
Azure WebApp not able to access keyvault secret to pull ACR Image #3682

Closed siddthota closed 4 years ago

siddthota commented 5 years ago

Terraform (and AzureRM Provider) Version

Debug Output

2019-06-17 16:06:20.651 ERROR - Pulling docker image registry.azurecr.io/myApp-webapp:latest failed:
2019-06-17 16:06:20.651 INFO - Pulling image from Docker hub: registry.azurecr.io/myApp-webapp:latest
2019-06-17 16:06:20.676 ERROR - DockerApiException: Docker API responded with status code=InternalServerError, response={"message":"Get https://registry.azurecr.io/v2/myApp-webapp/manifests/latest: unauthorized: authentication required"}

2019-06-17 16:06:20.687 ERROR - Image pull failed: Verify docker image configuration and credentials (if using private repository)

Expected Behavior

To be able to pull the image using the ACR credentials stored as Key Vault secrets. I have stored the ACR credentials in Key Vault and am trying to read those secrets from the Azure Web App while it pulls the image from ACR, but I get the error message above.

Actual Behavior

I was able to retrieve the secret values from Azure PowerShell:

(Get-AzKeyVaultSecret -vaultName "myapp-kv-az" -name "myApp-pass-az-pass").SecretValueText

"Output - raw password stored on KV"

Steps to Reproduce

  1. terraform apply

Terraform Script

App Service

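# App Service running a private ACR image, with the registry credentials meant to come from
# Key Vault. Two prerequisites for that are not visible in this listing and must exist for the
# references below to resolve: the web app needs an identity (e.g. a system-assigned managed
# identity), and the vault's access policy must grant that identity `get` on secrets. The
# access policy in the Key Vault module further down covers only the deploying principal.
module "my-ui-service-temp" {
  source                   = "app-service-noconn"
  location                 = "${local.location}"
  name                     = "webapp-temp"
  resource_group_name      = "${module.create-resource-group.name}"
  app_service_plan_id      = "${module.create-app-service-plan.id}"
  app_service_plan_name    = "${module.create-app-service-plan.name}"
  namespace                = "${local.namespace}-temp"
  dotnetframework_version  = "v4.0"
  java_version             = "1.8"
  process_32bitworker      = "true"
  websockets_enabled       = "true"

  # Remote debugging and local MySQL are both switched on here; each adds a listener on the
  # app and is normally only enabled for the duration of active troubleshooting.
  remote_debugging_enabled = "true"
  local_mysql_enabled      = "true"
  php_version              = "5.5"
  remote_debugging_version = "VS2017"
  tls_version              = "1.2"

  # Image comes from the private registry named in DOCKER_REGISTRY_SERVER_URL below.
  linuxfx_version          = "DOCKER|myregistry.azurecr.io/my-webapp:latest"
  //cors_allowed_origins = "*"

  //ip_address_restriction = "10.198.54.79"

  #ip_address_restriction = "198.203.177.177"
  default_documents      = [ "Default.htm", "Default.html", "Default.asp", "index.htm", "index.html", "iisstart.htm", "default.aspx", "index.php", "hostingstart.html"]

  http2_enabled = "false"
  scm_type      = "none"
  subnet_mask   = "255.255.255.255"

  app_settings {
    # App Service documentation gives this setting as a full URL (https://<registry>.azurecr.io);
    # confirm which form the platform expects before relying on the bare hostname.
    "DOCKER_REGISTRY_SERVER_URL" = "myregistry.azurecr.io"

    # A bare secret URI is handed to the registry literally as the username/password — App
    # Service only fetches a setting from Key Vault when it is written with the Key Vault
    # reference syntax. The original values here were the plain URIs, which is consistent with
    # the "unauthorized: authentication required" pull error in the debug output.
    "DOCKER_REGISTRY_SERVER_USERNAME" = "@Microsoft.KeyVault(SecretUri=https://myapp-kv-az.vault.azure.net/secrets/my-secret-kv-az/redacted)"
    "DOCKER_REGISTRY_SERVER_PASSWORD" = "@Microsoft.KeyVault(SecretUri=https://myapp-kv-az.vault.azure.net/secrets/my-pass-az-pass/redacted)"
    WEBSITES_ENABLE_APP_SERVICE_STORAGE = false
    WEBSITES_CONTAINER_START_TIME_LIMIT = 1200
    "CacheIsEnabled"           = "false"
    "AppZoneServiceUriBase"    = "https://app-dev-centralus.azurewebsites.net"
    "ErrorLogServiceUri"       = ""
    "ErrorLogServiceUriServer" = ""
    "ServiceBaseUri"           = "http://myapp.serviceurl.net"
    environment                = "stage"
  }

}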

Key Vault Module

# Key Vault that holds the ACR credentials consumed by the App Service module above.
module "my-key-vault" {
  source                                          = "keyvault"
  name                                            = "${local.resourcename}"
  namespace                                       = "az"
  location                                        = "${local.location}"
  resource_group_name                             = "${module.create-resource-group.name}"
  tags                                            = { }
  sku_name                                        = "standard"
  # All three platform-integration flags are on. Each lets a different Azure service read
  # vault contents; none of them appears to be needed for an App Service Key Vault reference,
  # which resolves through the app's own identity — confirm and keep only what is used.
  enabled_for_deployment                          = "true"
  enabled_for_disk_encryption                     = "true"
  enabled_for_template_deployment                 = "true"
  global_tags                                     = "${var.global_tags}"

  # Permissions for self (i.e. the service principal that is creating the key_vault) - example of ALL privs
  # NOTE(review): this is the only access policy in the listing. The web app's identity needs
  # its own policy granting `get` on secrets for DOCKER_REGISTRY_SERVER_* to be resolvable —
  # not shown here. The lists also include `purge`, which permanently destroys soft-deleted
  # items; that is more than a routine deployment identity requires.
  access_policy_certificate_permissions           = ["get", "list", "update", "create", "import", "delete", "managecontacts", "manageissuers", "getissuers", "listissuers", "setissuers", "deleteissuers"]
  access_policy_key_permissions                   = ["get", "list", "update", "create", "import", "delete", "recover", "backup", "restore", "decrypt", "encrypt", "wrapkey", "unwrapkey", "verify", "sign", "purge"]
  access_policy_secret_permissions                = ["get", "list", "set", "delete", "recover", "backup", "restore", "purge"]

}

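# ACR username stored as a Key Vault secret.
module "create-key-vault-secret" {
  source                                          = "modules/keyvault-secrets"
  # The App Service settings reference a secret named `my-secret-kv-az`; confirm the
  # keyvault-secrets module derives that name from `name` + `namespace`, otherwise the
  # reference cannot resolve.
  name                                            = "myacr-name"
  # A literal here lands in plaintext in the .tf file and in Terraform state; source it from a
  # variable or data source and restrict access to the state backend.
  value                                           = "redacted"
  tags                                            = { }
  # Was `module.create-key-vault.vault_uri`, but no module of that name is declared in this
  # configuration — the vault module above is "my-key-vault". The names must agree (or the
  # vault module must be renamed) for the reference to resolve.
  vault_uri                                       = "${module.my-key-vault.vault_uri}"
  content_type                                    = "text/plain"
  namespace                                       = "az"
  global_tags                                     = "${var.global_tags}"
}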

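# ACR password stored as a Key Vault secret.
module "create-key-vault-secret-pass" {
  source                                          = "modules/keyvault-secrets"
  # The App Service settings reference a secret named `my-pass-az-pass`; confirm the
  # keyvault-secrets module derives that name from `name` + `namespace`, otherwise the
  # reference cannot resolve.
  name                                            = "myacr-pass"
  # A literal here lands in plaintext in the .tf file and in Terraform state; source it from a
  # variable or data source and restrict access to the state backend.
  value                                           = "redacted"
  tags                                            = { }
  # Was `module.create-key-vault.vault_uri`, but no module of that name is declared in this
  # configuration — the vault module above is "my-key-vault". The names must agree (or the
  # vault module must be renamed) for the reference to resolve.
  vault_uri                                       = "${module.my-key-vault.vault_uri}"
  content_type                                    = "text/plain"
  namespace                                       = "az-pass"
  global_tags                                     = "${var.global_tags}"
}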

References

siddthota commented 4 years ago

Figured out a different way to solve it.

Now we create the ACR and Key Vault in the same file as the App Service and reference the secret with ${module.keyvalt.secret}, and it works fine.

ghost commented 4 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!