Deploying Container App with Arm Template via Azure Devops: UNAUTHORIZED: authentication required
For the first time I am trying to deploy the container app.
I have a Azure Container Registry already deployed. I have set the permissions for the Azure Service Connection for ACR pull / push etcetera on subscription level.
First thing I do is building and pushing the image to the registry via Azure Devops pipeline. This works good. I also have the container app environment Second I am using an Arm template for creating the container app.
- task: AzureResourceManagerTemplateDeployment@3
displayName: "Create Container App"
inputs:
deploymentScope: 'Resource Group'
azureResourceManagerConnection: $(serviceConnection)
subscriptionId: '$(SubscriptionID)'
action: 'Create Or Update Resource Group'
resourceGroupName: '$(ResourceGroupName)'
location: 'West Europe'
templateLocation: 'Linked artifact'
csmFile: '$(Pipeline.Workspace)/drop/armtemplates/container_deployment.json'
csmParametersFile: '$(Pipeline.Workspace)/drop/armtemplates/container_parameters.json'
deploymentMode: 'Incremental'
continueOnError: false
The resource part of the template:
"resources": [
{
"type": "Microsoft.App/containerApps",
"apiVersion": "2023-05-01",
"name": "[parameters('containerAppName')]",
"location": "[parameters('location')]",
"properties": {
"managedEnvironmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('containerAppEnvName'))]",
"configuration": {
"ingress": {
"external": true,
"targetPort": "[parameters('targetPort')]",
"allowInsecure": false,
"traffic": [
{
"latestRevision": true,
"weight": 100
}
]
}
},
"template": {
"revisionSuffix": "firstrevision",
"containers": [
{
"name": "[parameters('containerAppName')]",
"image": "[parameters('containerImage')]",
"resources": {
"cpu": "[json(parameters('cpuCore'))]",
"memory": "[format('{0}Gi', parameters('memorySize'))]"
}
}
],
"scale": {
"minReplicas": "[parameters('minReplicas')]",
"maxReplicas": "[parameters('maxReplicas')]"
}
}
}
}
]
}
Error details: The following field(s) are either invalid or missing. Field 'template.containers.NameContainerApp.image' is invalid with details: 'Invalid value: "containerregistryname.azurecr.io/todolistapp:latest": GET https:?scope=repository%3Atodolistapp%3Apull&service=containerregistryname.azurecr.io: UNAUTHORIZED: authentication required
What needs exactly the required authorization in this case?
In your template, you didn't provide credentials in the Container Apps configuration when you deploy images hosted on private registries.
Solution:
You can deploy images hosted on private registries by providing credentials in the Container Apps configuration.
You can define the registry in the registries array in the properties.configuration section of the container app resource template. The
passwordSecretReffield identifies the name of the secret in thesecretsarray name where you defined the password.
Steps:
Enable the admin user in the Access keys and you will get the password.
In the pipeline, set a secret variable named
secrets, the value is the password you get in the Access keys.
In your
container_deployment.json, add thesecretsandregistriesin properties configuration.
Sample resources part:
"resources": [
{
"type": "Microsoft.App/containerApps",
"apiVersion": "2023-05-01",
"name": "[parameters('containerAppName')]",
"location": "[parameters('location')]",
"properties": {
"managedEnvironmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('containerAppEnvName'))]",
"configuration": {
"ingress": {
"external": true,
"targetPort": "[parameters('targetPort')]",
"allowInsecure": false,
"traffic": [
{
"latestRevision": true,
"weight": 100
}
]
},
"secrets": [
{
"name": "myregistrypassword",
"value": "[parameters('registry_password')]"
}
],
"registries": [
{
"server": "miao0909.azurecr.io",
"username": "miao0909",
"passwordSecretRef": "myregistrypassword"
}
],
"activeRevisionsMode": "Single"
},
"template": {
"revisionSuffix": "firstrevision",
"containers": [
{
"name": "[parameters('containerAppName')]",
"image": "[parameters('containerImage')]",
"resources": {
"cpu": "[json(parameters('cpuCore'))]",
"memory": "[format('{0}Gi', parameters('memorySize'))]"
}
}
],
"scale": {
"minReplicas": "[parameters('minReplicas')]",
"maxReplicas": "[parameters('maxReplicas')]"
}
}
}
}
]
- Override the
registry_passwordparameter withParameters: '-registry_password $(secrets)'in theAzureResourceManagerTemplateDeployment@3task.
