Skip to content

Latest commit

 

History

History
35 lines (30 loc) · 2.56 KB

service_principal_auth_acr.md

File metadata and controls

35 lines (30 loc) · 2.56 KB

Today Web App for Containers requires ACR admin account for authentication with the registry. For organization desires to disable ACR admin account, the workaround is to create an ACR service principal with acrpull role and use it in App Service “Container settings” for authenticating with ACR. Limitations apply.

Create ACR Service Principal

Create an ACR service principal using the following script. Make sure to replace registry name with your own info, make sure to use acrpull role with the lowest privilege. Keep the Service principal ID and Service principal password for the next step. More details at: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-auth-service-principal

# Modify for your environment.
# ACR_NAME: The name of your Azure Container Registry
# SERVICE_PRINCIPAL_NAME: Must be unique within your AD tenant
ACR_NAME=<ACR Registry>

# Obtain the full registry ID for subsequent command args
ACR_REGISTRY_ID=$(az acr show --name $ACR_NAME --query id --output tsv)

# Create the service principal with rights scoped to the registry.
# Default permissions are for docker pull access. Modify the '--role'
# argument value as desired:
# acrpull:     pull only
# acrpush:     push and pull
# owner:       push, pull, and assign roles
SP_PASSWD=$(az ad sp create-for-rbac --name $SERVICE_PRINCIPAL_NAME --scopes $ACR_REGISTRY_ID --role acrpull --query "password" --output tsv)
SP_APP_ID=$(az ad sp list --display-name $SERVICE_PRINCIPAL_NAME --query "[].appId" --output tsv)

# Output the service principal's credentials; use these in your services and
# applications to authenticate to the container registry.
echo "Service principal ID: $SP_APP_ID"
echo "Service principal password: $SP_PASSWD"

Configure Web App for Containers

For App Service, configure your Web App for Containers to use the Service principal to authenticate with ACR. Use the following CLI command:

az webapp config container set --name <app_name> --resource-group myResourceGroup --docker-custom-image-name <azure-container-registry-name>.azurecr.io/mydockerimage --docker-registry-server-url https://<azure-container-registry-name>.azurecr.io --docker-registry-server-user <service principal ID> --docker-registry-server-password <service principal password>

Test your web app

Check if the web app is running and updated to the new image from ACR. Note: as the UX integration is not yet in place, you can only use CLI command to configure the container settings until we have the complete UX for using service principal and/or MSI to authenticate with ACR.