We have an ACR which is in a separate resource group from the App Service that is attempting to pull images from it. Now we are brainstorming ways to get either credentials, or Managed Identities on the App Service that will allow pulling containers for runtime.
I've been combing through documentation to see how this might work with Managed Identities, but I'm currently unsure if this is possible. I am used to setting up the environment variables for auth, e.g. DOCKER_REGISTRY_SERVER_PASSWORD, but am not sure if there is an interface for a Managed Identity to use an access policy to the ACR instead. I bring it up because I see some documentation around using this for AKS and an IaaS VM, but App Service is somewhere between those two and I'm not seeing a definitive answer on whether this is possible.
I haven't tested this yet, but am wondering: if I were to assign the acrPull policy to the managed identity, would App Service be able to pull the image from the ACR? Would I just be able to specify DOCKER_REGISTRY_SERVER_URL inside App Settings for this to work?
CodePudding user response:
According to this tutorial, it is possible. Steps 6 and 7:
- Grant the managed identity permission to access the container registry:
  az role assignment create --assignee <principal-id> `
      --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerRegistry/registries/<registry-name> `
      --role "AcrPull"
- Configure your app to use the managed identity to pull from Azure Container Registry.
  az resource update `
      --ids /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Web/sites/<app-name>/config/web `
      --set properties.acrUseManagedIdentityCreds=True
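The answer above quotes two steps out of a longer tutorial. The script below is an added example, not part of the original question, answer or the Microsoft tutorial, that carries the whole procedure end to end for the cross-resource-group case asked about: enable the system-assigned identity on the app, grant AcrPull scoped to the registry resource itself (the scope is the registry's ARM ID, so the registry's resource group is irrelevant), flip acrUseManagedIdentityCreds, point the app at the image, and read the flag back. It assumes a logged-in Azure CLI with both resource groups in the current subscription; all names are placeholders supplied as arguments, and the two id-building helpers are this example's own, not an Azure CLI feature.

```shell
#!/bin/sh
# Added example (not from the original post): let an App Service pull from an
# ACR in a different resource group via its system-assigned managed identity.
# Assumes: az is installed and logged in, and the current subscription holds
# both resource groups. All names are placeholders passed as arguments.
set -e

# ARM resource ID of the registry. This is the RBAC scope: AcrPull is granted
# on the registry only, never on its resource group or the subscription.
build_registry_scope() {
  sub="$1"; rg="$2"; acr="$3"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.ContainerRegistry/registries/%s' "$sub" "$rg" "$acr"
}

# ARM resource ID of the app's site config, where acrUseManagedIdentityCreds lives.
build_web_config_id() {
  sub="$1"; rg="$2"; app="$3"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Web/sites/%s/config/web' "$sub" "$rg" "$app"
}

configure_acr_pull() {
  app_rg="$1"; app_name="$2"; acr_rg="$3"; acr_name="$4"; image="$5"
  sub=$(az account show --query id -o tsv)

  # 1. Turn on the system-assigned identity and capture its object (principal) ID.
  principal_id=$(az webapp identity assign -g "$app_rg" -n "$app_name" --query principalId -o tsv)

  # 2. Grant AcrPull on the registry. Passing the object ID and principal type
  #    skips the Graph lookup, which can lag for a just-created identity and
  #    make the assignment fail with "principal not found".
  az role assignment create \
    --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal \
    --role AcrPull \
    --scope "$(build_registry_scope "$sub" "$acr_rg" "$acr_name")"

  # 3. Make App Service use the identity instead of DOCKER_REGISTRY_SERVER_* settings.
  az resource update \
    --ids "$(build_web_config_id "$sub" "$app_rg" "$app_name")" \
    --set properties.acrUseManagedIdentityCreds=True

  # 4. Point the app at the image. No registry username/password is stored.
  az webapp config container set -g "$app_rg" -n "$app_name" \
    --docker-custom-image-name "${acr_name}.azurecr.io/${image}" \
    --docker-registry-server-url "https://${acr_name}.azurecr.io"

  # 5. Read the flag back. If the first pull still fails after this, the role
  #    assignment has usually not propagated yet; it can take a few minutes.
  az webapp config show -g "$app_rg" -n "$app_name" --query acrUseManagedIdentityCreds -o tsv
}

# Usage: sh acr-pull-mi.sh <app-rg> <app-name> <acr-rg> <acr-name> <image:tag>
if [ "$#" -eq 5 ]; then
  configure_acr_pull "$@"
fi
```

Flag names for `az webapp config container set` are the ones used in the tutorial's era; check `--help` on your CLI version, as newer releases have renamed some of them. The point of scoping to the registry ID rather than granting AcrPull at the subscription is least privilege: the identity can pull from this one registry and nothing else.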