Unable to run Azure Web Service from a docker image in an Azure Registry

CrestApps 21 Reputation points
2022-04-01T23:18:27.953+00:00

I am trying to run a docker image in an Azure Web Service for Containers.

My Azure Web Service has two slots "production" and "staging" slot. In my "staging" slot, I navigated to "Identity" and added a "User assigned" identity. Then I navigated to the Container registry, under "Identity" tab, I also added a user assigned identity. Also, under "Access control (IAM)" tab, I assigned both AcrPull and AcrPush roles to the same user identity I added to the web server and the container.

My app fails to start up and I see this in the logs

ERROR - Pull image threw Exception: Input string was not in a correct format.
INFO  - Pulling image from Docker hub: privateregistry.azurecr.io/privateimage:152
ERROR - DockerApiException: Docker API responded with status code=InternalServerError, response={"message":"Get https://privateregistry.azurecr.io/v2/privateimage/manifests/152: unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information."}

How can I fix this issue?

Azure Container Registry
Azure Container Registry
An Azure service that provides a registry of Docker and Open Container Initiative images.
415 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,175 questions
0 comments No comments
{count} votes

Accepted answer
  1. Andriy Bilous 11,011 Reputation points MVP
    2022-04-04T09:50:41.627+00:00

    Hello @CrestApps

    Please check if managed identity is assigned to the web app deployment slot.

    az webapp identity show --name MyWebapp --resource-group MyResourceGroup --slot MySlot  
    az webapp config container show --name MyWebapp --resource-group MyResourceGroup --slot MySlot  
    

    https://github.com/Azure/azure-powershell/issues/13109

    Assign an identity to your WebApp Slot where ID_Name is the name of your UserIdentity which you can find in Enterprise Apps

    # Modify for your environment  
    Identity_ARMID=$(az identity show -g $RG_Name -n $ID_Name --query id -o tsv)  
    Webapp_Config=$(az webapp show -g $RG_Name -n $Web_Name --query id --output tsv)"/config/web"  
    ClientID=$(az identity show -g $RG_Name -n $ID_Name --query clientId --output tsv)  
      
    #Assign managed-identity to webapp  
    az webapp identity assign -g $RG_Name -n $Web_Name --identities $Identity_ARMID --slot MySlot -o none  
      
    #Configure WebApp to use the Manage Identity Credentials to perform docker pull operations  
    az resource update --ids $Webapp_Config --set properties.acrUseManagedIdentityCreds=True -o none  
    az resource update --ids $Webapp_Config --set properties.AcrUserManagedIdentityID=$ClientID -o none  
    

    Configure WebApp to pull image:tag from ACR

    # Modify for your environment  
    ACR_URL=$(az acr show -g $RG_Name --n $ACR_Name --query privateregistry --output tsv)  
    Image="privateimage:152"  
    FX_Version="Docker|"$ACR_URL"/"$Image  
      
    #Configure the ACR, Image and Tag to pull  
    az resource update --ids $Webapp_Config --set properties.linuxFxVersion=$FX_Version -o none --force-string  
    

    https://github.com/Azure/app-service-linux-docs/blob/master/HowTo/use_user-assigned_managed_identities.md

    1 person found this answer helpful.
    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. CrestApps 21 Reputation points
    2022-04-04T15:40:56.75+00:00

    Hi @Andriy Bilous , for some reason I am unable to comment on your answer.

    Thank you for the feedback! I added the identity using the GUI like this

    1. go to the staging slot app
    2. click on the "Identity" menu item on the left
    3. click on "User assigned" tab
    4. click "+ Add" searched for the identity name and added it

    az webapp identity show --name MyWebapp --resource-group MyResourceGroup --slot MySlot

    outputs

       {  
         "principalId": null,  
         "tenantId": null,  
         "type": "UserAssigned",  
         "userAssignedIdentities": {  
           "IdentityName": {  
             "clientId": "ClientId",  
             "principalId": "PrincipalId"  
           }  
         }  
       }  
    

    az webapp config container show --name MyWebapp --resource-group MyResourceGroup --slot MySlot

    putputs

       [  
         {  
           "name": "DOCKER_REGISTRY_SERVER_PASSWORD",  
           "slotSetting": false,  
           "value": null  
         },  
         {  
           "name": "DOCKER_REGISTRY_SERVER_URL",  
           "slotSetting": false,  
           "value": "https://MyRegistryName.azurecr.io"  
         },  
         {  
           "name": "DOCKER_REGISTRY_SERVER_USERNAME",  
           "slotSetting": false,  
           "value": "RegistreyUserName"  
         },  
         {  
           "name": "WEBSITES_ENABLE_APP_SERVICE_STORAGE",  
           "slotSetting": false,  
           "value": "false"  
         },  
         {  
           "name": "DOCKER_CUSTOM_IMAGE_NAME",  
           "value": "DOCKER|reg.MyRegistryName.io/imageName:tagId"  
         }  
       ]  
    

    Not sure why DOCKER_REGISTRY_SERVER_PASSWORD has a null value where the GUI shows the valid value.

    Anyway, I executed the commands to assign it via code, but still having the same problem


  2. Johan Runsten 0 Reputation points
    2023-04-03T19:03:11.09+00:00

    See the updated commands for setting your web app to use user managed identity against acr here: https://learn.microsoft.com/en-us/azure/app-service/configure-custom-container?tabs=debian&pivots=container-linux#use-managed-identity-to-pull-image-from-azure-container-registry

    Namely, webapp config instead of resource update.

    0 comments No comments