Azure Container Registry need to be Admin user enabled to let be consumed in Container App Environment
I have Azure Container App and Azure Container Registry.
When I create new Azure Container App manually via Portal, it does not allow that
Cannot access ACR 'acrname.azurecr.io' because admin credentials on the ACR are disabled.
When I enable Admin user of Azure Container Registry, it works of course. As I read it is suggested to be disabled. My only question, is it possible to consume registry via portal for given users, without enabling admin user?
To consume an Azure Container Registry in a Container App environment via the Azure portal, the admin user of the registry needs to be enabled. However, it is recommended to disable the admin user for security reasons. One solution is to enable the admin user to configure the Container App through the portal. After setting up, disable the admin user and rely on the service principal for runtime authentication from the Container App.
az acr update -n <acr_name> --admin-enabled false
Another possible solution is to use a managed identity or service principal to pull images from the registry, which eliminates the need for admin credentials.
To securely connect an Azure Container App to an Azure Container Registry (ACR) without enabling the ACR admin user, you can use a managed identity or a service principal.
Below are detailed steps for both methods
Using a Managed Identity (Option A)
Step 1: Enable Managed Identity on Azure Container App
- Navigate to your Azure Container App in the Azure Portal.
- Under Settings, find and select "Identity".
- In the System assigned tab, switch the Status to "On" and click "Save". This action creates a managed identity for your Azure Container App.
Step 2: Assign Role to Managed Identity for ACR Access
- Go to your Azure Container Registry in the Azure Portal.
- Under Settings, select "Access control (IAM)".
- Click on "Add role assignment".
- For the role, select "ACR Pull" to allow the managed identity to pull images from this registry.
- In the "Select" field, enter the name of your Azure Container App to find the managed identity associated with it.
- Select the managed identity and then click "Save" to assign the role.
This setup grants the Azure Container App's managed identity permission to pull images from the ACR without needing explicit credentials.
Using a Service Principal (Option B)
If for some reason you prefer using a service principal over a managed identity, follow these steps:
Step 1: Create a Service Principal
Goto Microsoft Entra ID-> app registration-> create new registration-> give a name-> choose tenant type and register.
Once created, note down the client id, tenant id, and go to certificates and secrets and create a secret which you will use later for authentication.
then go to your acr and under IAM add roles, you can add acr pull, push or straightaway owner role for complete access. Make sure to select service principal option.
Also ensure you have the roles assigned under your resource group and subscription level as well to avoid permission denied error message.
goto your resource-group -> IAM-> Add roles-> add your choice of roles-> select service principal
repeat the process under your subscription as well
Now try connecting to your acr via azure cli or command prompt using-
az login --service-principal --username <app_id> --password <client_secret> --tenant <tenant_id>
Step 3: Deploy Container Using New Settings
With the service principal configured in your Azure Container App settings, it will use these credentials to pull the container image from ACR during deployment.
References:
- Azure PowerShell command to list all Azure VM SKU Sizes enabled for Confidential Computing Azure ACC
- Create Azure TimerTrigger Durable Function in python
- Azure File Share: Cannot map network drive
- RBAC with bicep
- ADF expression to convert array to comma separated string
- How to get status of Azure machine learning service pipeline run using Rest Api?
- How do I deploy a Nuxt 3 solution to an Azure Node Web App
- Azure Blob Upload not working in ASP .Net Core Application
- How to clear a Cosmos DB database or delete all items using Azure portal
- Using script commands, how to add multiple scale rules to an Azure Container App?
- User Assigned Managed Identity: No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId
- Generate resources dynamically from another group of dynamically generated resources in Terraform
- Column reordering in ADF
- Logic App AuthorizationFailure - vnet integration needed
- Azure blob, controlling filename on download
- Azure VNet peering with Private Link
- Get Private FQDNs, IPs, Names of the Private Endpoints for the Azure resources deployed in an Virtual Network using PowerShell Script
- How to configure appsettings on a auto-generated preview environment
- Using Azure DevOps, how do I migrate a release pipeline to code, similar to build pipeline yml?
- Root login Ubuntu VM on Azure
- Filtering azure devops release build based upon build tag with "Continuous deployment trigger"
- Azure WebApp autoscale
- How to handle long startup times in Azure App Service deployment
- Frontend not available when front and back on same Web App Azure
- Use Salesforce Connectors from Hosted Azure Logic App in VSCode?
- What is considered an ingestion request in Azure Data Explorer?
- Provisioning (SCIM) by Entra/Azure: Why can I not select the "groups" attribute in my attribute mapping?
- Azure function verbose trace logging to Application Insights
- Azure function app GraphServiceClient create list
- Cypress tests fail to run in parallel mode due to mismatched specs between different runs