App Service docs should point out that managed service identity is not supported for ACR

[bwateratmsft]

This document indicates that system-assigned managed service identities can be used to interact with ACRs, and this one indicates that App Service can use system-assigned managed service identities.

Both of these things are true, however, you cannot combine them--App Service cannot use MSI to talk to an ACR. The only way is to enable admin on the ACR and use the admin username/password.

More info here: microsoft/vscode-docker#1685 (comment)

I'm not sure which would be the right page to call it out on--I'd guess the first one (the ACR docs on MSI).

---

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

• ID: 726adac9-1848-01a6-9586-842c81f820f7
• Version Independent ID: 249db438-8c95-8e69-f69e-8e48fcd0b359
• Content: Azure Services that support managed identities - Azure AD
• Content Source: articles/active-directory/managed-identities-azure-resources/services-support-managed-identities.md
• Service: active-directory
• Sub-service: msi
• GitHub Login: @MARKUSVI
• Microsoft Alias: markvi

[karolz-ms]

The only way is to enable admin on the ACR and use the admin username/password.

One should be able to create an AAD service principal and use SP id/password to give App Service access to the ACR.

(not disputing that lack of MSI support in this scenario is not a shame, just that enabling admin account on ACR is not the only way to go, and probably not the best)

[barclayn]

#reassign:barclayn

[amanmcse]

Added the information to https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication-managed-identity#example-2-access-with-a-system-assigned-identity

[TroyWitthoeft]

I am landing here from the ACR quickstart docs. Users following the doc will encounter an error when trying to deploy a docker image from VSCode into an Azure App Service.

Azure App service currently only supports running images from Azure Container Registries with admin enabled

This AppService-MSI-ACR incompatibility it unfortunate, as the upstream docs are now asking users to enable admin user on the ACR as a fix.

That's not the best security posture for folks getting started with ACR. As @karolz-ms pointed out in this thread earlier... it seems like we've got a more secure alternative using service principals, but the use of SPs hasn't really been discussed or examples provided in the context of that quickstart guide. Of course, doing the dev work to make AppService, MSI, and ACR play nice is best... but in the interim ... In order to NOT encourage folks to enable ACR admin, is there anyone available to help update the ACR quickstart docs with a link or example for setting up SPs? Is it even possible? Or are we stuck quickstarting into a bad security posture?

[bwateratmsft]

Unfortunately, App Service simply doesn't support the ability to auth to ACR using service principles (even though ACR does support being auth'd to by service principles). The App Service team needs to do the work to support this. I absolutely agree that this is not an ideal security practice so I'd like to see it fixed as well.

[TroyWitthoeft]

@bwateratmsft Oof, bummer. Alright, it sounds like it is potential work for the app service team. Appreciate the quick response.