As an app service can have multiple user managed identities, you need to explicitly specify which one to use.
acrUseManagedIdentityCreds: bool
acrUserManagedIdentityID: 'string'
This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
I have the following bicep file:
param application string = 'jsapp'
param environment string = 'dev'
param location string = 'westeurope'
var kvName = 'kv-${application}-${environment}'
var uamiName = 'uami-${application}-${environment}'
// var aspName = 'asp-${application}-${environment}'
var aspName = 'shared-app-service-plan'
var appName = 'app-${application}-${environment}'
var acrPullRoleDefinitionId = '7f951dda-4ed3-4680-a7ca-43fe172d538d'
// var keyVaultSecretsUserRoleDefinitionId = '4633458b-17de-408a-b874-0445c86b69e6'
// var keyVaultContributorRoleDefinitionId = 'f25e0fa2-a7c8-4377-a976-54943a77a395'
var keyVaultAdministratorRoleDefinitionId = '00482a5a-887f-4fb3-b363-3b7fe8e74483'
resource acr 'Microsoft.ContainerRegistry/registries@2023-07-01' existing = {
name: 'subscriptionacr'
}
resource asp 'Microsoft.Web/serverfarms@2022-09-01' existing = {
name: aspName
}
resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
name: uamiName
location: location
}
resource kv 'Microsoft.KeyVault/vaults@2023-02-01' = {
name: kvName
location: location
properties: {
enableRbacAuthorization: true
enabledForDeployment: true
enabledForDiskEncryption: true
enabledForTemplateDeployment: true
tenantId: subscription().tenantId
sku: {
name: 'standard'
family: 'A'
}
}
}
resource acrRbac 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
name: guid(acr.id, uami.id, acrPullRoleDefinitionId)
scope: acr
dependsOn: [acr]
properties: {
roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', acrPullRoleDefinitionId)
principalId: uami.properties.principalId
principalType: 'ServicePrincipal'
}
}
resource kvRbac 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
name: guid(kv.id, uami.id, keyVaultAdministratorRoleDefinitionId)
scope: kv
properties: {
roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultAdministratorRoleDefinitionId)
principalId: uami.properties.principalId
principalType: 'ServicePrincipal'
}
}
resource app 'Microsoft.Web/sites@2022-09-01' = {
name: appName
dependsOn: [asp]
location: location
properties: {
serverFarmId: asp.id
siteConfig: {
linuxFxVersion: 'DOCKER|${acr.properties.loginServer}/${application}-${environment}:latest'
appSettings: [{
name: 'DOCKER_ENABLE_CI'
value: 'true'
}]
}
}
identity: {
type: 'UserAssigned'
userAssignedIdentities: {
'${uami.id}': {}
}
}
}
Now it correctly creates a Web App, and this web app under "Identity" has the User-assigned managed identity.
The user-assigned managed identity has the AcrPull role.
However, in "deployment center" of the web app it says that it does not have access to the ACR, I still have to select the managed identity there and save it.
Please fix so I can have CI/CD set up correctly.
As an app service can have multiple user managed identities, you need to explicitly specify which one to use.
acrUseManagedIdentityCreds: bool
acrUserManagedIdentityID: 'string'