ACR pull role for system managed identity is not created when provisioning Container Apps using bicep
We are creating an Azure managed application that installs several resources, including container apps.
We created a bicep file that provisions a container app with a system-assigned managed identity and adds an AcrPull role assignment for that identity on the ACR. When the template is deployed, the role assignment is never provisioned, which leaves the container app unable to pull the image and therefore unable to create a revision.
The error message we receive during the installation of the AMA is "Failed to provision revision for container app {container-app-name}. Error details: Operation expired".
It is worth mentioning that using a user-assigned identity, or the ACR username and password, works; the issue is only that the role assignment is not created for the system-assigned managed identity.
The bicep code can be found below. Several settings were removed for clarity, such as container app environment variables.
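@description('Azure region for every resource created by this template.')
param location string

@description('CPU allocation for the container as a JSON number string (e.g. "0.5"); it is parsed with json() in the container app template.')
param containerAppCpu string

@description('Name of the Container Apps managed environment to create.')
param containerAppEnvironmentName string

@description('Image repository name inside the registry (without login server or tag).')
param containerAppImageName string

@description('Image tag to deploy.')
param containerAppImageTag string

@description('Upper bound for scale-out; at least 1 so that a revision can run.')
@minValue(1)
param containerAppMaxReplicas int

@description('Memory allocation for the container (e.g. "1Gi").')
param containerAppMemory string

@description('Lower bound for scale-in; 0 lets the app scale to zero.')
@minValue(0)
param containerAppMinReplicas int

@description('Name of the container app to create.')
param containerAppName string

@description('Name of the Azure Container Registry to create; globally unique, 5-50 alphanumeric characters.')
@minLength(5)
@maxLength(50)
param containerRegistryName string

@description('Registry SKU. The admin user is disabled on the registry, so image pulls rely on RBAC (AcrPull) regardless of SKU.')
@allowed([
  'Basic'
  'Standard'
  'Premium'
])
param containerRegistrySku string = 'Standard'

@description('Name of an existing Log Analytics workspace that receives container app logs. The existing reference below specifies no scope, so it is resolved in the deployment resource group.')
param logAnalyticsWorkspaceName string

// Built-in role definition ID of "AcrPull". This is a role definition ID, not a principal
// object ID; the variable name is kept unchanged because the role assignment references it.
var acrPullRoleObjectId = '7f951dda-4ed3-4680-a7ca-43fe172d538d'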
// Reference to an already-deployed Log Analytics workspace (not created by this template).
// No scope is given, so the workspace must live in the resource group this template is deployed to.
resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2023-09-01' existing = {
  name: logAnalyticsWorkspaceName
}
// Container Apps managed environment that hosts the container app and ships its logs to the
// existing Log Analytics workspace.
resource containerAppEnvironment 'Microsoft.App/managedEnvironments@2024-03-01' = {
  name: containerAppEnvironmentName
  location: location
  properties: {
    appLogsConfiguration: {
      destination: 'log-analytics'
      logAnalyticsConfiguration: {
        customerId: logAnalyticsWorkspace.properties.customerId
        // listKeys() is evaluated at deployment time, so the principal running the deployment
        // (for a managed application: the publisher-side identity) needs permission to list the
        // workspace keys, not just read access to the workspace. The key is handed to the
        // environment as a secret-like value; rotating the workspace key requires redeploying.
        sharedKey: logAnalyticsWorkspace.listKeys().primarySharedKey
      }
    }
  }
}
// Container registry that holds the image pulled by the container app.
resource containerRegistry 'Microsoft.ContainerRegistry/registries@2021-09-01' = {
  name: containerRegistryName
  location: location
  sku: {
    name: containerRegistrySku
  }
  properties: {
    // No admin username/password: the only way to pull is through Azure RBAC (AcrPull) on an
    // identity, which is what the container app and the role assignment below rely on.
    adminUserEnabled: false
  }
}
// Container app whose system-assigned identity is meant to authenticate image pulls from the
// registry above.
// NOTE(review): registries[0].identity = 'SystemAssigned' means the *first* revision already pulls
// from the registry with this identity, but the AcrPull assignment (acrPullRoleAssignment below)
// reads containerApp.identity.principalId and so can only be deployed after this resource has
// finished. The first revision is therefore provisioned without pull rights, this resource fails
// ("Operation expired"), and the dependent role assignment is never deployed at all. Breaking the
// cycle needs either a user-assigned identity created (and granted AcrPull) before the app, or two
// deployment steps: create the app without the registry reference / with a public placeholder
// image, assign the role, then update the app to the real image.
resource containerApp 'Microsoft.App/containerApps@2024-03-01' = {
  name: containerAppName
  location: location
  identity: {
    // principalId of a system-assigned identity is only known once this resource exists.
    type: 'SystemAssigned'
  }
  properties: {
    managedEnvironmentId: containerAppEnvironment.id
    configuration: {
      activeRevisionsMode: 'Single'
      // No registry password secret: the pull is expected to use the managed identity.
      secrets: []
      registries: [
        {
          server: containerRegistry.properties.loginServer
          identity: 'SystemAssigned'
        }
      ]
      ingress: {
        // external: true exposes the app on the public internet; use false if the app should
        // only be reachable from inside the managed environment.
        external: true
        targetPort: 7072
        transport: 'auto'
      }
    }
    template: {
      containers: [
        {
          name: 'image-name'
          image: '${containerRegistry.properties.loginServer}/${containerAppImageName}:${containerAppImageTag}'
          resources: {
            // containerAppCpu is a string parameter; json() turns e.g. '0.5' into a number.
            cpu: json(containerAppCpu)
            memory: containerAppMemory
          }
          env: []
        }
      ]
      scale: {
        minReplicas: containerAppMinReplicas
        maxReplicas: containerAppMaxReplicas
      }
    }
  }
}
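// Grants the container app's system-assigned identity AcrPull on the registry.
// NOTE(review): because this resource reads containerApp.identity.principalId, ARM must finish
// creating the container app first. The app's initial revision already pulls from the registry as
// 'SystemAssigned' (see its registries block), i.e. before this assignment exists, so the revision
// cannot pull, the container app deployment fails ("Operation expired") and this dependent
// assignment is never deployed. The assignment itself is not wrong; the ordering is. Break the cycle
// by deploying the app and the assignment in two steps (deploy the app without the registry
// reference or with a public placeholder image, assign the role, then deploy the real image), or
// use a user-assigned identity that is created and granted AcrPull before the app.
resource acrPullRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  // Deterministic name: one assignment per app/role pair. Role assignment names only need to be
  // unique per scope, and the scope is the registry.
  name: guid(containerApp.id, 'acrpull')
  scope: containerRegistry
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', acrPullRoleObjectId)
    principalId: containerApp.identity.principalId
    // A freshly created managed identity may not have replicated to Entra ID when ARM creates the
    // assignment. Stating the principal type lets ARM skip the directory lookup and avoids the
    // intermittent "PrincipalNotFound" failure. A system-assigned identity is a service principal.
    principalType: 'ServicePrincipal'
    description: 'Allow the container app to pull images from the registry'
  }
}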