azureazure-container-registryazure-managed-identity

How to authenticate with Azure ACR from Azure container app service


I'm trying to set up my App Container Service so that it can pull docker images from our ACR using Managed Identity, rather than storing the username and password in the app settings (apart from anything else we want to script these deployments and if the username and password are needed by the app service then we'd have to store them in source control).

Unbelievably, I cannot find any docs on this scenario. The closest I've found is using Managed Identity to pull an ACR image from a VM [https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication-managed-identity] , which I can't use as a guide as the final step (the only bit I'm missing) is to SSH into the VM and run az acr login --name myContainerRegistry at the command line.

Where I've got to:

I don't know what to do next; like I said, I can't find any guides on this scenario.


Solution

  • To configure the App Service to pull from ACR, you can use the service principal approach and setup the access level as you already done.

    https://github.com/Azure/app-service-linux-docs/blob/master/service_principal_auth_acr.md

    as far as App Service with terraform goes, you could inject the settings for the ServicePrincipal credentials secret in Azure Key Vault using

    https://www.terraform.io/docs/providers/azurerm/r/app_service.html#app_settings