Using Azure Web App for Containers with managed identity

Question

Deployed an Azure App service for Containers with a custom image (from Centos 7 base image). Based on the following documentation There is an environment variable that should be set by Azure and used for creating the REST API request to obtain an access token:

IDENTITY_ENDPOINT - the URL to the local token service.

However, when checking inside the container, this variable is not set:

[root@f22dfd74be31 ~]# echo $IDENTITY_ENDPOINT
(empty result here)

I've also tried to invoke az cli, which fails as well:

[root@f22dfd74be31 ~]# az login -i
AzureConnectionError: Failed to connect to MSI. Please make sure MSI is configured correctly 
and check the network connection.
Error detail: HTTPConnectionPool(host='169.254.169.254', port=80): Max retries exceeded with 
url: /metadata/identity/oauth2/token?resource=https%3
A%2F%2Fmanagement.core.windows.net%2F&api-version=2018-02-01 (Caused by 
NewConnectionError(': Failed to establish a new connection: [Errno 110] Connection timed out',))

I've successfully used managed identity with both Virtual machines and App Service (code deployment not containers), is it supported with App Service for containers, with custom containers?

Setec Astronomy · Accepted Answer

When working with App service for containers the "platform" environment variables, including managed identity and app settings are only available when the container is initialized. In order to make these variables accessible from the container, the following line must be incorporated in the container startup script (called from Dockerfile ENTRYPOINT):

eval $(printenv | sed -n "s/^$[^=]\+$=$.*$$/export \1=\2/p" | sed 's/"/\\"/g' | sed '/=/s//="/' | sed 's/$/"/' >> /etc/profile)

Using Azure Web App for Containers with managed identity

Answers (2)

Related Questions