Azure Container Registry in Azure Web App for Containers across subscriptions

Asked 21/1, 2020 at 23:51 Answered 5/1, 2021 at 16:32

Solved azure docker azure-container-registry azure-web-app-for-containers

I'm currently trying to set up an Azure Web App for Containers, linking it to a Azure Container Registry that lives inside a different subscription. That's why my initial thought was to use the Private Registrytab inside the Web apps Container Settings to enter the credentials of said Registry.

However when I save and reload the page the settings of the Azure Container Registry tab are now populated and the Private Registry tab is empty. The issue is, that I get now get following error:

2020-01-21 21:51:12.951 ERROR - DockerApiException: Docker API responded with status code=NotFound, response={"message":"pull access denied for cliswebapi, repository does not exist or may require 'docker login': denied: requested access to the resource is denied"}

I assume because no password was stored. How do I configure this properly?

Fogy answered 21/1, 2020 at 23:51 Comment(0)

While you use the private registry, the Azure Container Registry is also a private registry, and deploy to Web App for Containers, you need to set the environment variables here:

DOCKER_REGISTRY_SERVER_USERNAME - The username for the ACR server.
DOCKER_REGISTRY_SERVER_URL - The full URL to the ACR server. (For example, https://my-server.azurecr.io.)
DOCKER_REGISTRY_SERVER_PASSWORD - The password for the ACR server.

See more details in If you're using Azure Container Registry, you need to set some app settings.

And if you create multiple containers, all the images must be in the same registry. All in Docker Hub or Azure Container Registry. See more details in All images must use the same registry.

Update:

With the message that you deploy the Web App using the image in the ACR in a different subscription. It seems it's a bug in Web App and you can see the issue in the Github. And the suggestion is that maybe you can use the service principal for the ACR to authenticate and the steps here.

Chaffee answered 22/1, 2020 at 1:36 Comment(13)

It seems these values get auto-populated when I enter them through the Private Registry tab. Still, getting the same error. Do I need to do anything on the Container Registry besides enableing the admin user? – Fogy 22/1, 2020 at 8:38

@Fogy Do you use the service principal to authenticate if you do not enable the admin user? And do you deploy it in the portal? – Chaffee 22/1, 2020 at 8:40

@Fogy Id you do not use the service principal, I will say yes, you need to enable the admin user to provide the username and password to the Web App. – Chaffee 22/1, 2020 at 9:3

I'm not using a service principal and I have admin enabled, but still seeing this issue. – Fogy 22/1, 2020 at 10:2

@Fogy Do you redeploy your image after enabling the admin user? And do you use a single image or multiple images? And do you check if the value of the environment variables in my answer is the same with your ACR? – Chaffee 23/1, 2020 at 1:2

I enabled the admin user when creating the ACR. It's just a single image which I tried to redeploy using a newer build / tag. I also checked that the values in the config are correct. – Fogy 23/1, 2020 at 8:39

@Fogy How do you deploy the image into Web App? In the ACR and deploy it? – Chaffee 23/1, 2020 at 8:44

I deploy it from Azure DevOps into ACR and then wanted to manually get it in the Web App from ACR. Btw. I recreated the ARC instance inside the same subscription and it works immediately. Still, I need to be able to do this across subs. – Fogy 23/1, 2020 at 8:49

@Fogy Not sure, but it seems it's a bug here in GitHub. Maybe you can use the service principal to authenticate, the steps here. – Chaffee 23/1, 2020 at 9:6

That's exactly what I'm experiencing. I'll keen an eye out for this to be resolved. Thanks for your help! – Fogy 23/1, 2020 at 9:15

@Fogy Well, if you do not mind, please accept the answer. – Chaffee 23/1, 2020 at 9:30

Please add the links to the bug & workaround to your answer since that's the important part. :) – Fogy 23/1, 2020 at 9:52

@Fogy Update the answer with the link. – Chaffee 24/1, 2020 at 1:6

I have spend some time on this issue and figured it out. Here is my solution:

Assuming we are having two subscriptions, let's call them SUB-A and SUB-B, where we are having an Azure Container Registry in SUB-A (called azurebluedev in my example).

Now we'd like to create an App Service in SUB-B that pulls its image of our container registry by using the admin username.

It's critical that you use the correct format under Image and tag in the docker blade when creating the app service. It must follow the format url/image:tag (without https) otherwise you will run into the described problem. I was using image:tag format beforehand which didn't work.

This worked for me!

Agrippina answered 5/1, 2021 at 16:32 Comment(1)

This solved my issue, which was just a 404 NotFound error rather than an authentication error. – Ashcroft 15/5, 2023 at 16:36

Recommended topics

Hot tags