How can I use a SystemAssigned identity when pulling an image from Azure Container Registry into Azure Container Instances?

I want to create a container (or container group) in Azure Container Instances, pulling the image(s) from Azure Container Registry, but using a SystemAssigned identity. With that I want to avoid using ACR login credentials, a service principal or a UserAssigned identity.

When I run this script (Azure CLI in PowerShell) ...

$LOC = "westeurope"
$RG = "myresourcegroup"
$ACRNAME = "myacr"

az configure --defaults location=$LOC group=$RG

$acr = az acr show -n $ACRNAME -o json | ConvertFrom-Json -Depth 10

az container create --name app1 --image $($acr.loginServer+"/app1") `
    --assign-identity --role acrpull --scope $acr.id `
    --debug

... ACI does not seem to recognize that it should be already authorized for ACR and shows this prompt:

Image registry username:

Azure CLI version: 2.14.0

Does this make sense? Is the ACI managed identity supported for ACR?

Solution 1:[1]

In your code, you create an Azure container with a managed identity that is being created at ACI creation time and use it to authenticate to ACR. I am afraid that you cannot do that, because there are limitations:

You can't use a managed identity to pull an image from Azure Container Registry when creating a container group. The identity is only available within a running container.

Solution 2:[2]

From Jan 2022 on, managed identity is supported on Azure Container Instances to access Azure Container Registry: https://docs.microsoft.com/en-us/azure/container-instances/using-azure-container-registry-mi
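As an added example (not part of the answer above, and not Microsoft's own sample), this is the managed-identity flow in the same Azure-CLI-in-PowerShell style as the question. It assumes a user-assigned identity, since the identity has to exist and already hold AcrPull on the registry before the pull happens, and an Azure CLI recent enough to offer `--acr-identity` on `az container create`; all resource names are placeholders.

```powershell
# Added example, not from the original answers. Assumes Azure CLI with the
# --acr-identity parameter and a user-assigned identity (a SystemAssigned
# identity is only created together with the container group, so it cannot
# hold AcrPull before the image pull). All names below are placeholders.
$LOC     = "westeurope"
$RG      = "myresourcegroup"
$ACRNAME = "myacr"
$IDNAME  = "aci-pull-identity"
$APPNAME = "app1"

az configure --defaults location=$LOC group=$RG

$acr = az acr show -n $ACRNAME -o json | ConvertFrom-Json

# 1. Create the identity ahead of time.
$mi = az identity create -n $IDNAME -o json | ConvertFrom-Json

# 2. Least privilege: AcrPull on this registry only, nothing at resource group scope.
az role assignment create `
    --assignee-object-id $mi.principalId `
    --assignee-principal-type ServicePrincipal `
    --role AcrPull `
    --scope $acr.id | Out-Null

# 3. Role assignments propagate asynchronously; poll until ACR can see it,
#    otherwise the first pull can fail with an authorization error.
$deadline = (Get-Date).AddMinutes(5)
do {
    $assigned = @(az role assignment list --assignee $mi.principalId `
        --scope $acr.id --role AcrPull -o json | ConvertFrom-Json)
    if ($assigned.Count -gt 0) { break }
    Start-Sleep -Seconds 10
} while ((Get-Date) -lt $deadline)
if ($assigned.Count -eq 0) { throw "AcrPull assignment for $IDNAME not visible after 5 minutes" }

# 4. Create the container group. --acr-identity selects the identity used for the
#    image pull, --assign-identity attaches it to the group. No registry username
#    or password appears on the command line, so there is no secret to rotate or delete.
az container create `
    --name $APPNAME `
    --image "$($acr.loginServer)/$APPNAME" `
    --acr-identity $mi.id `
    --assign-identity $mi.id

# Check: the pull events should not mention registry credentials, and the ACR
# resource logs should attribute the pull to the identity's principal.
az container show -n $APPNAME --query "containers[0].instanceView.events" -o table
```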

Solution 3:[3]

@minus_one's solution does not work in my case. Runbook to make container registry. It does need more privileges than stated in here... https://github.com/Azure/azure-powershell/issues/3215

Solution 4:[4]

This solution will not use managed identity, and it is important to note that we will need the Owner role at least at the resource group level.

The main idea is to use service principals to get the access using the acrpull role. See the following PowerShell script:


# Placeholder values (not part of the original answer); replace with your own names.
$resourceGroupName     = "myresourcegroup"
$containerRegistryName = "myacr"
$containerInstanceName = "app1"
$containerImage        = "${containerRegistryName}.azurecr.io/app1:latest"

$resourceGroup = (az group show --name $resourceGroupName | ConvertFrom-Json)

$containerRegistry = (az acr show --name $containerRegistryName | ConvertFrom-Json)

# Service principal scoped to this registry only, with the acrpull role.
# The returned JSON contains appId and password, used as registry credentials below.
$servicePrincipal = (az ad sp create-for-rbac `
    --name "${containerRegistryName}.azurecr.io" `
    --scopes $containerRegistry.id `
    --role acrpull `
    | ConvertFrom-Json)

az container create `
    --name $containerInstanceName `
    --resource-group $resourceGroupName `
    --image $containerImage `
    --command-line "tail -f /dev/null" `
    --registry-login-server "${containerRegistryName}.azurecr.io" `
    --registry-username $servicePrincipal.appId `
    --registry-password $servicePrincipal.password


Please note that we have created a service principal, so we also need to remove that:


az ad sp delete --id $servicePrincipal.appId

There is documentation on how to do that:

Deploy to Azure Container Instances from Azure Container Registry

Update:

I think the --registry-login-server "${containerRegistryName}.azurecr.io" option was missing.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Nancy Xiong
Solution 2 Kai Walter
Solution 3 Jukka Ainali
Solution 4