Pull image from ACR

Arhanti Doshi 65 Reputation points
2024-11-13T01:40:31.63+00:00

I have created yaml file. i can deploy image to my app service

but i am getting error in pull image

  1. this is my yaml file
       trigger:
         branches:
           include:
             - main # Adjust to your branch name
       
       pool:
         vmImage: 'ubuntu-latest'
       
       variables:
         - name: instructor
           value: Arhanti
         - name: imageName
           value: demo
       
       stages:
         - stage: Build
           jobs:
             - job: CheckAuthentication
               steps:
                 - script: echo "hello [$(instructor)]"
                   displayName: Greetings
       
             - job: DockerBuild
               steps:
                 - task: Docker@2
                   displayName: 'Docker Login'
                   inputs:
                     containerRegistry: 'AzureRegistery1'  # Ensure this matches your service connection name
                     command: 'login'
       
                 - task: Docker@2
                   displayName: 'Build Docker Image'
                   inputs:
                     command: 'build'
                     repository: '$(imageName)' 
                     Dockerfile: '**/Dockerfile'
                     tags: '$(Build.BuildId)'
       
                 - task: Docker@2
                   displayName: 'Push Docker Image'
                   inputs:
                     command: 'push'
                     repository: '$(imageName)'   # Same repository path for push
                     tags: '$(Build.BuildId)'  # Use the same tag as in the build step
                     containerRegistry: 'AzureRegistery1'  # Ensure this matches your service connection name
       
         - stage: Deploy
           jobs:
             - job: DeployToAppService
               steps:
                 - task: AzureWebAppContainer@1
                   displayName: 'Deploy Docker Image to Azure App Service'
                   inputs:
                     azureSubscription: 'ResourceGroup'  # Azure subscription connected service name
                     appName: 'MySpringApp'  # Name of your Azure App Service
                     imageName: '$(imageName):$(Build.BuildId)'  # Full path with tag for App Service deployment
                     registryUrl: 'https://autopilotqa.azurecr.io'
                     dockerRegistryEndpoint: 'AzureRegistery1'  # Service connection to the Azure Container Registry
                     enableSystemAssignedManagedIdentity: true  # Ensures App Service uses managed identity
       
       
    
    1. i get this error:024-11-12T13:36:06.239Z INFO - Pulling image: demo:125 2024-11-12T13:36:06.841Z ERROR - DockerApiException: Docker API responded with status code=InternalServerError, response={"message":"Head "https://registry-1.docker.io/v2/library/demo/manifests/125": unauthorized: incorrect username or password"} 2024-11-12T13:36:06.844Z ERROR - Pulling docker image demo:125 failed: 2024-11-12T13:36:07.858Z ERROR - DockerApiException: Docker API responded with status code=NotFound, response={"message":"pull access denied for demo, repository does not exist or may require 'docker login': denied: requested access to the resource is denied"} 2024-11-12T13:36:07.859Z WARN - Image pull failed. Defaulting to local copy if present. 2024-11-12T13:36:07.861Z ERROR - Image pull failed: Verify docker image configuration and credentials (if using private repository) 2024-11-12T13:36:13.261Z INFO - Stopping site myspringapp because it failed during startup.
Azure Spring Apps
Azure Spring Apps
An Azure platform as a service for running Spring Boot applications at cloud scale. Previously known as Azure Spring Cloud.
130 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
8,151 questions
{count} votes

1 answer

Sort by: Most helpful
  1. SnehaAgrawal-MSFT 22,006 Reputation points
    2024-11-14T11:07:01.5266667+00:00

    @Arhanti Doshi Thanks for reply!

    As you have Set up Managed Identity for the Web Apps for Containers below few points needs to be cross checked-

    • The instructions only apply to Linux based containers configurations.
    • Ensure Webapp and the Azure Container registry must be on the same azure subscription
    • Important to note that - Accessing a container registry on a different subscription is currently not supported.

    Further I am sharing detailed Steps for - Managed Identity can be enabled through the portal as well with the following steps. Please cross check-

    In this case, System Assigned Identity is used - steps for User Assigned Identity will essentially be the same.

    1. Enable System Assigned Identity by turning the Status to "On" and then select "Yes" on the popup to enable it: image.png
    2. Go to Deployment Center in the Azure Portal and enter the details needed - ensure that Authentication is set to Managed Identity: image.png
    3. After successfully setting the image and authentication type from the portal, the AcrPull role should automatically be added to this identity. You can validate this by going to the Azure Portal -> Identity -> and click on Azure role assignments: image.png image.png
    4. At this point, the image pull should be successful - this can be validated in Application Logs. For troubleshooting, see the Troubleshooting section below.

    Generate and assign the System Assigned Managed Identity-

    1. Below we generate and assign a System Assigned Managed Identity and configure the application to use the output principal (Object) ID. az webapp identity assign --resource-group <group-name> --name <app-name> --query principalId --output tsv NOTE: To assign an Identity to a slot, use the --slot parameter on az webapp identity assign. Review documentation usage here .
    2. Grant the Identity access to the Azure Container Registry- Get the resource URI of your container registry by running the following command: az acr show --resource-group <group-name> --name <registry-name> --query id --output tsv
    3. Next, we will grant this identity the 'pull' role on the targeted Azure Container Registry. In this case only the 'acrpull' role is assigned. az role assignment create --assignee <principal-id> --scope <registry-resource-id> --role "AcrPull"
    4. Lastly, we configure the application to use the Managed Identity that we created and assigned to the application: az webapp config set --resource-group <group-name> --name <app-name> --generic-configurations '{"acrUseManagedIdentityCreds": true}' Through Deployment Center or the CLI, set the image and tag that needs to be pulled from Azure Container Registry.
    5. More information on Azure Container Registry roles and permissions can be found here .

    For Generating and assign the User Assigned Managed Identity

    User Assigned identity steps are essentially the same. The below are commands to walk through how to create the identity, as seen here 

    Confirm this is working

    To validate this is working ensure that 'Admin User' is disabled on the Azure Container Registry that is being targeted. After successfully enabling a Managed Identity in the above scenario - the DOCKER_REGISTRY_USERNAME and DOCKER_REGISTRY_PASSWORD are no longer needed if the Web App for Container was initially created with this.

    Troubleshoot steps-

    • In docker.log (and our platform logging like the Application Logs detector), a container with the name yourapp_0_000000_msiProxy will be created. This is the "token service" container that is used whenever a customer enabled Managed Identity.
    • Ensure the Managed Identity being used actually has the AcrPull role assigned to it.
    • Validate if the container is still using 'Admin User Credentials' against the Azure Container Registry.
    • Under [resources.azure.com]  ensure that the property acrManagedIdentityCreds for the application in question is not set to false.
    • Check if the Managed Identity ObjectID visible in the portal under the Identity tab is the same one initially set up with to authenticate to ACR. If the prior Managed Identity was deleted or changed without updating the Web App for Container, this may cause an authentication error.
    • If Azure Container Registry is set to only allow certain IP's but the pull is done over one that is not whitelisted
    • If the App Service is VNET integrated (and the ACR has a Private Endpoint) but the App Service is not explicitly set to pull images through the VNET. In this case, the pull may happen over a public IP.
    • A misconfigured VNET set up (as well on the ACR side)

    Hope this helps- Please let us know if query remains.

     

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.