Deploy from ACR to App Service should use MSI with ACRPull role

[berndverst]

Many users attempt to enable the admin mode on ACR. This is bad for security. At the same time, newly created ACR instances don't provide App Service with the necessary access for deployment, even via the VS Docker extension. Many users wrongly believe enabled admin mode is the only way out.

This is a feature request specific to the deployment from ACR to App Service / Web App which will allow making the deployment seamless.

1. Retrieve Web App Managed Identity or Create (Assign) a new one of it does not exist
2. Assign ACR Pull role to the system managed identity for the ACR in question.

References:

• App Service Managed Service Identity
• How to use Managed Service Identities with ACR

[bwateratmsft]

@berndverst I am not able to figure out how to get the app service to actually log in using the MSI.

I added you as an owner on the resource group ("bwater"). Here's what I did:

1. Created ACR and put some images on it.
2. Created web app, pointed at that registry. I cannot even create the web app without enabling admin mode, so I enabled it temporarily:
   
3. Web app gets created. Turn admin mode back off on the ACR.
4. In the Config tab, it has DOCKER_SERVER_REGISTRY_URL, DOCKER_SERVER_REGISTRY_USERNAME, DOCKER_SERVER_REGISTRY_PASSWORD, and others. I removed username and password.
5. Turn on system-assigned identity on the web app.
6. Assign AcrPull role to said identity on the ACR.
7. Open web app in browser, get error.
8. Diagnostic logs say auth failure to registry.

It seems like Web App services aren't actually capable of authenticating to ACR with MSI? Is there some config that I must set in place of DOCKER_SERVER_REGISTRY_USERNAME, DOCKER_SERVER_REGISTRY_PASSWORD?

[berndverst]

@bwateratmsft I agree with you. From the docs it sounds like it should be possible, but it isn't actually. Digging around internally it seems that the App Service Team does not actually support system assigned identity for accessing ACR.

I don't recall whether the App Service MSI page mentions this limitation, but if not that might be worthwhile calling out.

[bwateratmsft]

I'll file a doc bug about that, and link this to that one.

[bwateratmsft]

Opened https://github.com/MicrosoftDocs/azure-docs/issues/55802.