Open Markz878 opened 1 year ago
+1, same issue. It seems the role assignment is not happening before the container image pull. It is a chicken/egg problem.
If someone in Microsoft is going to fix this, then also create a similar ticket for Azure Container Instances, since the same issue also exists there. My current workaround is to do the first deploy with a placeholder public image (mcr.microsoft.com/azuredocs/aci-helloworld).
Experiencing the same issue here. This does the job as a quick and dirty workaround.
+1
I'm facing this issue as well. Guys, please take a look at that.
+1
+1
+1
Any responses from Microsoft? Maybe you should provide in the ARM bounded ACR for ACI and Container Apps?
Same problem here!
From my experiments, I can confirm that the only way for ACA to be able to pull in an image from ACR is as follows: Add the User Assigned Identity of ACA to the AcrPull RBAC role of ACR.
If I were to add the system-assigned identity of ACA to the AcrPull built-in RBAC role of ACR, then the pull does not work.
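param identityname string
// location is not declared in the posted snippet; assumed to default to the resource group's
param location string = resourceGroup().location

// user-assigned identity that is later granted AcrPull on the registry
resource acaManagedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: identityname
  location: location
  tags: resourceGroup().tags
}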
Take note that I am adding both managed and system identity
apps-dev-uks/providers/Microsoft.App/managedEnvironments/lala-environment')
resource lalaenvironment 'Microsoft.App/managedEnvironments@2024-03-01' = {
  name: name
  location: location
  tags: resourceGroup().tags
  identity: {
    type:'SystemAssigned, UserAssigned'
    userAssignedIdentities:{
      '${acaManagedIdentity.id}': {}
    }
  }
}
// skipped the rest of ACR for brevity
param registryname string
param acaidentityname string
var acrPullId = '7f951dda-4ed3-4680-a7ca-43fe172d538d'

resource acaidentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: acaidentityname
  location:resourceGroup().location
}

// registryresource is the registry resource from the skipped part of this file
resource roleAssignmentContainerEnvironmentManagedIdentityAcrPull 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  scope: registryresource
  name: guid(resourceGroup().id,acaidentity.name,acrPullId)
  properties: {
    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions',acrPullId)
    principalId: acaidentity.properties.principalId
    principalType: 'ServicePrincipal'
  }
}
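
The user-assigned identity workaround from the comment above, wired end to end as an added example (not code from the thread or from Microsoft): the identity is granted AcrPull on a single registry before the container app that pulls with it is created. The parameter names, `demo-app` and the `demo:latest` image are assumptions; the registry and the environment are assumed to exist already.

```bicep
// Added example, not code from the thread. Parameter names and defaults are assumptions.
param location string = resourceGroup().location
param registryName string               // name of an existing ACR
param environmentId string              // resource ID of an existing Container Apps environment
param appName string = 'demo-app'       // hypothetical app name
param imageTag string = 'demo:latest'   // hypothetical repository:tag already pushed to the ACR

var acrPullId = '7f951dda-4ed3-4680-a7ca-43fe172d538d' // built-in AcrPull role, as in the thread

resource acr 'Microsoft.ContainerRegistry/registries@2023-07-01' existing = {
  name: registryName
}

// The identity exists before the app does, so its role can be granted first.
resource pullIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: '${appName}-pull'
  location: location
}

// Pull-only access, scoped to this one registry rather than the resource group.
resource acrPull 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  scope: acr
  name: guid(acr.id, pullIdentity.id, acrPullId)
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', acrPullId)
    principalId: pullIdentity.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

resource app 'Microsoft.App/containerApps@2024-03-01' = {
  name: appName
  location: location
  dependsOn: [ acrPull ] // explicit: the app never references the role assignment itself
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: { '${pullIdentity.id}': {} }
  }
  properties: {
    managedEnvironmentId: environmentId
    configuration: {
      // Tell ACA which identity to present to the registry instead of a password.
      registries: [ { server: acr.properties.loginServer, identity: pullIdentity.id } ]
    }
    template: {
      containers: [ { name: appName, image: '${acr.properties.loginServer}/${imageTag}' } ]
    }
  }
}
```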
Issue description
When creating a Container app with Bicep from scratch, I want to create a container registry, the app environment, and the actual Container app. I would also like to use system assigned managed identity for the app. The problem is that unless I manually create the AcrPull role, the deployment fails with message "unable to pull image using Managed identity system for registry", even though the Bicep file contains the AcrPull role assignment. This manual step is obviously not gonna cut it.
The only workaround I have found was using a user-assigned identity, but that is extra resources in the resource group just for this issue. I've seen similar 'chicken and egg' type of problems reported for other issues in ACA, could you please fix this too?
Steps to reproduce
Expected behavior
I would expect the app to be deployed using system-assigned identity acrpull role assignment.
Actual behavior
The role assignment won't get created and the app can't be deployed because of that.
My bicep file looks like this: