how to pull from acr

noneofyabizniz 0 Reputation points
2023-11-04T12:22:05.5466667+00:00

I have the following bicep file:

param application string = 'jsapp'
param environment string = 'dev'
param location string = 'westeurope'

var kvName = 'kv-${application}-${environment}'
var uamiName = 'uami-${application}-${environment}'
// var aspName = 'asp-${application}-${environment}'
var aspName = 'shared-app-service-plan'
var appName = 'app-${application}-${environment}'

var acrPullRoleDefinitionId = '7f951dda-4ed3-4680-a7ca-43fe172d538d'
// var keyVaultSecretsUserRoleDefinitionId = '4633458b-17de-408a-b874-0445c86b69e6'
// var keyVaultContributorRoleDefinitionId = 'f25e0fa2-a7c8-4377-a976-54943a77a395'
var keyVaultAdministratorRoleDefinitionId = '00482a5a-887f-4fb3-b363-3b7fe8e74483'

resource acr 'Microsoft.ContainerRegistry/registries@2023-07-01' existing = {
  name: 'subscriptionacr'
}

resource asp 'Microsoft.Web/serverfarms@2022-09-01' existing = {
  name: aspName
}

resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: uamiName
  location: location
}

resource kv 'Microsoft.KeyVault/vaults@2023-02-01' = {
  name: kvName
  location: location
  properties: {
    enableRbacAuthorization: true
    enabledForDeployment: true
    enabledForDiskEncryption: true
    enabledForTemplateDeployment: true
    tenantId: subscription().tenantId
    sku: {
      name: 'standard'
      family: 'A'
    }
  }
}

resource acrRbac 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(acr.id, uami.id, acrPullRoleDefinitionId)
  scope: acr
  dependsOn: [acr]
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', acrPullRoleDefinitionId)
    principalId: uami.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

resource kvRbac 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  name: guid(kv.id, uami.id, keyVaultAdministratorRoleDefinitionId)
  scope: kv
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultAdministratorRoleDefinitionId)
    principalId: uami.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

resource app 'Microsoft.Web/sites@2022-09-01' = {
  name: appName
  dependsOn: [asp]
  location: location
  properties: {
    serverFarmId: asp.id
    siteConfig: {
      linuxFxVersion: 'DOCKER|${acr.properties.loginServer}/${application}-${environment}:latest'
      appSettings: [{
        name: 'DOCKER_ENABLE_CI'
        value: 'true'
      }]
    }
  }
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${uami.id}': {}
    }
  }
}


Now it correctly creates a Web App, and this web app under "Identity" has the User-assigned managed identity.

The user-assigned managed identity has the AcrPull role.

However, in "deployment center" of the web app it says that it does not have access to the ACR, I still have to select the managed identity there and save it.

Please fix so I can have CI/CD set up correctly.

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,784 questions
{count} votes

1 answer

Sort by: Most helpful
  1. AirGordon 7,125 Reputation points
    2023-11-04T13:27:36.88+00:00

    As an app service can have multiple user managed identities, you need to explicitly specify which one to use.

    
      acrUseManagedIdentityCreds: bool
    
      acrUserManagedIdentityID: 'string'
    

    See https://learn.microsoft.com/en-us/azure/templates/microsoft.web/2022-03-01/sites?pivots=deployment-language-bicep

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.