@Arhanti Doshi Thanks for reply!
As you have set up Managed Identity for Web Apps for Containers, below are a few points that need to be cross-checked:
- The instructions only apply to Linux-based container configurations.
- Ensure the Web App and the Azure Container Registry are on the same Azure subscription.
- Important to note: accessing a container registry on a different subscription is currently not supported.
Further, I am sharing detailed steps. Managed Identity can be enabled through the portal as well with the following steps. Please cross-check:
In this case, System Assigned Identity is used - steps for User Assigned Identity will essentially be the same.
- Enable System Assigned Identity by turning the Status to "On" and then select "Yes" on the popup to enable it:
- Go to Deployment Center in the Azure Portal and enter the details needed - ensure that Authentication is set to Managed Identity:
- After successfully setting the image and authentication type from the portal, the AcrPull role should automatically be added to this identity. You can validate this by going to the Azure Portal -> Identity -> and click on Azure role assignments:
- At this point, the image pull should be successful - this can be validated in Application Logs. For troubleshooting, see the Troubleshooting section below.
Generate and assign the System Assigned Managed Identity:
- Below we generate and assign a System Assigned Managed Identity and configure the application to use the output principal (object) ID.
az webapp identity assign --resource-group <group-name> --name <app-name> --query principalId --output tsv
NOTE: To assign an identity to a slot, use the --slot parameter on az webapp identity assign. Review documentation usage here.
- Grant the identity access to the Azure Container Registry. Get the resource URI of your container registry by running the following command:
az acr show --resource-group <group-name> --name <registry-name> --query id --output tsv
- Next, we will grant this identity the 'pull' role on the targeted Azure Container Registry. In this case only the 'AcrPull' role is assigned.
az role assignment create --assignee <principal-id> --scope <registry-resource-id> --role "AcrPull"
- Lastly, we configure the application to use the Managed Identity that we created and assigned to the application:
az webapp config set --resource-group <group-name> --name <app-name> --generic-configurations '{"acrUseManagedIdentityCreds": true}'
Through Deployment Center or the CLI, set the image and tag that need to be pulled from Azure Container Registry.
- More information on Azure Container Registry roles and permissions can be found here.
Generating and assigning the User Assigned Managed Identity
User Assigned Identity steps are essentially the same. The commands below walk through how to create the identity, as seen here.
Confirm this is working
To validate this is working, ensure that 'Admin User' is disabled on the Azure Container Registry that is being targeted. After successfully enabling a Managed Identity in the above scenario, the DOCKER_REGISTRY_USERNAME and DOCKER_REGISTRY_PASSWORD settings are no longer needed if the Web App for Containers was initially created with them.
Troubleshooting steps:
- In docker.log (and our platform logging, like the Application Logs detector), a container with the name yourapp_0_000000_msiProxy will be created. This is the "token service" container that is used whenever a customer enables Managed Identity.
- Ensure the Managed Identity being used actually has the AcrPull role assigned to it.
- Validate if the container is still using 'Admin User Credentials' against the Azure Container Registry.
- Under [resources.azure.com] ensure that the property acrManagedIdentityCreds for the application in question is not set to false.
- Check if the Managed Identity ObjectID visible in the portal under the Identity tab is the same one initially set up with to authenticate to ACR. If the prior Managed Identity was deleted or changed without updating the Web App for Container, this may cause an authentication error.
- If Azure Container Registry is set to only allow certain IPs but the pull is done over one that is not whitelisted.
- If the App Service is VNET integrated (and the ACR has a Private Endpoint) but the App Service is not explicitly set to pull images through the VNET. In this case, the pull may happen over a public IP.
- A misconfigured VNET setup (also on the ACR side).
Hope this helps. Please let us know if any query remains.
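To check the prerequisites and troubleshooting points from this answer in one place, here is an added example (my own script, not part of the original answer or any Microsoft tooling). It takes the JSON that az webapp identity show, az webapp config show, az acr show and az role assignment list print, with the field names assumed from that output, and reports every mismatch; the sample data below is constructed.

```python
"""Local checker for the managed-identity ACR pull setup described above."""


def subscription_of(resource_id):
    """Return the subscription id embedded in an ARM resource id, or None."""
    parts = resource_id.strip("/").split("/")
    if len(parts) > 1 and parts[0].lower() == "subscriptions":
        return parts[1].lower()
    return None


def diagnose(webapp_id, identity, site_config, registry, role_assignments):
    """Return a list of findings; an empty list means the setup looks correct.
    Field names (principalId, type, adminUserEnabled, roleDefinitionName, scope,
    acrUseManagedIdentityCreds) are assumed to match the az CLI JSON output."""
    findings = []
    principal = identity.get("principalId")
    if identity.get("type", "None") == "None" or not principal:
        findings.append("no managed identity is enabled on the web app")
    if subscription_of(webapp_id) != subscription_of(registry["id"]):
        findings.append("web app and registry are in different subscriptions (not supported)")
    if registry.get("adminUserEnabled"):
        findings.append("registry Admin User is enabled; disable it to confirm the identity is used")
    if not site_config.get("acrUseManagedIdentityCreds"):
        findings.append("acrUseManagedIdentityCreds is not true on the web app")
    # The AcrPull assignment must be for this principal and scoped at, or above, the registry.
    has_pull = any(
        ra.get("principalId") == principal
        and ra.get("roleDefinitionName") == "AcrPull"
        and registry["id"].lower().startswith(ra.get("scope", "").lower())
        for ra in role_assignments
    )
    if principal and not has_pull:
        findings.append("identity %s has no AcrPull assignment covering the registry" % principal)
    return findings


# Constructed sample data mirroring the CLI output (placeholder ids, not real resources).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-demo/providers/"
SAMPLE_WEBAPP_ID = SUB + "Microsoft.Web/sites/myapp"
SAMPLE_REGISTRY = {"id": SUB + "Microsoft.ContainerRegistry/registries/myacr", "adminUserEnabled": False}
SAMPLE_IDENTITY = {"type": "SystemAssigned", "principalId": "11111111-1111-1111-1111-111111111111"}
SAMPLE_SITE_CONFIG = {"acrUseManagedIdentityCreds": True}
SAMPLE_ROLES = [{"principalId": SAMPLE_IDENTITY["principalId"], "roleDefinitionName": "AcrPull",
                 "scope": SAMPLE_REGISTRY["id"]}]

if __name__ == "__main__":
    for line in diagnose(SAMPLE_WEBAPP_ID, SAMPLE_IDENTITY, SAMPLE_SITE_CONFIG,
                         SAMPLE_REGISTRY, SAMPLE_ROLES) or ["OK: no mismatches found"]:
        print(line)
```

Feed it the real `-o json` output of the four commands to reproduce the checklist against a live web app and registry.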