Deploying Azure Function via bicep templates with custom docker container is not working

JANKULOSKI Dame -C I O 5 Reputation points
2023-02-05T20:57:26.0766667+00:00

We are trying to deploy an Azure Function behind a private endpoint, using a custom Docker container image that we store in an Azure Container Registry. We are using Bicep templates to deploy the necessary resources automatically. The issue we are faced with is that the authorization between the Azure Function and Azure Container Registry is not working properly unless we re-save the settings through the Azure portal. Is there a command that can be used via DevOps pipelines that will perhaps refresh the credentials for the Azure Function's system managed id, since the Bicep template assigns an AcrPull role against the resource group where the container registry is contained?

@Mike Urnun tagging you for visibility


4 answers

  1. Abdul Sajid Mohammed 470 Reputation points Microsoft Employee
    2023-02-06T22:45:57.23+00:00

    Hello @JANKULOSKI Dame -C I O

    This example below uses the Azure CLI task in Azure DevOps to run the az functionapp identity assign command. It assigns the "AcrPull" role to the Azure function's system-managed identity, allowing the function to access the container registry in the specified resource group.

    You can also use the "az functionapp identity delete" command to delete the Azure function's system-managed identity and create a new one. This can be useful if you are experiencing issues with the current identity.

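    - task: AzureCLI@2
      inputs:
        azureSubscription: 'my-subscription'
        scriptType: 'pscore'
        scriptLocation: 'inlineScript'
        inlineScript: |
          # Enable the system-assigned identity and grant it AcrPull.
          # The role is assigned on the scope passed with --scope; <subscription-id> is a placeholder.
          az functionapp identity assign --name my-function --resource-group my-resource-group --role AcrPull --scope "/subscriptions/<subscription-id>/resourceGroups/my-resource-group"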
    

    For more information on these commands and how to use them, you can refer to the Azure documentation on system-managed identities for Azure functions. https://learn.microsoft.com/en-us/azure/spring-apps/tutorial-managed-identities-functions

    I hope this helps! Let me know if you have any other questions.

    Please "Accept as Answer" and Upvote if it helped, so that it can help others in the community looking for help on similar topics. Thank you!
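
For the Bicep deployment the question describes, this is one way to declare the identity, the registry pull setting and the role assignment together. It is an added example, not code from this thread or from Microsoft's templates. It assumes the registry is in the same resource group as the deployment and that the plan, storage and app settings are defined elsewhere in the template; all parameter names are placeholders.

```bicep
// Added example: parameter names and values are placeholders, not from the thread.
param functionAppName string
param acrName string
param planId string
param image string // repository:tag inside the registry, e.g. 'my-func:1.0' (constructed)
param location string = resourceGroup().location

// Built-in AcrPull role definition ID
var acrPullRoleId = '7f951dda-4ed3-4680-a7ca-43fe172d538d'

// Assumption: the registry already exists in the deployment's resource group
resource acr 'Microsoft.ContainerRegistry/registries@2021-09-01' existing = {
  name: acrName
}

resource func 'Microsoft.Web/sites@2022-03-01' = {
  name: functionAppName
  location: location
  kind: 'functionapp,linux,container'
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    serverFarmId: planId
    httpsOnly: true
    siteConfig: {
      linuxFxVersion: 'DOCKER|${acr.properties.loginServer}/${image}'
      // Pull with the managed identity instead of registry admin credentials
      acrUseManagedIdentityCreds: true
    }
  }
}

// AcrPull scoped to the registry itself rather than the whole resource group
resource pull 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(acr.id, func.id, acrPullRoleId)
  scope: acr
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', acrPullRoleId)
    principalId: func.identity.principalId
    principalType: 'ServicePrincipal'
  }
}
```

Scoping the assignment to the registry limits the identity to pulling from that one registry; a resource-group scope, as in the question, also covers any other registry later created in that group.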


  2. JANKULOSKI Dame -C I O 5 Reputation points
    2023-02-07T19:30:12.1933333+00:00

    Hello @Abdul Sajid Mohammed

    Thanks for providing those tips. I can confirm that we were assigning the system assigned identity via bicep templates, similar to how the Azure CLI would do it. The issue is not with the fact that the system assigned identity is enabled or us being able to assign it AcrPull role.

    When running the Azure CLI command via DevOps pipeline to set the proper container registry and docker image we get the warning below, and I'm assuming that is part of the problem.

    --

    WARNING: No credential was provided to access Azure Container Registry. Trying to look up...


  3. JANKULOSKI Dame -C I O 5 Reputation points
    2023-02-08T19:15:54.52+00:00

  4. deherman-MSFT 33,626 Reputation points Microsoft Employee
    2023-02-13T17:32:10.7366667+00:00

    @JANKULOSKI Dame -C I O
    Apologies we haven't been able to get back to you on this issue. To further investigate we would like to offer you free technical support so you can work directly with a support engineer. I also recommend posting your issue on the DevOps specific forum so our experts in that service can review.

    To further troubleshoot this, we're going to enable a free, one time technical support ticket. Please email the following to AzCommunity@microsoft.com and we'll get back to you promptly:

    • Subject: "Attn: deherman - "

    • Email body: Your Subscription ID

    • Email body: A link to this thread so we can validate and expedite the request

    If you don't receive a response within 24 hours, please reply to the thread so we can investigate.
