
Using Azure Web App for Containers with managed identity

Deployed an Azure App Service for Containers with a custom image (from a CentOS 7 base image). Based on the following documentation, there is an environment variable that should be set by Azure and used for creating the REST API request to obtain an access token:

  • IDENTITY_ENDPOINT - the URL to the local token service.

However, when checking inside the container, this variable is not set:

[root@f22dfd74be31 ~]# echo $IDENTITY_ENDPOINT
(empty result here)

I've also tried to invoke az cli, which fails as well:

[root@f22dfd74be31 ~]# az login -i
AzureConnectionError: Failed to connect to MSI. Please make sure MSI is configured correctly 
and check the network connection.
Error detail: HTTPConnectionPool(host='169.254.169.254', port=80): Max retries exceeded with 
url: /metadata/identity/oauth2/token?resource=https%3
A%2F%2Fmanagement.core.windows.net%2F&api-version=2018-02-01 (Caused by 
NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f9e0c4
c72e8>: Failed to establish a new connection: [Errno 110] Connection timed out',))

I've successfully used managed identity with both Virtual Machines and App Service (code deployment, not containers). Is it supported with App Service for Containers, with custom containers?

When working with App Service for Containers, the "platform" environment variables, including managed identity and app settings, are only available when the container is initialized. In order to make these variables accessible from the container, the following line must be incorporated in the container startup script (called from the Dockerfile ENTRYPOINT):

eval $(printenv | sed -n "s/^\([^=]\+\)=\(.*\)$/export \1=\2/p" | sed 's/"/\\\"/g' | sed '/=/s//="/' | sed 's/$/"/' >> /etc/profile)

It should support MSI; make sure you enable MSI like below.


Besides, step 4 in this doc also mentions the CLI command to enable MSI.

az webapp identity assign --resource-group AppSvc-DockerTutorial-rg --name <app-name> --query principalId --output tsv
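
Added example, not part of either answer or of the Azure documentation: a POSIX sh variant of the start-up export step that single-quotes every value. The one-liner above wraps values in double quotes, so an app setting containing $(...) or backticks is expanded when the profile is sourced. The file path /etc/profile.d/appservice-env.sh and the function names persist_env and identity_env_present are assumptions for illustration.

```shell
#!/bin/sh
# Added example: persist the container's start-up environment for later
# login shells without letting the values be re-evaluated by the shell.

# Assumed location; any file that login shells source will do.
PROFILE_SNIPPET="${PROFILE_SNIPPET:-/etc/profile.d/appservice-env.sh}"

# Write one `export NAME='value'` line per environment variable to file $1.
# Values are single-quoted and embedded single quotes are written as '\'',
# so $(...), backticks, "$" and newlines stay literal when the file is sourced.
persist_env() {
    target="$1"
    ( umask 077   # app settings can hold secrets: keep a new file owner-only
      awk -v q="'" 'BEGIN {
          for (name in ENVIRON) {
              # Skip names that are not valid shell identifiers and
              # variables that the shell maintains itself.
              if (name !~ /^[A-Za-z_][A-Za-z0-9_]*$/) continue
              if (name ~ /^(_|PWD|OLDPWD|SHLVL)$/) continue
              n = split(ENVIRON[name], part, q)
              value = (n > 0) ? part[1] : ""
              for (i = 2; i <= n; i++) value = value q "\\" q q part[i]
              printf "export %s=%s%s%s\n", name, q, value, q
          }
      }' > "$target" )
}

# Return 0 only if the platform injected the managed identity endpoint.
identity_env_present() {
    [ -n "${IDENTITY_ENDPOINT:-}" ]
}

# Typical use at the top of the ENTRYPOINT script:
#   identity_env_present || echo "warning: IDENTITY_ENDPOINT is not set" >&2
#   persist_env "$PROFILE_SNIPPET"
```
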
