Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Webapp:az webapp create - doesn't support using managed identity creds for ACR pulls

See original GitHub issue

az feedback auto-generates most of the information requested below, as of CLI version 2.0.62

Describe the bug

az webapp create doesn’t have arguments to support using managed identity creds for ACR pulls (linux)

To Reproduce

n/a: there are not options to specify a managed identity for acr pulls docs are here (they don’t work): https://docs.microsoft.com/en-us/azure/app-service/containers/tutorial-custom-docker-image#configure-app-service-to-deploy-the-image-from-the-registry

Expected behavior

az webapp create -UseMiCredsWithAcr [true/false] -UserMiCredsForAcr [user managed identity client id] (or something similar)

Environment summary

Additional context

3 situations: Not using Managed Identity Creds for ACR pulls, Using system MI creds for ACR pulls, Using user MI creds for ACR pulls

Not using Managed Identity Creds for ACR pulls) AcrUseManagedIdentityCreds:False; AcrUserManagedIdentityID:null

Using system MI creds for ACR pulls) AcrUseManagedIdentityCreds:True; AcrUserManagedIdentityID:null

Using user MI creds for ACR pulls) AcrUseManagedIdentityCreds:True; AcrUserManagedIdentityID:“{UserManagedIdentity.ClientId}” *the specific clientID of the Managed Identity the customer wished to be used

*In both cases (system or user MI), a customer use the Identity tab to add a Managed Identity for this to work *In both cases, a customer must grant this Identity ARCPull permissions to the Azure Container Repo

Issue Analytics

State:
Created 3 years ago
Reactions:3
Comments:8 (4 by maintainers)

Top GitHub Comments

2reactions

btardifcommented, Nov 4, 2020

We don’t support setting this up through create, but this can be done after the resource already exists, here is documentation:

1reaction

jvanocommented, Oct 14, 2020

Please make sure you test against Windows Containers on App Service as the backend support for pulling with MSI is also ready

Top Results From Across the Web

How to authenticate with Azure ACR from Azure container app ...

Configure your app to use the managed identity to pull from Azure Container Registry ... It means the web app container is already...

Authenticate with managed identity - Azure Container Registry

This role provides pull permissions to the registry. To provide both pull and push permissions, assign the AcrPush role.

Deploying Linux custom container from private Azure ...

In this article, I will walk you through setting up a Linux web app with secure, network-isolated access to a container registry. The...

Managed Identities With Azure Container Apps - Thorsten Hans

Limitations as of April 2022 · Assigned managed identities can't be used to pull container images from Azure Container Registry (ACR) ...

system-assigned Managed ID (ACR)

Using managed identities is a best practice because they allow for ... Identity Credentials and do docker pull Webapp_Config=$(az webapp ...

Troubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.

Start Free

Top Related Reddit Thread

No results found

Top Related Tweet

No results found

Top Related Dev.to Post

No results found

Webapp:az webapp create - doesn't support using managed identity creds for ACR pulls