I'm trying to set up my App Container Service so that it can pull docker images from our ACR using Managed Identity, rather than storing the username and password in the app settings (apart from anything else we want to script these deployments and if the username and password are needed by the app service then we'd have to store them in source control).
Unbelievably, I cannot find any docs on this scenario. The closest I've found is using Managed Identity to pull an ACR image from a VM [https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication-managed-identity], which I can't use as a guide as the final step (the only bit I'm missing) is to SSH into the VM and run az acr login --name myContainerRegistry at the command line.
Where I've got to:
ACR Pull and Reader to the system-assigned Identity of the app service
I don't know what to do next; like I said, I can't find any guides on this scenario.
To configure the App Service to pull from ACR, you can use the service principal approach and set up the access level as you have already done.
https://github.com/Azure/app-service-linux-docs/blob/master/service_principal_auth_acr.md
As far as App Service with Terraform goes, you could inject the settings for the service principal credentials secret in Azure Key Vault using
https://www.terraform.io/docs/providers/azurerm/r/app_service.html#app_settings
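An added example of what the answer describes (not from the answer, the linked doc or any Microsoft sample): the registry credentials live in Key Vault, and `app_settings` only carries Key Vault reference strings, so nothing secret reaches source control or Terraform state. It assumes azurerm provider 2.x (`azurerm_app_service`), an existing resource group, plan and ACR managed elsewhere in the same configuration, and a Key Vault already holding the service principal app ID and password as secrets named `acr-sp-id` and `acr-sp-password` (constructed names).

```hcl
# Added example, not the answer's own code. Assumes azurerm 2.x and that
# azurerm_resource_group.rg, azurerm_app_service_plan.plan and
# azurerm_container_registry.acr are defined elsewhere in the configuration.
data "azurerm_key_vault" "kv" {
  name                = "example-kv"   # assumed vault name
  resource_group_name = azurerm_resource_group.rg.name
}

resource "azurerm_app_service" "app" {
  name                = "example-app"  # assumed app name
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  app_service_plan_id = azurerm_app_service_plan.plan.id

  # App Service resolves Key Vault references with this system-assigned identity.
  identity {
    type = "SystemAssigned"
  }

  site_config {
    linux_fx_version = "DOCKER|${azurerm_container_registry.acr.login_server}/myimage:latest"
  }

  # Version-less reference URIs are built from vault_uri (which ends in "/"),
  # so the secret values are never read into Terraform state; App Service
  # fetches them at startup and uses them for the registry login.
  app_settings = {
    DOCKER_REGISTRY_SERVER_URL      = "https://${azurerm_container_registry.acr.login_server}"
    DOCKER_REGISTRY_SERVER_USERNAME = "@Microsoft.KeyVault(SecretUri=${data.azurerm_key_vault.kv.vault_uri}secrets/acr-sp-id)"
    DOCKER_REGISTRY_SERVER_PASSWORD = "@Microsoft.KeyVault(SecretUri=${data.azurerm_key_vault.kv.vault_uri}secrets/acr-sp-password)"
  }
}

# Least privilege: the app identity only needs Get on secrets in this vault.
# Without this policy the references stay unresolved and the image pull fails.
resource "azurerm_key_vault_access_policy" "app_secrets" {
  key_vault_id       = data.azurerm_key_vault.kv.id
  tenant_id          = azurerm_app_service.app.identity[0].tenant_id
  object_id          = azurerm_app_service.app.identity[0].principal_id
  secret_permissions = ["Get"]
}
```

Because the access policy can only be created after the app's identity exists, the first container start may fail until the policy is applied; a restart of the app after `terraform apply` completes picks the resolved settings up.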