how to pull from acr

noneofyabizniz 0 Reputation points

I have the following bicep file:

param application string = 'jsapp'
param environment string = 'dev'
param location string = 'westeurope'

var kvName = 'kv-${application}-${environment}'
var uamiName = 'uami-${application}-${environment}'
// var aspName = 'asp-${application}-${environment}'
var aspName = 'shared-app-service-plan'
var appName = 'app-${application}-${environment}'

var acrPullRoleDefinitionId = '7f951dda-4ed3-4680-a7ca-43fe172d538d'
// var keyVaultSecretsUserRoleDefinitionId = '4633458b-17de-408a-b874-0445c86b69e6'
// var keyVaultContributorRoleDefinitionId = 'f25e0fa2-a7c8-4377-a976-54943a77a395'
var keyVaultAdministratorRoleDefinitionId = '00482a5a-887f-4fb3-b363-3b7fe8e74483'

resource acr 'Microsoft.ContainerRegistry/registries@2023-07-01' existing = {
  name: 'subscriptionacr'

resource asp 'Microsoft.Web/serverfarms@2022-09-01' existing = {
  name: aspName

resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: uamiName
  location: location

resource kv 'Microsoft.KeyVault/vaults@2023-02-01' = {
  name: kvName
  location: location
  properties: {
    enableRbacAuthorization: true
    enabledForDeployment: true
    enabledForDiskEncryption: true
    enabledForTemplateDeployment: true
    tenantId: subscription().tenantId
    sku: {
      name: 'standard'
      family: 'A'

resource acrRbac 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(,, acrPullRoleDefinitionId)
  scope: acr
  dependsOn: [acr]
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', acrPullRoleDefinitionId)
    principalType: 'ServicePrincipal'

resource kvRbac 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  name: guid(,, keyVaultAdministratorRoleDefinitionId)
  scope: kv
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultAdministratorRoleDefinitionId)
    principalType: 'ServicePrincipal'

resource app 'Microsoft.Web/sites@2022-09-01' = {
  name: appName
  dependsOn: [asp]
  location: location
  properties: {
    siteConfig: {
      linuxFxVersion: 'DOCKER|${}/${application}-${environment}:latest'
      appSettings: [{
        name: 'DOCKER_ENABLE_CI'
        value: 'true'
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${}': {}

Now it correctly creates a Web App, and this web app under "Identity" has the User-assigned managed identity.

The user-assigned managed identity has the AcrPull role.

However, in "deployment center" of the web app it says that it does not have access to the ACR, I still have to select the managed identity there and save it.

Please fix so I can have CI/CD set up correctly.

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
6,087 questions
{count} votes

1 answer

Sort by: Most helpful
  1. AirGordon 6,775 Reputation points

    As an app service can have multiple user managed identities, you need to explicitly specify which one to use.

      acrUseManagedIdentityCreds: bool
      acrUserManagedIdentityID: 'string'


    0 comments No comments