Open knobel-dk opened 4 months ago
In the YAML you provided above, you didn't enable the system assigned managed identity. You should use something like this in your YAML:
identity:
  type: SystemAssigned
For more detail, please refer to here.
This is the problem in the YAML spec:
identity:
  type: None
It should be:
identity:
  type: SystemAssigned
I will check tomorrow. Thank you
I did as advised and am still getting ERROR: (InvalidParameterValueInContainerTemplate) The following field(s) are either invalid or missing. Field 'configuration.secrets' is invalid with details: 'Invalid value: "statamickey": Unable to get value using Managed identity system for secret statamickey. Error: unable to fetch secret 'statamickey' using Managed identity 'system'';.
Here is the output from az containerapp create -n $appName -g $resourceGroup --yaml [YAML_ABOVE]
{
  "id": "/subscriptions/XXXXXXXXXXXXXXXXXXXXXXXXXXXXX/resourceGroups/YYYYYYYYYYYY/providers/Microsoft.App/containerapps/yyyyyyyyyyyyy",
  "identity": {
    "principalId": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "tenantId": "***",
    "type": "SystemAssigned"
  },
  "location": "North Europe",
  "name": "yyyyyyyyyyyyy",
  "properties": {
    "configuration": {
      "activeRevisionsMode": "Single",
      "dapr": null,
      "ingress": {
        "additionalPortMappings": null,
        "allowInsecure": false,
        "clientCertificateMode": null,
        "corsPolicy": null,
        "customDomains": null,
        "exposedPort": 0,
        "external": true,
        "fqdn": "yyyyyyyyyyyyy.somename-804dbc47.northeurope.azurecontainerapps.io",
        "ipSecurityRestrictions": null,
        "stickySessions": null,
        "targetPort": 80,
        "traffic": [
          {
            "latestRevision": true,
            "weight": 100
          }
        ],
        "transport": "Auto"
      },
      "maxInactiveRevisions": 100,
      "registries": [
        {
          "identity": "",
          "passwordSecretRef": "ZZZZZZZZZZZZZZZZZZZZZZZZZ",
          "server": "zzzzzzzzzzzzzzzz.azurecr.io",
          "username": "zzzzzzzzzzzzzzzz"
        }
      ],
      "secrets": [
        {
          "name": "secretpassword"
        },
        {
          "name": "ZZZZZZZZZZZZZZZZZZZZZZZZZ"
        }
      ],
      "service": null
    },
    "customDomainVerificationId": "abcdabcdabcdabcdabcd",
    "delegatedIdentities": [],
    "environmentId": "/subscriptions/XXXXXXXXXXXXXXXXXXXXXXXXXXXXX/resourceGroups/YYYYYYYYYYYY/providers/Microsoft.App/managedEnvironments/container-apps-env-yyyyyyyyyyyyy",
    "eventStreamEndpoint": "https://northeurope.azurecontainerapps.dev/subscriptions/XXXXXXXXXXXXXXXXXXXXXXXXXXXXX/resourceGroups/YYYYYYYYYYYY/containerApps/yyyyyyyyyyyyy/eventstream",
    "latestReadyRevisionName": "yyyyyyyyyyyyy--9156474657",
    "latestRevisionFqdn": "yyyyyyyyyyyyy--9156474657.somename-804dbc47.northeurope.azurecontainerapps.io",
    "latestRevisionName": "yyyyyyyyyyyyy--9156474657",
    "managedEnvironmentId": "/subscriptions/XXXXXXXXXXXXXXXXXXXXXXXXXXXXX/resourceGroups/YYYYYYYYYYYY/providers/Microsoft.App/managedEnvironments/container-apps-env-yyyyyyyyyyyyy",
    "outboundIpAddresses": [
      "SOME.IP.xxx.yyy",
      "SOME.IP.xxx.yyy",
      "SOME.IP.xxx.yyy",
      "...."
    ],
    "provisioningState": "Succeeded",
    "runningStatus": "Running",
    "template": {
      "containers": [
        {
          "image": "zzzzzzzzzzzzzzzz.azurecr.io/yyyyyyyyyyyyy:latest",
          "name": "yyyyyyyyyyyyy",
          "probes": [
            {
              "httpGet": {
                "path": "/",
                "port": 80,
                "scheme": "HTTP"
              },
              "initialDelaySeconds": 60,
              "periodSeconds": 10,
              "type": "Liveness"
            }
          ],
          "resources": {
            "cpu": 0.25,
            "ephemeralStorage": "1Gi",
            "memory": "0.5Gi"
          }
        }
      ],
      "initContainers": null,
      "revisionSuffix": "",
      "scale": {
        "maxReplicas": 2,
        "minReplicas": 1,
        "rules": [
          {
            "custom": {
              "metadata": {
                "type": "Utilization",
                "value": "60"
              },
              "type": "cpu"
            },
            "name": "cpu-over-sixty"
          }
        ]
      },
      "serviceBinds": null,
      "terminationGracePeriodSeconds": null,
      "volumes": []
    },
    "workloadProfileName": "Consumption"
  },
  "resourceGroup": "docs-datapult-dk",
  "systemData": {
    "createdAt": "2024-05-20T07:11:21.0834188",
    "createdBy": "***",
    "createdByType": "Application",
    "lastModifiedAt": "2024-05-20T12:18:45.7886352",
    "lastModifiedBy": "***",
    "lastModifiedByType": "Application"
  },
  "type": "Microsoft.App/containerApps"
}
Hi @knobel-dk, from the error message, it seems the system assigned identity doesn't have permission to your key vault. Please note, you might need multiple steps to do this, since the system assigned identity is created with the container app. You need to create a dummy app first to get the object id of the system assigned identity.
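The order of operations described in the reply above, as an added example that is not part of the thread: create the app with only its system-assigned identity, grant that identity read access to the vault's secrets, then apply the YAML that contains the Key Vault secret references. It assumes the vault uses Azure RBAC and the built-in "Key Vault Secrets User" role; the function names and the RETRY_DELAY variable are hypothetical, and the retry is there because a new role assignment can take a while to propagate.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes an RBAC-enabled Key Vault.

# Step 1: create the app with a system-assigned identity and no Key Vault
# secrets yet; print the identity's object (principal) id.
create_app_with_identity() {  # app rg environment image
  az containerapp create -n "$1" -g "$2" --environment "$3" --image "$4" \
    --system-assigned --query identity.principalId -o tsv
}

# Step 2: allow that identity to read secrets, scoped to this one vault.
grant_secret_access() {  # principal_id vault_name
  scope=$(az keyvault show -n "$2" --query id -o tsv) || return 1
  az role assignment create --assignee-object-id "$1" \
    --assignee-principal-type ServicePrincipal \
    --role "Key Vault Secrets User" --scope "$scope" -o none
}

# Step 3: apply the full YAML (identity type SystemAssigned plus the secrets
# that reference the vault). Retry while the role assignment propagates.
apply_full_spec() {  # app rg yaml_file [attempts] [delay_seconds]
  attempts=${4:-5}
  delay=${5:-${RETRY_DELAY:-30}}
  n=1
  while ! az containerapp update -n "$1" -g "$2" --yaml "$3" -o none; do
    if [ "$n" -ge "$attempts" ]; then return 1; fi
    n=$((n + 1))
    sleep "$delay"
  done
}

deploy() {  # app rg environment image vault_name yaml_file
  principal=$(create_app_with_identity "$1" "$2" "$3" "$4") || return 1
  if [ -z "$principal" ]; then
    echo "no principalId returned; identity not enabled" >&2
    return 1
  fi
  grant_secret_access "$principal" "$5" || return 1
  apply_full_spec "$1" "$2" "$6"
}

# Runs only when all six arguments are supplied on the command line.
if [ "$#" -eq 6 ]; then deploy "$@"; fi
```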
Issue description
I followed your guide here but I get an error, see below.
I specifically set it to system given this link. See that it is enabled on the Container App:
And that the role is attached:
Steps to reproduce
az containerapp create -n $appName -g $resourceGroup --yaml [YAML_BELOW]
Expected behavior
I expect the service to be created
Actual behavior
ERROR: (InvalidParameterValueInContainerTemplate) The following field(s) are either invalid or missing. Field 'configuration.secrets' is invalid with details: 'Invalid value: "secretlicensekey": Unable to get value using Managed identity system for secret secretlicensekey. Error: managed Identity with resource Id system was not found when trying to get secret secretlicensekey from Azure Key Vault';.
Additional context
Using azure-cli 2.60.0
The YAML file: