Tags: docker, azure-devops, terraform, azure-functions, azure-container-registry

Access denied for '***', repository does not exist or may require 'docker login': denied: requested access to the resource is denied


I need help with setting up an Azure Function App application from a Docker image.

I've prepared a Docker image and pushed it to ACR using an Azure DevOps pipeline (the image was tested and works perfectly fine).
I have this Terraform script:

locals {
  app_settings_function_app = {
    Environment                         = title(var.ENVIRONMENT)
    WEBSITES_ENABLE_APP_SERVICE_STORAGE = "true"
    WEBSITE_ENABLE_SYNC_UPDATE_SITE     = "true"

    # Application Insight Settings
    APPINSIGHTS_INSTRUMENTATIONKEY                  = module.project-appinsights.instrumentation_key
    APPLICATIONINSIGHTS_CONNECTION_STRING           = module.project-appinsights.connection_string
    APPINSIGHTS_PROFILERFEATURE_VERSION             = "1.0.0"
    APPINSIGHTS_SNAPSHOTFEATURE_VERSION             = "1.0.0"
    APPLICATIONINSIGHTS_CONFIGURATION_CONTENT       = ""
    ApplicationInsightsAgent_EXTENSION_VERSION      = "~3"
    DiagnosticServices_EXTENSION_VERSION            = "~3"
    InstrumentationEngine_EXTENSION_VERSION         = "disabled"
    SnapshotDebugger_EXTENSION_VERSION              = "disabled"
    XDT_MicrosoftApplicationInsights_BaseExtensions = "disabled"
    XDT_MicrosoftApplicationInsights_Mode           = "recommended"
    XDT_MicrosoftApplicationInsights_PreemptSdk     = "disabled"
    ASPNETCORE_ENVIRONMENT                          = var.ASPNETCORE_ENVIRONMENT
    FUNCTIONS_WORKER_RUNTIME                        = "dotnet-isolated"
    WeatherProcessFunctionSchedule                  = var.WORKER_SCHEDULE
    AzureWebJobsStorage                             = module.storage_account_wmtsweather.primary_connection_string
    WEBSITES_ENABLE_APP_SERVICE_STORAGE             = "true"
    AZURE_CLIENT_ID                                 = data.azurerm_user_assigned_identity.project-id.client_id
  }
  wmtsweather_function_app_name = "${var.PROJECTNAME}-function-app-${local.environment_short_name}-${var.INDEX}"
}

resource "azurerm_linux_function_app" "wmtsweather-function_app" {
  name                = local.wmtsweather_function_app_name
  resource_group_name = data.azurerm_resource_group.project-rg.name
  location            = data.azurerm_resource_group.project-rg.location
  service_plan_id     = module.service_plan_linux.id

  identity {
    type         = "UserAssigned"
    identity_ids = [data.azurerm_user_assigned_identity.project-id.id]
  }

  key_vault_reference_identity_id = data.azurerm_user_assigned_identity.project-id.id

  site_config {
    always_on = "true"

    # uncomment this when you use internal ACR, comment when use public repo
    container_registry_managed_identity_client_id = data.azurerm_user_assigned_identity.project-id.client_id
    container_registry_use_managed_identity       = "true"

    ftps_state          = "Disabled"
    minimum_tls_version = "1.2"

    application_stack {
      docker {
        registry_url = "registr_url.io"
        image_name   = "wmts/wmtsweathergenerator-downloader"
        image_tag    = "latest"
      }
    }
  }

  storage_account_name        = module.storage_account_wmtsweather.name
  storage_account_access_key  = module.storage_account_wmtsweather.primary_access_key

  storage_account {
    access_key          = module.storage_account_wmtsweather.primary_access_key
    account_name        = module.storage_account_wmtsweather.name
    name                = module.storage_account_wmtsweather.name
    share_name          = azurerm_storage_share.wmts-local-storage-share.name
    type                = "AzureFiles"
    mount_path          = var.STORAGE_MUNT_PATH
  }
  
  app_settings          = local.app_settings_function_app
  tags = module.common_tags.tags

  lifecycle {
    ignore_changes = [
      app_settings["DOCKER_CUSTOM_IMAGE_NAME"],
      tags["dateStart"]
    ]
  }
}

# Set policy for webapp/function in the project key vault
resource "azurerm_key_vault_access_policy" "wmtsweather-function_app" {
  key_vault_id = data.azurerm_key_vault.project-kv.id
  tenant_id    = data.azurerm_key_vault.project-kv.tenant_id
  object_id    = data.azurerm_user_assigned_identity.project-id.principal_id
  
  secret_permissions = [
    "Get", "List"
  ]
}

It creates a function app with access to ACR configured through a user-assigned identity. I checked that the created managed identity has a role to access ACR.

I've published the created image using Azure DevOps:

steps:
- task: AzureFunctionAppContainer@1
  displayName: 'Azure Function App on Container Deploy: wa-wmtsweather-function-app-d-01'
  inputs:
    azureSubscription: 'rg-wmtsweather-dev-01'
    appName: 'wa-wmtsweather-function-app-d-01'
    imageName: 'wmts/wmtsweathergenerator-downloader'

and I receive an error:

2024-03-08T18:00:13.576Z WARN - Image pull failed. Defaulting to local copy if present.
2024-03-08T18:00:13.578Z ERROR - Image pull failed: Verify docker image configuration and credentials (if using private repository)
2024-03-08T18:00:18.873Z INFO - Stopping site wa-i4wmtsweather-function-app-d-01 because it failed during startup.
2024-03-08T18:05:06.071Z INFO - Pulling image: wmts/wmtsweathergenerator-downloader
2024-03-08T18:05:07.275Z ERROR - DockerApiException: Docker API responded with status code=NotFound, response={"message":"pull access denied for wmts/wmtsweathergenerator-downloader, repository does not exist or may require 'docker login': denied: requested access to the resource is denied"}

Here is the output of the release script for this function app:

2024-03-08T16:44:21.7436956Z ##[section]Starting: Azure Function App on Container Deploy: wa-wmtsweather-function-app-d-01
2024-03-08T16:44:21.8535236Z ==============================================================================
2024-03-08T16:44:21.8536880Z Task         : Azure Functions for container
2024-03-08T16:44:21.8537264Z Description  : Update a function app with a Docker container
2024-03-08T16:44:21.8537390Z Version      : 1.233.0
2024-03-08T16:44:21.8537793Z Author       : Microsoft Corporation
2024-03-08T16:44:21.8538127Z Help         : https://aka.ms/azurefunctioncontainertroubleshooting
2024-03-08T16:44:21.8538259Z ==============================================================================
2024-03-08T16:44:22.8239515Z Got service connection details for Azure App Service:'wa-wmtsweather-function-app-d-01'
2024-03-08T16:44:24.8594333Z Trying to update App Service Configuration settings. Data: {"appCommandLine":null,"linuxFxVersion":"DOCKER|wmts/wmtsweathergenerator-downloader"}
2024-03-08T16:44:41.0757574Z Updated App Service Configuration settings.
2024-03-08T16:44:41.0765837Z Restarting App Service : wa-wmtsweather-function-app-d-01
2024-03-08T16:44:41.4346557Z App Service 'wa-wmtsweather-function-app-d-01' restarted successfully.
2024-03-08T16:44:41.4356048Z Updating App Service Application settings. Data: {"WEBSITES_ENABLE_APP_SERVICE_STORAGE":"false"}
2024-03-08T16:45:12.9581740Z Updated App Service Application settings and Kudu Application settings.
2024-03-08T16:45:19.0778496Z Successfully added release annotation to the Application Insight : ai-wmtsweather-dev-01
2024-03-08T16:45:20.8598644Z Successfully updated deployment History at https://wa-wmtsweather-function-app-d-01.scm.azurewebsites.net/api/deployments/7601709916319077
2024-03-08T16:45:21.3974212Z App Service Application URL: http://wa-wmtsweather-function-app-d-01.azurewebsites.net
2024-03-08T16:45:21.4173456Z ##[section]Finishing: Azure Function App on Container Deploy: wa-wmtsweather-function-app-d-01

I wonder if my configuration is OK. Is the docker section inside application_stack in the Terraform script really needed? Or is something completely different causing this issue? I can mention that I successfully created another app with a pretty similar configuration, within the same resource group and using the same managed identity. The only difference is that it was an App Service, not a function app. I am not a DevOps engineer, just a simple developer, and I'd appreciate help from someone with more knowledge.


Solution

  • I've found the solution, and it turned out it was as stupid as it could be: I didn't specify the full path to the ACR image in the Release configuration... The fixed YAML should look like this:

    steps:
    - task: AzureFunctionAppContainer@1
      displayName: 'Azure Function App on Container Deploy: wa-wmtsweather-function-app-d-01'
      inputs:
        azureSubscription: 'rg-wmtsweather-dev-01'
        appName: 'wa-wmtsweather-function-app-d-01'
        imageName: '<path_to_acr>/wmts/wmtsweathergenerator-downloader'
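
Added example, not part of the original question or answer: a pre-deployment check that resolves an image name the way Docker does (a name with no registry host goes to Docker Hub, which is why the pull above was denied) and rejects anything that does not point at the intended ACR. The registry host `myregistry.azurecr.io` and all function names are assumptions made for illustration.

```python
EXPECTED_REGISTRY = "myregistry.azurecr.io"  # constructed placeholder, not from the page
DEFAULT_REGISTRY = "docker.io"               # where unqualified image names are pulled from


def split_image_reference(image):
    """Return (registry, repository, tag) for a Docker image reference.

    Simplified form of Docker's rule: the text before the first '/' is a
    registry host only if it contains '.' or ':' or equals 'localhost';
    otherwise it belongs to the repository path and Docker Hub is used.
    """
    name, digest_sep, _digest = image.partition("@")
    first, slash, rest = name.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        registry, remainder = first, rest
    else:
        registry, remainder = DEFAULT_REGISTRY, name
    # A ':' in the last path component separates the tag.
    if ":" in remainder.rsplit("/", 1)[-1]:
        repository, tag = remainder.rsplit(":", 1)
    else:
        repository, tag = remainder, (None if digest_sep else "latest")
    return registry, repository, tag


def check_image(image, expected_registry=EXPECTED_REGISTRY):
    """Return a list of problems; an empty list means the reference is acceptable."""
    registry, _repository, _tag = split_image_reference(image)
    if registry != expected_registry:
        return [f"{image!r} resolves to {registry!r}, expected {expected_registry!r}"]
    return []


def check_linux_fx_version(value, expected_registry=EXPECTED_REGISTRY):
    """Check a linuxFxVersion setting such as 'DOCKER|repo/image' from the release log."""
    kind, sep, image = value.partition("|")
    if not sep or kind.upper() != "DOCKER":
        return [f"{value!r} is not a DOCKER|<image> setting"]
    return check_image(image, expected_registry)


if __name__ == "__main__":
    # First value is taken from the release log above; second uses the placeholder host.
    for setting in ("DOCKER|wmts/wmtsweathergenerator-downloader",
                    "DOCKER|myregistry.azurecr.io/wmts/wmtsweathergenerator-downloader"):
        print(setting, "->", check_linux_fx_version(setting) or "ok")
```

Run against the `imageName` input or the `linuxFxVersion` value before the deploy task, so an unqualified name fails the pipeline instead of reaching the function app.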