Reputation: 11
I'm currently deploying a Docker container to an Azure App Service slot.
I'm using a Linux-based app service (App Service Plan S1) and the container is hosted in an Azure Container Registry.
I've configured the required DOCKER_REGISTRY_SERVER_* settings for the app service.
For the server password I'm using a key vault reference (@Microsoft.KeyVault(VaultName=my-vault;SecretName=my-secret)). I've created a managed identity for the app service slot and assigned the GET secret permission in the key vault. The app settings also show that it is a valid reference:
[Screenshot: Successful key vault reference]
However, when I then try to browse to the website, I get an error message in the logs stating that the pull request on ACR is unauthorized.
2022-01-24T09:21:33.589Z INFO - Pulling image: ******.azurecr.io/******:33819
2022-01-24T09:21:33.730Z ERROR - DockerApiException: Docker API responded with status code=InternalServerError, response={"message":"Get https://******.azurecr.io/v2/******/manifests/33819: unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information."}
2022-01-24T09:21:33.740Z ERROR - Pull image threw Exception: Input string was not in a correct format.
2022-01-24T09:21:33.747Z INFO - Pulling image from Docker hub: ******.azurecr.io/******:33819
2022-01-24T09:21:33.870Z ERROR - DockerApiException: Docker API responded with status code=InternalServerError, response={"message":"Get https://******.azurecr.io/v2/******/manifests/33819: unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information."}
2022-01-24T09:21:33.872Z WARN - Image pull failed. Defaulting to local copy if present.
When I replace the DOCKER_REGISTRY_SERVER_PASSWORD value with the actual password, the app service is able to successfully pull the container and start the website.
Any reason why this wouldn't work?
Upvotes: 0
Views: 959
Reputation: 3137
When I replace the DOCKER_REGISTRY_SERVER_PASSWORD value with the actual password, the app service is able to successfully pull the container and start the website.
As your Container Registry does not have access to the Azure Key Vault secrets, you are getting the "pull request on ACR is unauthorized" error.
You can assign a system-assigned managed identity to your Azure Container Registry and assign the GET secret permission in the key vault.
Then you would be able to pull the container and start the website using the key vault reference only.
Upvotes: 0
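One way to triage the symptom described in the question, added here as an example and not code from either poster: it parses the Key Vault reference syntax and the container log format shown above, and flags the case where the registry answers "unauthorized" while DOCKER_REGISTRY_SERVER_PASSWORD is a reference rather than a literal value. The function names, sample settings and sample log lines are constructed for illustration.

```python
import re

# Key Vault reference syntax: (VaultName=...;SecretName=...) or (SecretUri=...)
KV_REF = re.compile(r"^@Microsoft\.KeyVault\((?P<body>[^)]*)\)$")
# Log line shape taken from the question: "<timestamp> <LEVEL> - <message>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>INFO|WARN|ERROR)\s+-\s+(?P<msg>.*)$")
UNAUTHORIZED = "unauthorized: authentication required"

# Constructed sample data (placeholder registry, image and vault names).
SAMPLE_SETTINGS = {
    "DOCKER_REGISTRY_SERVER_URL": "https://example.azurecr.io",
    "DOCKER_REGISTRY_SERVER_PASSWORD":
        "@Microsoft.KeyVault(VaultName=my-vault;SecretName=my-secret)",
}
SAMPLE_LOG = [
    "2022-01-24T09:21:33.589Z INFO - Pulling image: example.azurecr.io/app:1",
    '2022-01-24T09:21:33.730Z ERROR - DockerApiException: response={"message":'
    '"Get https://example.azurecr.io/v2/app/manifests/1: unauthorized: authentication required"}',
    "2022-01-24T09:21:33.872Z WARN - Image pull failed. Defaulting to local copy if present.",
]


def parse_kv_reference(value):
    """Return the reference fields, or None for a literal or malformed value."""
    m = KV_REF.match(value.strip())
    if not m:
        return None
    fields = dict(p.split("=", 1) for p in m["body"].split(";") if "=" in p)
    ok = "SecretUri" in fields or {"VaultName", "SecretName"} <= fields.keys()
    return fields if ok else None


def triage(app_settings, log_lines):
    """Correlate registry auth failures with how the password is supplied."""
    denied, image = [], None
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        if m["msg"].startswith("Pulling image"):
            image = m["msg"].partition(": ")[2]  # remember the image being pulled
        elif m["level"] == "ERROR" and UNAUTHORIZED in m["msg"]:
            denied.append((m["ts"], image))
    ref = parse_kv_reference(app_settings.get("DOCKER_REGISTRY_SERVER_PASSWORD", ""))
    return {
        "denied_pulls": denied,
        "password_is_kv_reference": ref is not None,
        "vault": ref.get("VaultName") if ref else None,
        # Pull denied while the password is a reference: check that it resolves at pull time.
        "suspect_reference_resolution": bool(denied) and ref is not None,
    }
```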