microsoft/azure-container-apps

az containerapp update --yaml does not support container registry specification using managed identity authentication

maskati opened this issue · 12 comments

This issue is a: (mark with an x)

  • bug report -> please search issues before submitting
  • documentation issue or request
  • regression (a behavior that used to work and stopped in a new release)

Issue description

Performing az containerapp update --yaml using version 0.3.16 of the CLI extension fails when specifying registry authentication using a managed identity.

Steps to reproduce

Performing az containerapp update --yaml --debug using version 0.3.16 of the CLI extension and the following YAML, which includes identity: system:

type: Microsoft.App/containerApps
properties:
  configuration:
    registries:
      - server: myacr.azurecr.io
        identity: system
  template:
    containers:
      - image: myacr.azurecr.io/myimage:latest

results in the following debug output:

az_command_data_logger: extension name: containerapp
az_command_data_logger: extension version: 0.3.16
...
cli.azure.cli.core.util: Request URL: 'https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/xxx/providers/Microsoft.App/containerApps/xxx?api-version=2022-06-01-preview' 
cli.azure.cli.core.util: Request method: 'PATCH'
cli.azure.cli.core.util: Request body:
cli.azure.cli.core.util: {"properties": {"configuration": {"registries": [{"server": "myacr.azurecr.io"}]}, "template": {"containers": [{"image": "myacr.azurecr.io/myimage:latest"}], "revisionSuffix": null}}
...
cli.azure.cli.core.util: {"error":{"code":"ContainerAppRegistriesPasswordSecretRefNotFound","message":"PasswordSecretRef '' defined for registry server 'myacr.azurecr.io' not found."},"code":"ContainerAppRegistriesPasswordSecretRefNotFound","message":"PasswordSecretRef '' defined for registry server 'myacr.azurecr.io' not found."}

The result is a ContainerAppRegistriesPasswordSecretRefNotFound error. This is because the performed PATCH to the container app contains the following body, where the registry spec is missing identity:

{
    "properties": {
        "configuration": {
            "registries": [
                {
                    "server": "myacr.azurecr.io"
                }
            ]
        },
        "template": {
            "containers": [
                {
                    "image": "myacr.azurecr.io/myimage:latest"
                }
            ],
            "revisionSuffix": null
        }
    }
}

This is probably because the CLI extension RegistryCredentials model does not include identity (only server, username and passwordSecretRef). Setting registry identity using az containerapp registry set --identity works because identity is handled directly and is not dependent on the SDK model as is the case with YAML based specification.

Expected behavior
It should be possible to specify registry authentication using identity when updating a container app using Azure CLI extension and a YAML specification.

Actual behavior
YAML based registry specification using identity fails with ContainerAppRegistriesPasswordSecretRefNotFound.
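The registry-by-identity configuration the YAML above is trying to express, declared in Bicep with a dedicated user-assigned identity granted AcrPull (the arrangement later reported as working in this thread). This is an added example, not the CLI extension's code nor any commenter's template; containerAppEnvId, acrName, image and the pullIdentity name are assumptions, and the role GUID is the built-in AcrPull definition.

```bicep
param containerAppName string
param containerAppEnvId string   // resource ID of an existing managed environment (assumed)
param acrName string             // existing registry in this resource group (assumed)
param image string               // e.g. myacr.azurecr.io/myimage:latest
param location string = resourceGroup().location

resource acr 'Microsoft.ContainerRegistry/registries@2023-07-01' existing = {
  name: acrName
}

// Dedicated pull identity: no registry admin user and no password secret stored on the app.
resource pullIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: '${containerAppName}-acrpull'
  location: location
}

// AcrPull built-in role: read-only image pulls, the least privilege the app needs on the registry.
var acrPullRoleId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')

resource acrPullAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(acr.id, pullIdentity.id, acrPullRoleId)
  scope: acr
  properties: {
    roleDefinitionId: acrPullRoleId
    principalId: pullIdentity.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

resource containerApp 'Microsoft.App/containerApps@2024-03-01' = {
  name: containerAppName
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: { '${pullIdentity.id}': {} }
  }
  properties: {
    managedEnvironmentId: containerAppEnvId
    configuration: {
      // Registry auth by identity: the field the --yaml path drops; no passwordSecretRef is needed.
      registries: [ { server: acr.properties.loginServer, identity: pullIdentity.id } ]
    }
    template: {
      containers: [ { name: containerAppName, image: image, resources: { cpu: json('0.5'), memory: '1.0Gi' } } ]
    }
  }
  dependsOn: [ acrPullAssignment ]  // the role must exist before the first image pull is attempted
}
```

After deployment, `az containerapp show` should list the registry with `identity` set and `passwordSecretRef` empty, which is the state the PATCH in the debug output above fails to produce.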

Sorry about this. We've filed a bug internally to investigate.

(work item 16454602)

Hello, do you have an ETA for the fix?

Hi @flvndh, we don't have an ETA as of now.

jsok commented

I'm experiencing the same issue but while attempting to use a full user-assigned identity Resource ID.

Running into this same issue, would like to use this.

Hello, is that issue solved already, or is there a workaround?

@Valkozaur my workaround was not to use yaml since it seems to lag significantly behind the resource provider feature set.

@maskati What did you use instead?

As I had set the Managed Identity while deploying my resource with Bicep, I decided to give it a try.
The Managed Identity is on my container app, and when I try to deploy using az containerapp update I get this error message:

Field 'template.containers.imageName.image' is invalid with details: 'Invalid value: "registryName.azurecr.io/imageName:latest": unable to pull image using Managed identity /subscriptions/38fc3cdc-3333-4444-5555-0674ac9a1234/resourcegroups/resourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/managedIdentityName for registry registryName.azurecr.io'

Somehow it recognizes that it must use the Managed Identity, but it throws an error.

I am using bicep with user-assigned identity assigned AcrPull and it is working.

Can you send me an example?

So you are using az bicep group create and then a bicep file that only contains the Container App definition?

Something along the lines of this 👇

@description('Name of the Container App Environment')
param containerAppEnvName string

@description('Name of the Resource Group containing the Container App Environment')
param resourceGroupName string

@description('Name of the Container App')
param containerAppName string

@description('Docker image to deploy')
param image string

@description('Port exposed by the container')
param containerPort int = 80

@description('CPU cores for the container as a decimal string, e.g. 0.5; the API expects a number, so it is converted with json() below')
param cpu string = '0.5'

@description('Memory size for the container')
param memory string = '1.0Gi'

// Reference the existing environment, which may live in another resource group
resource containerAppEnv 'Microsoft.App/managedEnvironments@2024-03-01' existing = {
  name: containerAppEnvName
  scope: resourceGroup(resourceGroupName)
}

resource containerApp 'Microsoft.App/containerApps@2024-03-01' = {
  name: containerAppName
  location: resourceGroup().location
  properties: {
    managedEnvironmentId: containerAppEnv.id
    configuration: {
      // No registries or identity block here: both are required when the image is pulled from a private registry
      ingress: {
        external: true
        targetPort: containerPort
        transport: 'auto'
        allowInsecure: false
      }
    }
    template: {
      containers: [
        {
          name: containerAppName
          image: image
          resources: {
            cpu: json(cpu)
            memory: memory
          }
        }
      ]
    }
  }
}

@description('Output the full resource ID of the container app')
output containerAppId string = containerApp.id

Obviously a bit of a drawback that we can't just rely on a YAML file that's easily translatable from/to Kubernetes, but if it works.

!!! Disclaimer: I have not actually tried this myself; I was looking for the "right" way to deploy Container Apps before I launched into some elaborate setup. Also, with the new features of Azure Resource Manager it might make more sense to use az stack group create.

@maskati