microsoft / azure-container-apps

Roadmap and issues for Azure Container Apps
MIT License

When using system assigned identity, bicep deployment with acr pull fails #836

Open Markz878 opened 1 year ago

Markz878 commented 1 year ago


Issue description

When creating a Container app with Bicep from scratch, I want to create a container registry, the app environment, and the actual Container app. I would also like to use system assigned managed identity for the app. The problem is that unless I manually create the AcrPull role, the deployment fails with message "unable to pull image using Managed identity system for registry", even though the Bicep file contains the AcrPull role assignment. This manual step is obviously not gonna cut it.

The only workaround I have found was using a user-assigned identity, but that is extra resources in the resource group just for this issue. I've seen similar 'chicken and egg' type of problems reported for other issues in ACA, could you please fix this too?

Steps to reproduce

  1. Create a resource group and a dummy web app with a Dockerfile, and an Infrastructure/main.bicep file with the contents given at the end.
  2. To first create the registry run az deployment group create --resource-group $RG_NAME --template-file Infrastructure/main.bicep (this is another chicken and egg problem, that the ACR needs to exist and an image pushed to it before a container app can be deployed, assuming one wants to keep all resources in 1 bicep file, any advice for this..?)
  3. Push the image to the registry (az acr login -n acrpulltestreg, docker build -t acrpulltestreg.azurecr.io/acrpulltestapp:latest -f ACRPullTest/Dockerfile . , docker push acrpulltestreg.azurecr.io/acrpulltestapp:latest)
  4. Run the bicep file again to do the app deployment

Expected behavior: I would expect the app to be deployed using system-assigned identity acrpull role assignment.

Actual behavior: The role assignment won't get created and the app can't be deployed because of that.

My bicep file looks like this:

param location string = resourceGroup().location
param registry_name string = 'acrpulltestreg'
param containerapp_environment_name string = 'acrpulltestacaenv'
param app_name string = 'acrpulltestapp'
param app_image string = 'acrpulltestreg.azurecr.io/acrpulltestapp:latest'

resource container_registry 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {
  name: registry_name
  location: location
  sku: {
    name: 'Basic'
  }
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    adminUserEnabled: false
    policies: {
      exportPolicy: {
        status: 'enabled'
      }
      azureADAuthenticationAsArmPolicy: {
        status: 'enabled'
      }
    }
    publicNetworkAccess: 'Enabled'
    networkRuleBypassOptions: 'AzureServices'
  }
}

resource containerapp_environment 'Microsoft.App/managedEnvironments@2022-11-01-preview' = {
  name: containerapp_environment_name
  location: location
  properties: {
    zoneRedundant: false
  }
}

resource frontendapp 'Microsoft.App/containerapps@2022-11-01-preview' = {
  name: app_name
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    managedEnvironmentId: containerapp_environment.id
    environmentId: containerapp_environment.id
    configuration: {
      activeRevisionsMode: 'Single'
      ingress: {
        external: true
        targetPort: 80
        transport: 'Auto'
        allowInsecure: false
        traffic: [
          {
            weight: 100
            latestRevision: true
          }
        ]
      }
      registries: [
        {
          server: container_registry.properties.loginServer
          identity: 'system'
        }
      ]
    }
    template: {
      containers: [
        {
          name: app_name
          image: app_image
          resources: {
            cpu: json('0.5')
            memory: '1Gi'
          }
        }
      ]
      scale: {
        minReplicas: 1
        maxReplicas: 1
      }
    }
  }
}

resource frontend_acrpull_roleassignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  // Depends on frontendapp (principalId is only known once the app exists), so the assignment
  // cannot be in place when the app's first image pull happens.
  name: guid(resourceGroup().id, frontendapp.id, acr_pull.id)
  scope: container_registry
  properties: {
    roleDefinitionId: acr_pull.id
    principalId: frontendapp.identity.principalId
    principalType: 'ServicePrincipal'
  }
}

// Built-in AcrPull role definition
resource acr_pull 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
  scope: container_registry
  name: '7f951dda-4ed3-4680-a7ca-43fe172d538d'
}

sowsan commented 10 months ago

+1, same issue. It seems the role assignment is not happening before the container image pull. It is a chicken/egg problem.

mcraiha commented 10 months ago

If someone in Microsoft is going to fix this, then also create a similar ticket for Azure Container Instances, since the same issue also exists there. My current workaround is to do a first deploy with a placeholder public image (mcr.microsoft.com/azuredocs/aci-helloworld).

michaeldwood commented 7 months ago

If someone in Microsoft is going to fix this, then also create a similar ticket for Azure Container Instances, since same issue also exists there. My current workaround is to do first deploy with placeholder public image (mcr.microsoft.com/azuredocs/aci-helloworld).

Experiencing the same issue here. This does the job as a quick and dirty workaround.

KarenTazayan commented 7 months ago

+1

EdiFirst commented 7 months ago

I'm facing this issue as well, guys please take a look at that.

JeromeBollinger commented 6 months ago

+1

mobini-sph commented 5 months ago

+1

tonnesen-ncqa commented 5 months ago

+1

kswidrak commented 4 months ago

Any responses from Microsoft? Maybe you should provide in the ARM a bounded ACR for ACI and Container Apps?

sdg002 commented 1 month ago

Same problem here!

sdg002 commented 1 month ago

From my experiments, I can confirm that the only way for ACA to be able to pull in an image from ACR is as follows: Add the User Assigned Identity of ACA to the AcrPull RBAC role of ACR.

System identity does not work!

If I were to add the System assigned identity of ACA to the AcrPull built-in RBAC role of ACR then the pull does not work.

Bicep template for Managed identity

param identityname string
param location string = resourceGroup().location

// User-assigned identity that ACA will use to pull from ACR
resource acaManagedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: identityname
  location: location
  tags: resourceGroup().tags
}

Bicep template for ACA

Take note that I am adding both managed and system identity

param name string
param location string = resourceGroup().location
param acaidentityname string

// Identity created by the template above, referenced here as an existing resource
resource acaManagedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
  name: acaidentityname
}

// apps-dev-uks/providers/Microsoft.App/managedEnvironments/lala-environment')
resource lalaenvironment 'Microsoft.App/managedEnvironments@2024-03-01' = {
  name: name
  location: location
  tags: resourceGroup().tags
  identity: {
    type: 'SystemAssigned, UserAssigned'
    userAssignedIdentities: {
      '${acaManagedIdentity.id}': {}
    }
  }
  // skipped the rest of ACR for brevity
}

Bicep template for Role Assignment

param registryname string
param acaidentityname string

var acrPullId = '7f951dda-4ed3-4680-a7ca-43fe172d538d'

// The registry the role is scoped to
resource registryresource 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' existing = {
  name: registryname
}

resource acaidentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: acaidentityname
  location: resourceGroup().location
}

resource roleAssignmentContainerEnvironmentManagedIdentityAcrPull 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  scope: registryresource
  name: guid(resourceGroup().id, acaidentity.name, acrPullId)
  properties: {
    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', acrPullId)
    principalId: acaidentity.properties.principalId
    principalType: 'ServicePrincipal'
  }
}
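A single-file Bicep template that combines the two workarounds described in this thread (a user-assigned identity that exists before the app, as in the issue and sdg002's templates, and a public placeholder image for the first deploy, as in mcraiha's comment), written as an added example that is not part of the issue or of the project's own code. Resource names are taken from the issue; the identity name, the placeholder default for appImage and the explicit dependsOn are assumptions.

```bicep
param location string = resourceGroup().location
param registryName string = 'acrpulltestreg' // names taken from the issue above
param environmentName string = 'acrpulltestacaenv'
param appName string = 'acrpulltestapp'
// First deploy keeps the public placeholder so the app starts before anything is pushed to ACR;
// later deploys pass e.g. 'acrpulltestreg.azurecr.io/acrpulltestapp:latest'.
param appImage string = 'mcr.microsoft.com/azuredocs/aci-helloworld'
var acrPullRoleId = '7f951dda-4ed3-4680-a7ca-43fe172d538d' // built-in AcrPull role

resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {
  name: registryName
  location: location
  sku: { name: 'Basic' }
  properties: { adminUserEnabled: false }
}

// The identity exists before the app, so AcrPull can be granted before any pull is attempted.
resource appIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: '${appName}-identity' // assumed name
  location: location
}

resource acrPull 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  name: guid(acr.id, appIdentity.id, acrPullRoleId)
  scope: acr
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', acrPullRoleId)
    principalId: appIdentity.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

resource env 'Microsoft.App/managedEnvironments@2022-11-01-preview' = {
  name: environmentName
  location: location
  properties: { zoneRedundant: false }
}

resource app 'Microsoft.App/containerapps@2022-11-01-preview' = {
  name: appName
  location: location
  identity: { type: 'UserAssigned', userAssignedIdentities: { '${appIdentity.id}': {} } }
  properties: {
    managedEnvironmentId: env.id
    configuration: {
      ingress: { external: true, targetPort: 80 }
      registries: [ { server: acr.properties.loginServer, identity: appIdentity.id } ] // UAMI resource id, not 'system'
    }
    template: { containers: [ { name: appName, image: appImage, resources: { cpu: json('0.5'), memory: '1Gi' } } ] }
  }
  dependsOn: [ acrPull ] // explicit: the app (and its image pull) is created only after the role assignment exists
}
```

Run it once with the default appImage, push the real image, then run it again with `--parameters appImage=acrpulltestreg.azurecr.io/acrpulltestapp:latest`.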