Can't seem to deploy a container from an ACR outside of the sub with credentials

[joshfreitas1984]

Hi,

We have an ACR in a totally different subscription to the ACA environment. For example

Subscription: Shared Services RG: rg-sharedservices ACR: acrsharedservices.azurecr.io

Subscription: MyApplication RG: rg-myapp Env: aca-myenv-myapp ImageToDeply: acrsharedservices.azurecr.io/mycompany.myapp:1.0

This is because a couple of reasons:

• You look for the acr inside the sub passed in for the ACA when
• We cant use ACR username and ACR password without acrname because it tries to login to undefined.azureacr.io
• We cant set the env variable of CA_ADO_TASK_ACR_ACCESS_TOKEN with the key without a login failure

Here's the various combos we've tried:

- task: AzureContainerAppsRC@0
    displayName: "Deploying Container"
    env:
      CA_ADO_TASK_ACR_ACCESS_TOKEN: "{{parameters.acrAccessKey}}"
    inputs:
      azureSubscription: "${{parameters.appServiceConnectionName}}"
      acrName: "${{parameters.acrName}}"
      # acrUsername: "${{parameters.acrUserName}}"
      # acrPassword: "${{parameters.acrAccessKey}}"
      containerAppName: "${{parameters.containerAppName}}"
      containerAppEnvironment: "${{parameters.containerAppEnvironment}}"
      imageToDeploy: "${{parameters.acrName}}.azurecr.io/${{parameters.containerName}}:${{parameters.containerTag}}"
      targetPort: "443"

[StandBackBurrito]

Did you ever find a work around for this?

[cormacpayne]

@joshfreitas1984 @StandBackBurrito Hey folks, apologies for the delayed response -- from previous testing, the Azure CLI commands we're using under-the-hood to deploy the Container App don't currently support providing an ACR instance from a subscription outside of the one that your current subscription has context to. However, in the Azure Portal, you're able to define an "external registry" to use that can be this separate ACR instance that you want to use. We're working with the CLI team to enable this functionality in the corresponding commands so that we can integrate them with our task, and I'll keep you all posted on any updates we may have.

[phcbarros]

I had to replace this task with the az containerapp create command from AZ CLI. The up command cannot pull the Docker image from another Azure Container Registry (ACR) in a different subscription, even though Azure Container Apps (CA) has acrPull permission.

Here the issue

You need give the permission (acrPull) before.

- task: AzureCLI@2
   displayName: create container app
   inputs:
     azureSubscription: my_connection
     scriptType: bash
     scriptLocation: inlineScript
     inlineScript: |
        #!/bin/bash
        az config set extension.use_dynamic_install=yes_without_prompt

        az containerapp create -n container-name -g resource-group-name \
          --image myacr.azurecr.io/my-image:my-tag \
          --ingress external --target-port 3000 --environment ca-environment \
          --registry-server myacr.azurecr.io --registry-username acr-username --registry-password acr-password