
Deploy from ACR to App Service should use MSI with ACRPull role #1685

Closed
berndverst opened this issue Feb 28, 2020 · 8 comments · Fixed by #2796

Comments

@berndverst
Member

berndverst commented Feb 28, 2020

Many users attempt to enable the admin mode on ACR. This is bad for security. At the same time, newly created ACR instances don't provide App Service with the necessary access for deployment, even via the VS Docker extension. Many users wrongly believe enabled admin mode is the only way out.

This is a feature request specific to the deployment from ACR to App Service / Web App which will allow making the deployment seamless.

  1. Retrieve Web App Managed Identity or Create (Assign) a new one if it does not exist
  2. Assign ACR Pull role to the system managed identity for the ACR in question.

References:

@berndverst berndverst changed the title Deploy from ACR to App Service should set up MSI with ACRPull role Deploy from ACR to App Service should use MSI with ACRPull role Feb 28, 2020
@dbreshears dbreshears added this to the 1.2.0 milestone Mar 3, 2020
@dbreshears dbreshears modified the milestones: 1.2.0, 1.3.0 Apr 14, 2020
@dbreshears dbreshears added the P2 label Apr 14, 2020
@bwateratmsft
Collaborator

bwateratmsft commented May 26, 2020

@berndverst I am not able to figure out how to get the app service to actually log in using the MSI.

I added you as an owner on the resource group ("bwater"). Here's what I did:

  1. Created ACR and put some images on it.
  2. Created web app, pointed at that registry. I cannot even create the web app without enabling admin mode, so I enabled it temporarily:
    (screenshot)
  3. Web app gets created. Turn admin mode back off on the ACR.
  4. In the Config tab, it has DOCKER_SERVER_REGISTRY_URL, DOCKER_SERVER_REGISTRY_USERNAME, DOCKER_SERVER_REGISTRY_PASSWORD, and others. I removed username and password.
  5. Turn on system-assigned identity on the web app.
  6. Assign AcrPull role to said identity on the ACR.
  7. Open web app in browser, get error.
  8. Diagnostic logs say auth failure to registry.

It seems like Web App services aren't actually capable of authenticating to ACR with MSI? Is there some config that I must set in place of DOCKER_SERVER_REGISTRY_USERNAME, DOCKER_SERVER_REGISTRY_PASSWORD?
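An added audit check (example code, not from the issue thread or the Docker extension) that takes simplified, constructed JSON in the shape returned by `az acr show`, `az webapp identity show`, `az role assignment list --scope <acr id>`, `az webapp config show` and `az webapp config appsettings list`, and reports which piece of the identity-based pull setup is missing. The `acrUseManagedIdentityCreds` site-config property is an assumption about the switch the steps above did not set; the thread itself does not name it, and the app-setting names it checks are the standard `DOCKER_REGISTRY_SERVER_*` ones alongside the spelling used in the post.

```python
# Added audit example, not code from the issue thread or the Docker extension.
# Inputs mimic (simplified) the JSON of: az acr show, az webapp identity show,
# az role assignment list --scope <acr id>, az webapp config show, and
# az webapp config appsettings list. acrUseManagedIdentityCreds is an assumed
# site-config property name not mentioned in the thread.
# Standard app-setting names, plus the transposed spelling used in the thread.
CRED_SETTINGS = {"DOCKER_REGISTRY_SERVER_USERNAME", "DOCKER_REGISTRY_SERVER_PASSWORD",
                 "DOCKER_SERVER_REGISTRY_USERNAME", "DOCKER_SERVER_REGISTRY_PASSWORD"}


def audit_acr_pull(registry, identity, role_assignments, site_config, app_settings):
    """Return findings; an empty list means the app pulls via its own identity."""
    findings = []
    # The admin user is one shared, rarely rotated credential for the whole registry.
    if registry.get("adminUserEnabled"):
        findings.append("registry admin user is enabled")
    identity = identity or {}
    principal = identity.get("principalId")
    if not principal or "SystemAssigned" not in identity.get("type", ""):
        findings.append("web app has no system-assigned identity")
    # AcrPull must be held at the registry or an enclosing scope (RG/subscription);
    # compare on a path boundary so "rg-a" does not match "rg-ab".
    reg_id = registry.get("id", "").lower()
    has_pull = any(
        ra.get("principalId") == principal and ra.get("roleDefinitionName") == "AcrPull"
        and ra.get("scope") and (reg_id == ra["scope"].lower()
                                 or reg_id.startswith(ra["scope"].lower() + "/"))
        for ra in role_assignments)
    if principal and not has_pull:
        findings.append("identity lacks AcrPull on the registry")
    # Identity and role alone were not enough in the thread (steps 5-8); App Service
    # must also be told to use the identity for the pull (assumed property name).
    if not site_config.get("acrUseManagedIdentityCreds"):
        findings.append("acrUseManagedIdentityCreds is not enabled")
    # Leftover registry credentials in app settings keep the old secret alive.
    left = sorted(s["name"] for s in app_settings if s.get("name") in CRED_SETTINGS)
    if left:
        findings.append("registry credentials still in app settings: " + ", ".join(left))
    return findings


# Constructed sample in the desired end state (ids are placeholders, not real).
ACR = {"adminUserEnabled": False, "loginServer": "sampleacr.azurecr.io",
       "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups"
             "/bwater/providers/Microsoft.ContainerRegistry/registries/sampleacr"}
IDENTITY = {"type": "SystemAssigned", "principalId": "11111111-1111-1111-1111-111111111111"}
ROLES = [{"principalId": IDENTITY["principalId"], "roleDefinitionName": "AcrPull",
          "scope": ACR["id"]}]
SITE_CONFIG = {"linuxFxVersion": "DOCKER|sampleacr.azurecr.io/app:1",
               "acrUseManagedIdentityCreds": True}
APP_SETTINGS = [{"name": "DOCKER_REGISTRY_SERVER_URL", "value": "https://sampleacr.azurecr.io"}]
```

Feed it the real `az ... -o json` output for a web app and registry to see which of the five conditions still fails.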

@berndverst
Member Author

@bwateratmsft I agree with you. From the docs it sounds like it should be possible, but it isn't actually. Digging around internally it seems that the App Service Team does not actually support system assigned identity for accessing ACR.

I don't recall whether the App Service MSI page mentions this limitation, but if not that might be worthwhile calling out.

@bwateratmsft
Collaborator

I'll file a doc bug about that, and link this to that one.

@bwateratmsft
Collaborator

Opened MicrosoftDocs/azure-docs#55802.

@bwateratmsft
Collaborator

We should reactivate this and do the necessary work if support is added in the future.

@bwateratmsft bwateratmsft removed this from the 1.3.0 milestone May 27, 2020
@vscodebot vscodebot bot locked and limited conversation to collaborators Jul 11, 2020
@BigMorty
Member

BigMorty commented Nov 9, 2020

The AppSvc team has added the ability to use managed service identities to pull from ACR.

@BigMorty BigMorty reopened this Nov 9, 2020
@dbreshears dbreshears added this to the 1.9.0 milestone Nov 11, 2020
@dbreshears dbreshears modified the milestones: 1.9.0, 1.10.0 Nov 18, 2020
@dbreshears dbreshears modified the milestones: 1.10.0, 1.11.0 Dec 16, 2020
@dbreshears dbreshears modified the milestones: 1.10.0, 1.11.0 Jan 20, 2021
@dbreshears dbreshears modified the milestones: 1.11.0, 1.12.0 Mar 3, 2021
@bwateratmsft
Collaborator

bwateratmsft commented Mar 17, 2021

@BigMorty where did you hear that MSI is enabled for App Service accessing ACR? I still get this in the Portal:

(screenshot)

From the docs: https://docs.microsoft.com/en-us/azure/app-service/quickstart-custom-container?pivots=container-linux#create-an-image

Important

Be sure to set the Admin User option to Enable when you create the container registry. You can also set it from the Access keys section of your registry page in the Azure portal. This setting is required for App Service access.

@bwateratmsft
Collaborator

This change is now released with Docker extension version 1.12.0.
