ACR pull role for system managed identity is not created when provisioning Container Apps using bicep

Mauricio Rojas 20 Reputation points
2024-11-12T21:21:53.4066667+00:00

We are creating an Azure managed application that installs several resources, including container apps.

We created a bicep file for provisioning a container app with system assigned managed identity. We added an ACR pull role assignment (AcrPull) for the identity to the ACR and verified that the role assignment is not being provisioned, causing the container app to not being able to pull the image to create a revision.

The error message we receive during the installation of the AMA is "Failed to provision revision for container app {container-app-name}. Error details: Operation expired".

Is worth mentioning that using user assigned identity or ACR username and password works, the issue is that the role assignment is not created for system assigned managed identity.

The bicep code can be found below. Several settings were removed for clarity, such as container app environment variables.

param location string
param containerAppCpu string
param containerAppEnvironmentName string
param containerAppImageName string
param containerAppImageTag string
param containerAppMaxReplicas int
param containerAppMemory string
param containerAppMinReplicas int
param containerAppName string
param containerRegistryName string
param containerRegistrySku string = 'Standard'
param logAnalyticsWorkspaceName string

var acrPullRoleObjectId = '7f951dda-4ed3-4680-a7ca-43fe172d538d'

resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2023-09-01' existing = {
  name: logAnalyticsWorkspaceName
}

resource containerAppEnvironment 'Microsoft.App/managedEnvironments@2024-03-01' = {
  name: containerAppEnvironmentName
  location: location
  properties: {
    appLogsConfiguration: {
      destination: 'log-analytics'
      logAnalyticsConfiguration: {
        customerId: logAnalyticsWorkspace.properties.customerId
        sharedKey: logAnalyticsWorkspace.listKeys().primarySharedKey
      }
    }
  }
}

resource containerRegistry 'Microsoft.ContainerRegistry/registries@2021-09-01' = {
  name: containerRegistryName
  location: location
  sku: {
    name: containerRegistrySku
  }
  properties: {
    adminUserEnabled: false
  }
}

resource containerApp 'Microsoft.App/containerApps@2024-03-01' = {
  name: containerAppName
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    managedEnvironmentId: containerAppEnvironment.id
    configuration: {
      activeRevisionsMode: 'Single'
      secrets: []
      registries: [
        {
          server: containerRegistry.properties.loginServer
          identity: 'SystemAssigned'
        }
      ]
      ingress: {
        external: true
        targetPort: 7072
        transport: 'auto'
      }
    }
    template: {
      containers: [
        {
          name: 'image-name'
          image: '${containerRegistry.properties.loginServer}/${containerAppImageName}:${containerAppImageTag}'
          resources: {
            cpu: json(containerAppCpu)
            memory: containerAppMemory
          }
          env: []
        }
      ]
      scale: {
        minReplicas: containerAppMinReplicas
        maxReplicas: containerAppMaxReplicas
      }
    }
  }
}

resource acrPullRoleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: guid(containerApp.id, 'acrpull')
  scope: containerRegistry
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', acrPullRoleObjectId)
    principalId: containerApp.identity.principalId
  }
}
Azure Container Apps
Azure Container Apps
An Azure service that provides a general-purpose, serverless container platform.
472 questions
0 comments No comments
{count} votes

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.