have already done.

https://github.com/Azure/app-service-linux-docs/blob/master/service_principal_auth_acr.md

As far as App Service with Terraform goes, you could inject the settings for the ServicePrincipal credentials secret in Azure Key Vault using

https://www.terraform.io/docs/providers/azurerm/r/app_service.html#app_settings

djsly answered Oct 17 '22 22:10


This is now possible by setting the acrUseManagedIdentityCreds property

Here is a tutorial with the steps: https://learn.microsoft.com/en-us/azure/app-service/tutorial-custom-container?pivots=container-linux#configure-app-service-to-deploy-the-image-from-the-registry

Here are the specific commands

  1. Grant the managed identity permission to access the container registry:

az role assignment create --assignee <principal-id> --scope /subscriptions/<subscription-id>/resourceGroups/myResourceGroup/providers/Microsoft.ContainerRegistry/registries/<registry-name> --role "AcrPull"

  2. Configure your app to use the managed identity to pull from Azure Container Registry:

az resource update --ids /subscriptions/<subscription-id>/resourceGroups/myResourceGroup/providers/Microsoft.Web/sites/<app-name>/config/web --set properties.acrUseManagedIdentityCreds=True

ToDevAndBeyond answered Oct 17 '22 20:10
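The following is an added end-to-end script, not code from any of the answers above, that carries out the procedure in the preceding answer and adds the two steps it leaves implicit: turning on the system-assigned identity to obtain its principal id, and pointing the app at the image without any registry username or password. It assumes the Azure CLI is installed and logged in; every resource name is a placeholder passed as an argument, and the helper names (`acr_scope`, `webapp_config_id`, `scope_is_registry`, `configure_acr_pull`) are my own.

```shell
#!/usr/bin/env sh
# Added example (not from the original answers): let an App Service pull from
# ACR with its system-assigned managed identity instead of stored credentials.
# Assumes: az CLI installed and logged in; arguments are placeholder names.
set -eu

# Full ARM resource ID of one registry. Granting AcrPull at exactly this scope
# (not the resource group or subscription) keeps the grant least-privilege.
acr_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.ContainerRegistry/registries/%s' "$1" "$2" "$3"
}

# ARM ID of the web app's site config, which is where acrUseManagedIdentityCreds lives.
webapp_config_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Web/sites/%s/config/web' "$1" "$2" "$3"
}

# Guard: only accept a scope that names a single registry; refuse anything broader.
scope_is_registry() {
  case "$1" in
    /subscriptions/*/resourceGroups/*/providers/Microsoft.ContainerRegistry/registries/*) return 0 ;;
    *) return 1 ;;
  esac
}

configure_acr_pull() {
  sub="$1"; rg="$2"; registry="$3"; app="$4"; image="$5"
  scope="$(acr_scope "$sub" "$rg" "$registry")"
  scope_is_registry "$scope" || { echo "refusing non-registry scope: $scope" >&2; return 1; }

  # 1. Enable the system-assigned identity and capture its object (principal) id.
  principal_id="$(az webapp identity assign --name "$app" --resource-group "$rg" \
                  --query principalId -o tsv)"

  # 2. Grant AcrPull on the registry only. Passing the object id and principal
  #    type skips the directory lookup that can fail while a new identity propagates.
  az role assignment create \
    --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal \
    --role AcrPull \
    --scope "$scope"

  # 3. Tell App Service to authenticate to the registry with the managed identity.
  az resource update --ids "$(webapp_config_id "$sub" "$rg" "$app")" \
    --set properties.acrUseManagedIdentityCreds=True

  # 4. Point the app at the image. No --docker-registry-server-user/-password,
  #    so nothing secret needs to live in app settings or source control.
  az webapp config container set --name "$app" --resource-group "$rg" \
    --docker-custom-image-name "$registry.azurecr.io/$image" \
    --docker-registry-server-url "https://$registry.azurecr.io"

  # 5. Check the flag stuck; prints "true" when the app will pull with its identity.
  az webapp config show --name "$app" --resource-group "$rg" \
    --query acrUseManagedIdentityCreds -o tsv
}

# Usage: sh acr-mi.sh <subscription-id> <resource-group> <registry> <app-name> <repo:tag>
if [ "$#" -eq 5 ]; then
  configure_acr_pull "$@"
fi
```

AcrPull at the registry scope is all the identity needs to pull; a Reader assignment is not required for that. A role assignment made seconds after the identity is created can take a short while to propagate, so a freshly scripted deployment that still reports access denied on its first pull usually just needs a restart once the assignment is visible. Newer CLI releases also accept `--container-image-name` and `--container-registry-url` for the same two settings used in step 4.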


There is a mistake in how you understand the Managed Identity of the Web App. The Managed Identity of the Web App is used to access other resources from inside the web app container. It means the web app container is already running. But when you pull the image, the container is not running yet. So it's impossible to use the Managed Identity to pull the images from ACR. You can only use the username and password to pull the images from ACR, as it does.

Charles Xu answered Oct 17 '22 21:10