Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Safely setting ACR container registry credentials for webApp

See original GitHub issue

I have the following configuration for a webApp:

let deployment =
    let plan = servicePlan {
        name "buildAgents"
        sku WebApp.Sku.S3
    }

    let webApps : IBuilder list = [
        for i in 1 .. agentCount do
            webApp {
                name ("xx-yy-buildAgent-" + string i)
                link_to_service_plan plan
                app_insights_off
                docker_image $"buildagent:{buildAgentImageTag}" "start.sh"
                docker_use_azure_registry "someacr"
            }
    ]
    
    let deployment = arm {
        location Location.WestEurope
        add_resources webApps
    }
    
    deployment

An attempt to deploy this leads to the following error:

The following parameters are missing: docker-password-for-someacr. Please add them

Looking at our terraform-generated webapps, I see that we set a setting called DOCKER_REGISTRY_SERVER_PASSWORD with a secret from a keyVault.

I understand I can add a setting with setting "DOCKER_REGISTRY_SERVER_PASSWORD" "x", but I don’t understand how I can safely use the secret from the keyvault to set this setting.

I did not manage to find a solution searching the documentation for “secret” and looking at the existing examples.

Issue Analytics

State:
Created 3 years ago
Comments:5 (3 by maintainers)

Top GitHub Comments

1reaction

Szercommented, Dec 16, 2020

@l3m just yesterday did the same and I had to do 2 separate deployments. First - ACR deployment with creds as output Second - WebApp deployment with creds as input

https://github.com/Szer/grinder/blob/01f262150ee0917c088ed0180855f5dac7b3fe20/src/Grinder.Farmer/Program.fs#L148-L166

I couldn’t make it work inside one deployment even with depends_on and ARM expressions

1reaction

isaacabrahamcommented, Dec 16, 2020

@l3m the password to access “someacr” is expected to be provided as a parameter to the ARM template to provision it. My understanding for using docker with app service is that this is required so when you do the deploy you need to provide it e.g.

deployment
|> Deploy.execute "my-resource-group" [ "docker-password-for-someacr", "<password>" ]

Of course, `“<password>” is a string that can be retrieved and supplied to the template in any way that you like.

(I’m not aware of any implicit support because docker on app service and key vault.)

@dburriss do you have any thoughts on this one? I seem to recall you worked on this. @forki I think you’re using this as well - are you using it with key vault or some other way?