Reputation: 4051
I want to create a container (or container group) in Azure Container Instances, pulling the image(s) from Azure Container Registry - but with using a SystemAssigned identity. With that I want to avoid using ACR login credentials, a service principal or a UserAssigned identity.
When I run this script (Azure CLI in PowerShell) ...

```powershell
$LOC = "westeurope"
$RG = "myresourcegroup"
$ACRNAME = "myacr"
az configure --defaults location=$LOC group=$RG
# Registry details (loginServer for the image name, id as the role scope)
$acr = az acr show -n $ACRNAME -o json | ConvertFrom-Json -Depth 10
# Create the container group with a system-assigned identity and grant it acrpull on the registry
az container create --name app1 --image $($acr.loginServer+"/app1") `
--assign-identity --role acrpull --scope $acr.id `
--debug
```
... ACI does not seem to recognize that it should be already authorized for ACR and shows this prompt:

```text
Image registry username:
```
Azure CLI version: 2.14.0
Does this make sense? Is the ACI managed identity supported for ACR?
Upvotes: 5
Views: 2379
Reputation: 825
This solution will not use managed identity, and it is important to note that we will need owner role at least on the resource group level.
The main idea is to use service principals to get the access using the acrpull role. See the following PowerShell script:

```powershell
# Set these to your own values before running
$resourceGroupName = "myresourcegroup"
$containerRegistryName = "myacr"
$containerInstanceName = "app1"
$containerImage = "${containerRegistryName}.azurecr.io/app1"

$resourceGroup = (az group show --name $resourceGroupName | ConvertFrom-Json )
$containerRegistry = (az acr show --name $containerRegistryName | ConvertFrom-Json)
# Service principal scoped to this registry only, with pull rights only
$servicePrincipal = (az ad sp create-for-rbac `
--name "${containerRegistryName}.azurecr.io" `
--scopes $containerRegistry.id `
--role acrpull `
| ConvertFrom-Json )
# The service principal's appId/password are passed as the registry credentials
az container create `
--name $containerInstanceName `
--resource-group $resourceGroupName `
--image $containerImage `
--command-line "tail -f /dev/null" `
--registry-login-server "${containerRegistryName}.azurecr.io" `
--registry-username $servicePrincipal.appId `
--registry-password $servicePrincipal.password
```

Please note that we have created a service principal, so we also need to remove that:

```powershell
az ad sp delete --id $servicePrincipal.appId
```
There is documentation on how to do that:
Deploy to Azure Container Instances from Azure Container Registry
Update:
I think the `--registry-login-server "${containerRegistryName}.azurecr.io"` option was missing.
Upvotes: 1
Reputation: 4051
From Jan 2022 on managed identity is supported on Azure Container Instance to access Azure Container Registry: https://learn.microsoft.com/en-us/azure/container-instances/using-azure-container-registry-mi
Upvotes: 2
Reputation: 1
@minus_one's solution does not work in my case. Runbook to make container registry. It does need more privileges than stated in here... https://github.com/Azure/azure-powershell/issues/3215
Upvotes: 0
Reputation: 28294
In your code, you create an Azure container with a managed identity that is created at ACI creation time, and use it to authenticate to ACR. I am afraid that you cannot do that because there are limitations:
You can't use a managed identity to pull an image from Azure Container Registry when creating a container group. The identity is only available within a running container.
Upvotes: 2
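The following is an added example (not code from the question or any of the answers) that ties together the two points above: ACI can pull from ACR with a managed identity, but a system-assigned identity only exists once the group is being created, so the identity that performs the pull has to exist and hold the acrpull role beforehand. It therefore uses a user-assigned identity; the resource names (myresourcegroup, myacr, app1-identity, app1) are constructed placeholders, and the `--acr-identity` flag of `az container create` is the one the linked documentation uses for this.

```powershell
# Constructed placeholder names; replace with your own
$RG      = "myresourcegroup"
$LOC     = "westeurope"
$ACRNAME = "myacr"
$IDNAME  = "app1-identity"
$APPNAME = "app1"

az configure --defaults location=$LOC group=$RG

# Registry details: id is the role-assignment scope, loginServer prefixes the image name
$acr = az acr show -n $ACRNAME -o json | ConvertFrom-Json
if (-not $acr) { throw "Registry '$ACRNAME' not found in resource group '$RG'" }

# Create the identity before the container group exists (a system-assigned identity
# cannot be granted a role before the group is created, which is the limitation above)
$identity = az identity create -n $IDNAME -o json | ConvertFrom-Json

# Least privilege: pull-only role, scoped to this single registry
az role assignment create `
    --assignee-object-id $identity.principalId `
    --assignee-principal-type ServicePrincipal `
    --role acrpull `
    --scope $acr.id | Out-Null
# Role assignments can take a short while to propagate; retry the create below if the pull is denied

# No registry username/password: --acr-identity tells ACI which identity performs the pull
az container create --name $APPNAME `
    --image "$($acr.loginServer)/$APPNAME" `
    --assign-identity $identity.id `
    --acr-identity $identity.id `
    --command-line "tail -f /dev/null"

# Confirm the group came up instead of stalling on a credential prompt
$state = az container show -n $APPNAME --query "instanceView.state" -o tsv
Write-Output "Container group '$APPNAME' state: $state"
```

Because no credential is handed to the container group, there is nothing to rotate or delete afterwards; removing the role assignment or the identity revokes the pull access.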