Richiban

Reputation: 5930

How to authenticate with Azure ACR from Azure container app service

I'm trying to set up my App Container Service so that it can pull docker images from our ACR using Managed Identity, rather than storing the username and password in the app settings (apart from anything else we want to script these deployments and if the username and password are needed by the app service then we'd have to store them in source control).

Unbelievably, I cannot find any docs on this scenario. The closest I've found is using Managed Identity to pull an ACR image from a VM [https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication-managed-identity] , which I can't use as a guide as the final step (the only bit I'm missing) is to SSH into the VM and run az acr login --name myContainerRegistry at the command line.

Where I've got to:

I don't know what to do next; like I said, I can't find any guides on this scenario.

Upvotes: 12

Views: 14660

Answers (5)

Tore Nestenius

Reputation: 19901

Getting this to work is unbelievably hard. I spent days getting this to work, and here is how I got it to work.

I first create an App Service using

$AppService = az webapp create `
    --name $AppServiceName_container_linux `
    --acr-use-identity `
    --plan $AppServicePlan_linux `
    --resource-group $rgname `
    --container-image-name $imagePath `
    --assign-identity $identityId `
    --output json | ConvertFrom-Json

However, there is a catch!

Yes, the hidden truth is that we have two different identities to deal with and we need to specify both identities to get this to work as the image below shows:


You can set this second identity using:

$property = "properties.siteConfig.AcrUserManagedIdentityID=${ClientID}"
$tmp = az resource update `
    --ids $appServiceID `
    --set $property `
    --output json | ConvertFrom-Json

or

$data="{\""acrUserManagedIdentityID\"": \""${clientId}\""}"
$tmp = az webapp config set `
    --resource-group $rgname `
    --name $AppServiceName_container_linux `
    --generic-configurations $data `
    --output json | ConvertFrom-Json

To ensure that it is set up correctly, we can query the App Service configuration using:

$settings = az webapp config show `
    --resource-group $rgname `
    --name $AppServiceName_container_linux `
    --output json | ConvertFrom-Json
Write-Host "`nThese two settings must be set for successful ACR pull:"
Write-Host "acrUseManagedIdentityCreds='$($settings.acrUseManagedIdentityCreds)'"
Write-Host "acrUserManagedIdentityID='$($settings.acrUserManagedIdentityId)'"

The acrUseManagedIdentityCreds should be set to true, and the acrUserManagedIdentityID should contain the GUID for your managed identity.

I did a blog post about this in more detail at https://nestenius.se/2024/08/27/deploy-a-container-to-azure-app-services-using-azure-cli-and-user-assigned-managed-identity/

Upvotes: 0

Sina

Reputation: 154

For people doing Azure ML and getting the following error:

AzureMLCompute job failed.
AggregatedUnauthorizedAccessError: Failed to pull Docker image aaa.azurecr.io/bbb:latest. 
This error may occur because the compute could not authenticate with the Docker registry to pull the image. 
If using ACR please ensure the ACR has Admin user enabled or a Managed Identity with `AcrPull` access to the ACR is assigned to the compute. 
If the ACR Admin user's password was changed recently it may be necessary to synchronize the workspace keys.
Authentication methods attempted: Anonymous

You need to create compute with managed identity to access Docker images for training [this and this].

Upvotes: 0

ToDevAndBeyond

Reputation: 1503

This is now possible by setting the acrUseManagedIdentityCreds property

Here is a tutorial with the steps: https://learn.microsoft.com/en-us/azure/app-service/tutorial-custom-container?pivots=container-linux#configure-app-service-to-deploy-the-image-from-the-registry

Here are the specific commands

  1. Grant the managed identity permission to access the container registry:

az role assignment create --assignee <principal-id> --scope /subscriptions/<subscription-id>/resourceGroups/myResourceGroup/providers/Microsoft.ContainerRegistry/registries/<registry-name> --role "AcrPull"

  2. Configure your app to use the managed identity to pull from Azure Container Registry

az resource update --ids /subscriptions/<subscription-id>/resourceGroups/myResourceGroup/providers/Microsoft.Web/sites/<app-name>/config/web --set properties.acrUseManagedIdentityCreds=True

Upvotes: 9
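The two answers above (Tore Nestenius's and ToDevAndBeyond's) describe the same three pieces that have to line up: a managed identity attached to the app, the site config (`acrUseManagedIdentityCreds` plus, for a user-assigned identity, `acrUserManagedIdentityId`) pointing at that identity, and an `AcrPull` role assignment for that identity at a scope that covers the registry. The following is an added example, not code from the question or from any of the answers: an offline checker that takes the JSON documents `az webapp show`, `az webapp config show` and `az role assignment list --all` print and reports which of the three pieces is missing. The sample documents, resource ids, client id and principal id below are constructed placeholders, and the field names used are the ones these `az` commands emit (`identity.userAssignedIdentities`, `acrUseManagedIdentityCreds`, `acrUserManagedIdentityId`, `principalId`, `roleDefinitionName`, `scope`).

```python
"""Offline consistency check for an App Service pulling from ACR with a managed identity.

Added example; all ids and names are constructed placeholders, not real resources.
"""
import re

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)

# Constructed sample ids (placeholders).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
REGISTRY_ID = SUB + "/resourceGroups/rg-demo/providers/Microsoft.ContainerRegistry/registries/acrdemo"
IDENTITY_ID = SUB + "/resourceGroups/rg-demo/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-demo"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
PRINCIPAL_ID = "22222222-2222-2222-2222-222222222222"

# Constructed: the identity block of `az webapp show` output.
SAMPLE_WEBAPP = {
    "identity": {
        "type": "UserAssigned",
        "userAssignedIdentities": {
            IDENTITY_ID: {"clientId": CLIENT_ID, "principalId": PRINCIPAL_ID}
        },
    }
}

# Constructed: the relevant fields of `az webapp config show` output.
SAMPLE_SITE_CONFIG = {
    "acrUseManagedIdentityCreds": True,
    "acrUserManagedIdentityId": CLIENT_ID,
}

# Constructed: `az role assignment list --all` output, trimmed to the fields used.
# AcrPull granted at resource-group scope, which also covers the registry inside it.
SAMPLE_ROLE_ASSIGNMENTS = [
    {"principalId": PRINCIPAL_ID, "roleDefinitionName": "AcrPull",
     "scope": SUB + "/resourceGroups/rg-demo"},
]


def scope_covers(scope: str, resource_id: str) -> bool:
    """True if a role assignment at `scope` applies to `resource_id`.

    Compares whole path segments, so /resourceGroups/rg does not cover /resourceGroups/rg2.
    """
    s = [p.lower() for p in scope.strip("/").split("/")]
    r = [p.lower() for p in resource_id.strip("/").split("/")]
    return r[: len(s)] == s


def resolve_pull_identity(webapp: dict, site_config: dict):
    """Return (principal_id, problems) for the identity App Service will use to pull."""
    problems = []
    identity = webapp.get("identity") or {}
    id_type = identity.get("type") or "None"
    user_assigned = identity.get("userAssignedIdentities") or {}
    client_id = (site_config.get("acrUserManagedIdentityId") or "").strip()

    if not client_id:
        # An empty value means App Service falls back to the system-assigned identity.
        if "SystemAssigned" in id_type and identity.get("principalId"):
            return identity["principalId"], problems
        if user_assigned:
            problems.append("acrUserManagedIdentityId is empty: a user-assigned identity is "
                            "attached to the app but site config does not select it for ACR pull")
        else:
            problems.append("app has no managed identity")
        return None, problems

    if not GUID_RE.match(client_id):
        problems.append(f"acrUserManagedIdentityId {client_id!r} is not a GUID")
        return None, problems
    # The site config holds the identity's client id; role assignments key on its principal id.
    for ident in user_assigned.values():
        if (ident.get("clientId") or "").lower() == client_id.lower():
            return ident.get("principalId"), problems
    problems.append(f"acrUserManagedIdentityId {client_id} is not the client id of any "
                    "identity assigned to the app")
    return None, problems


def check_acr_pull_config(webapp, site_config, role_assignments, registry_id):
    """Return the list of problems found; an empty list means the pull path is consistent."""
    problems = []
    if site_config.get("acrUseManagedIdentityCreds") is not True:
        problems.append("acrUseManagedIdentityCreds is not true")
    principal_id, more = resolve_pull_identity(webapp, site_config)
    problems.extend(more)
    if principal_id is None:
        return problems
    has_pull = any(
        (ra.get("principalId") or "").lower() == principal_id.lower()
        and ra.get("roleDefinitionName") == "AcrPull"
        and scope_covers(ra.get("scope") or "", registry_id)
        for ra in role_assignments
    )
    if not has_pull:
        problems.append(f"principal {principal_id} has no AcrPull assignment covering {registry_id}")
    return problems


if __name__ == "__main__":
    print(check_acr_pull_config(SAMPLE_WEBAPP, SAMPLE_SITE_CONFIG, SAMPLE_ROLE_ASSIGNMENTS, REGISTRY_ID))
    # The pitfall from the answers: identity attached, but site config not pointed at it.
    broken = dict(SAMPLE_SITE_CONFIG, acrUserManagedIdentityId="")
    print(check_acr_pull_config(SAMPLE_WEBAPP, broken, SAMPLE_ROLE_ASSIGNMENTS, REGISTRY_ID))
```

To run it against a real app, save each command's output with `-o json` and load the three files with `json.load` in place of the constructed samples. The check deliberately resolves the client id in site config back to a principal id before looking for `AcrPull`, because that mismatch (identity attached, role granted, but site config still empty or pointing at the wrong identity) is exactly the silent failure the answers above describe.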

Charles Xu

Reputation: 31384

There is a mistake in how you understand the Managed Identity of the Web App. The Managed Identity of the Web App is used to access other resources from inside the web app container. It means the web app container is already running. But when you pull the image, the container is not running yet. So it's impossible to use the Managed Identity to pull the images from ACR. You can only use the username and password to pull the images from ACR, as it does.

Upvotes: 2

djsly

Reputation: 1618

To configure the App Service to pull from ACR, you can use the service principal approach and set up the access level as you have already done.

https://github.com/Azure/app-service-linux-docs/blob/master/service_principal_auth_acr.md

As far as App Service with Terraform goes, you could inject the settings for the ServicePrincipal credentials secret from Azure Key Vault using

https://www.terraform.io/docs/providers/azurerm/r/app_service.html#app_settings

Upvotes: 4