- task: AzureResourceManagerTemplateDeployment@3
displayName: 'ARM Template deployment: Resource Group scope'
inputs:
deploymentScope: 'Resource Group'
azureResourceManagerConnection: ''
subscriptionId: ''
action: 'Create Or Update Resource Group'
resourceGroupName: 'Default'
location: ''
templateLocation: 'Linked artifact'
csmFile: '$(Pipeline.Workspace)/drop/armtemplates/container_deployment.json'
csmParametersFile: '$(Pipeline.Workspace)/drop/armtemplates/container_parameters.json'
overrideParameters: '-registry_password $(secrets)'
deploymentMode: 'Incremental'
You can use an Azure managed identity to authenticate with Azure Container Registry instead of using a username and password. For more information, see Managed identities in Azure Container Apps.
To use managed identity with a registry, the identity must be enabled in the app and it must be assigned acrPull role in the registry. To configure the registry, use the managed identity resource ID for a user-assigned identity, or system for the system-assigned identity in the identity property of the registry. Don't configure a username and password when using managed identity.
Steps:
- Create a user-assigned identity
- Assign the ACR pull / push role to the user-assigned identity
- Add the managed identity resource ID in the identity property of the registry in the template.
Sample resources part:
"resources": [
{
"identity": {
"userAssignedIdentities": {
"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/Default/providers/Microsoft.ManagedIdentity/userAssignedIdentities/username": {}
},
"type": "UserAssigned"
},
"type": "Microsoft.App/containerApps",
"apiVersion": "2023-05-01",
"name": "[parameters('containerAppName')]",
"location": "[parameters('location')]",
"properties": {
"managedEnvironmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('containerAppEnvName'))]",
"configuration": {
"ingress": {
"external": true,
"targetPort": "[parameters('targetPort')]",
"allowInsecure": false,
"traffic": [
{
"latestRevision": true,
"weight": 100
}
]
},
"registries": [
{
"server": "miao0909.azurecr.io",
"identity": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/Default/providers/Microsoft.ManagedIdentity/userAssignedIdentities/username"
}
],
"activeRevisionsMode": "Single"
},
"template": {
"revisionSuffix": "firstrevision",
"containers": [
{
"name": "[parameters('containerAppName')]",
"image": "[parameters('containerImage')]",
"resources": {
"cpu": "[json(parameters('cpuCore'))]",
"memory": "[format('{0}Gi', parameters('memorySize'))]"
}
}
],
"scale": {
"minReplicas": "[parameters('minReplicas')]",
"maxReplicas": "[parameters('maxReplicas')]"
}
}
}
}
]
- How can I define compile time constants in bicep configuration language?
- Outlook calendar don't render with FullCalendar
- Azure functions decoding error for IotHub device connection state message schema
- How do I set scope in Azure API Manager (APIM) when using D_application_id
- How to mount multiple disks in a loop using ansible
- How can I get sub value in nested json via KQL?
- Azure .NET SDK: Scale Azure SQL databases through SDK
- How can I invoke Azure Trusted Signing from a Linux OS?
- How to transfer "Set Variable" activity output into Json file using "Copy Data" activity or any other options?
- Verify Microsoft Access token on my ASP.NET Core Web API
- I'm trying to install the package from a private Azure DevOps repository using the pip install command, but I'm encountering an error
- Unable to define the sites for an App Registration for SahrePoint with Site.Selected
- Check if the resource exists before using data
- Not able to see azure 'LifecyclePolicyCompleted event' log
- Direct Web Push gives Error when used from Notification Hub
- Azure Remove User Consent to API
- Flutter-Azure Deviops pipelineThe discrepancy between the number of tests reported as passed or failed in the pipeline output and the test report
- App_location on deployment of a static webapp
- MSINotEnabled - Can't use KeyVault Reference in Azure Function
- Reading values from a key value based file and passing these values to azure devops template
- Deleting an Azure Loadbalancer Frontend IP configuration from python?
- How to retrieve the front door id from a Microsoft CDN (classic)
- What is HEAD operation in CosmosDB reported in Azure Monitoring
- Deploying a Python App to Azure App Service with Github Actions
- How to Query User Access Logs for Azure Front Door
- How can I add email recipients to a Graph API request programmatically?
- How to create Azure Devops Service Connection Docker Registry Type Other
- Problem with CORS policy in React front end with FastAPI on the back trying to use Microsoft Single Sign-on
- Azure Document Intelligence Custom Classification Python API
- Azure Function App unaccounted for time in Application Insights Timeline