CrestApps-8702 asked AndriyBilous commented

Unable to run Azure Web Service from a docker image in an Azure Registry

I am trying to run a docker image in an Azure Web Service for Containers.

My Azure Web Service has two slots, "production" and "staging". In my "staging" slot, I navigated to "Identity" and added a "User assigned" identity. Then I navigated to the Container registry and, under the "Identity" tab, I also added a user assigned identity. Also, under the "Access control (IAM)" tab, I assigned both AcrPull and AcrPush roles to the same user identity I added to the web server and the container.

My app fails to start up and I see this in the logs

ERROR - Pull image threw Exception: Input string was not in a correct format.
INFO  - Pulling image from Docker hub: privateregistry.azurecr.io/privateimage:152
ERROR - DockerApiException: Docker API responded with status code=InternalServerError, response={"message":"Get https://privateregistry.azurecr.io/v2/privateimage/manifests/152: unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information."}


How can I fix this issue?

azure-webapps azure-container-registry

AndriyBilous answered AndriyBilous edited

Hello @CrestApps-8702

Please check if managed identity is assigned to the web app deployment slot.

 az webapp identity show --name MyWebapp --resource-group MyResourceGroup --slot MySlot
 az webapp config container show --name MyWebapp --resource-group MyResourceGroup --slot MySlot

https://github.com/Azure/azure-powershell/issues/13109

Assign an identity to your WebApp slot, where ID_Name is the name of your UserIdentity, which you can find in Enterprise Apps:

 # Modify for your environment (RG_Name, ID_Name and Web_Name must be set first)
 Identity_ARMID=$(az identity show -g "$RG_Name" -n "$ID_Name" --query id -o tsv)
 # Resolve the slot's config/web resource, so the settings land on the same slot as the identity
 Webapp_Config=$(az webapp show -g "$RG_Name" -n "$Web_Name" --slot MySlot --query id --output tsv)"/config/web"
 ClientID=$(az identity show -g "$RG_Name" -n "$ID_Name" --query clientId --output tsv)

 # Assign the managed identity to the web app slot
 az webapp identity assign -g "$RG_Name" -n "$Web_Name" --identities "$Identity_ARMID" --slot MySlot -o none

 # Configure the WebApp to use the managed identity credentials for docker pull operations
 az resource update --ids "$Webapp_Config" --set properties.acrUseManagedIdentityCreds=True -o none
 az resource update --ids "$Webapp_Config" --set properties.AcrUserManagedIdentityID="$ClientID" -o none

Configure WebApp to pull image:tag from ACR

 # Modify for your environment (ACR_Name must be set first)
 # loginServer is the registry host name, e.g. privateregistry.azurecr.io
 ACR_URL=$(az acr show -g "$RG_Name" -n "$ACR_Name" --query loginServer --output tsv)
 Image="privateimage:152"
 FX_Version="Docker|${ACR_URL}/${Image}"

 # Configure the ACR, image and tag to pull
 az resource update --ids "$Webapp_Config" --set properties.linuxFxVersion="$FX_Version" -o none --force-string

https://github.com/Azure/app-service-linux-docs/blob/master/HowTo/use_user-assigned_managed_identities.md



CrestApps-8702 answered AndriyBilous commented

Hi @AndriyBilous, for some reason I am unable to comment on your answer.

Thank you for the feedback! I added the identity using the GUI like this
1) go to the staging slot app
2) click on the "Identity" menu item on the left
3) click on "User assigned" tab
4) click "+ Add" searched for the identity name and added it

az webapp identity show --name MyWebapp --resource-group MyResourceGroup --slot MySlot

outputs

{
  "principalId": null,
  "tenantId": null,
  "type": "UserAssigned",
  "userAssignedIdentities": {
    "IdentityName": {
      "clientId": "ClientId",
      "principalId": "PrincipalId"
    }
  }
}

az webapp config container show --name MyWebapp --resource-group MyResourceGroup --slot MySlot

outputs

[
  {
    "name": "DOCKER_REGISTRY_SERVER_PASSWORD",
    "slotSetting": false,
    "value": null
  },
  {
    "name": "DOCKER_REGISTRY_SERVER_URL",
    "slotSetting": false,
    "value": "https://MyRegistryName.azurecr.io"
  },
  {
    "name": "DOCKER_REGISTRY_SERVER_USERNAME",
    "slotSetting": false,
    "value": "RegistreyUserName"
  },
  {
    "name": "WEBSITES_ENABLE_APP_SERVICE_STORAGE",
    "slotSetting": false,
    "value": "false"
  },
  {
    "name": "DOCKER_CUSTOM_IMAGE_NAME",
    "value": "DOCKER|reg.MyRegistryName.io/imageName:tagId"
  }
]

Not sure why DOCKER_REGISTRY_SERVER_PASSWORD has a null value where the GUI shows the valid value.

Anyway, I executed the commands to assign it via code, but I am still having the same problem.


Did you use above commands to use acrUseManagedIdentityCreds?

 # Look up the client ID of the user-assigned identity
 identity_client_id=$(az identity show --resource-group MyResourceGroup --name UserIdentityName --query clientId --output tsv)
 # Tell the web app which identity to use, and to use it for ACR pulls
 az resource update --resource-group MyResourceGroup --name MyWebAppName/config/web --set properties.acrUserManagedIdentityID="$identity_client_id" --resource-type 'Microsoft.Web/sites/config'
 az resource update --resource-group MyResourceGroup --name MyWebAppName/config/web --set properties.acrUseManagedIdentityCreds=true --resource-type 'Microsoft.Web/sites/config'
 # Point the web app at the image in the private registry
 az webapp config set --resource-group MyResourceGroup --name MyWebAppName --linux-fx-version 'DOCKER|MyPrivateRegistry.azurecr.io/privatewebsite:lnx-v2'


https://azure.github.io/AppService/2021/07/03/Linux-container-from-ACR-with-private-endpoint.html


@AndriyBilous I did but still not working. Not sure if the last steps are needed since I am deploying my image using Azure DevOps pipeline.

When I execute the command

az webapp config container show --name AppName --resource-group MyResourceGroupName --slot staging


I get null for the DOCKER_REGISTRY_SERVER_PASSWORD value, but when I look up that value in the Configuration I get the correct value. I suspect this is the issue, unless the command line converts the value to null on purpose.


Yes, the last steps are not needed if you are using Azure DevOps pipeline.
By the way, does it work in default slot?


Access control is correct in ACR.

I tried to reproduce your issue and everything seems to be working for me.
Could you please log in to https://resources.azure.com/, find your WebApp and check the settings I marked:

 "linuxFxVersion": "DOCKER|MyAcrName.azurecr.io/nginx:latest",
 "acrUseManagedIdentityCreds": true,
 "acrUserManagedIdentityID": "MyUserIdentitiyClientIdId"


@AndriyBilous Yes, all 3 settings have the correct value. The acrUserManagedIdentityID has the id of the identity "verified". linuxFxVersion has "DOCKER|MyRegistryNameInLowercase.azurecr.io/MyImageNameLowercase:156" and acrUseManagedIdentityCreds is set to true for both the default and the slot config.


Could you please enable detailed logging on Azure ACR to see the login attempts and possible reasons:
- Diagnostic settings
- Logs

Please also check that you are using the correct UserIdentity in the WebApp settings.
Make sure that the image you are trying to pull exists in ACR and has the exact path you are using in WebApp.

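The checks discussed across this thread, gathered into one offline consistency check. This is an added example, not code from either poster or from Azure tooling. It assumes you have saved the JSON printed by `az webapp identity show`, `az webapp config container show`, the slot's `config/web` properties and `az role assignment list` for the registry; the function name and all sample values are constructed.

```python
from urllib.parse import urlparse

PULL_ROLES = {"AcrPull", "AcrPush"}  # AcrPush also grants pull

def check_acr_pull_config(site_config, identity, app_settings, role_assignments):
    """Return findings for one slot; an empty list means the inputs agree."""
    findings = []
    if site_config.get("acrUseManagedIdentityCreds") is not True:
        findings.append("acrUseManagedIdentityCreds is not true")
    assigned = list((identity.get("userAssignedIdentities") or {}).values())
    wanted = (site_config.get("acrUserManagedIdentityID") or "").lower()
    match = next((i for i in assigned if i["clientId"].lower() == wanted), None)
    if match is None:
        if any(i["principalId"].lower() == wanted for i in assigned):
            findings.append("acrUserManagedIdentityID holds a principalId, not a clientId")
        else:
            findings.append("acrUserManagedIdentityID matches no identity on this slot")
    elif not any(r["principalId"] == match["principalId"]
                 and r["roleDefinitionName"] in PULL_ROLES for r in role_assignments):
        findings.append("identity has no AcrPull or AcrPush role on the registry")
    # linuxFxVersion looks like "DOCKER|<registry host>/<image>:<tag>"
    image = (site_config.get("linuxFxVersion") or "").partition("|")[2]
    image_host = image.split("/", 1)[0].lower()
    settings = {s["name"]: s.get("value") for s in app_settings}
    url_host = urlparse(settings.get("DOCKER_REGISTRY_SERVER_URL") or "").hostname or ""
    if url_host and image_host != url_host:
        findings.append(f"image host {image_host} differs from registry URL host {url_host}")
    return findings

# Constructed sample data (placeholder GUIDs and names, not values from the thread)
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
PRINCIPAL_ID = "22222222-2222-2222-2222-222222222222"
SLOT_IDENTITY = {"type": "UserAssigned", "userAssignedIdentities": {
    "IdentityName": {"clientId": CLIENT_ID, "principalId": PRINCIPAL_ID}}}
APP_SETTINGS = [{"name": "DOCKER_REGISTRY_SERVER_URL",
                 "value": "https://MyRegistryName.azurecr.io"}]
ROLES = [{"principalId": PRINCIPAL_ID, "roleDefinitionName": "AcrPull"}]
GOOD = {"linuxFxVersion": "DOCKER|myregistryname.azurecr.io/imagename:156",
        "acrUseManagedIdentityCreds": True, "acrUserManagedIdentityID": CLIENT_ID}
BAD = {"linuxFxVersion": "DOCKER|reg.myregistryname.io/imagename:156",
       "acrUseManagedIdentityCreds": True, "acrUserManagedIdentityID": PRINCIPAL_ID}

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_acr_pull_config(cfg, SLOT_IDENTITY, APP_SETTINGS, ROLES))
```

Run it once per slot, since each slot carries its own identity assignment and `config/web` properties.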