Here's the setup:
Azure Container Registry
Service Fabric
VMSS with SystemAssigned identity (aka "Managed Service Identity" aka MSI)
VMSS identity given "Reader" role access to the Azure Container Registry
ApplicationManifest.xml
ServiceManifest.xml referencing a container in the registry
Cool.
Except Service Fabric can't launch instances of the app because it can't pull the container from the registry. When I RDP into a VM and pull, it tells me "authentication required".
I understand that I can add <RepositoryCredentials …> into my ApplicationManifest.xml. With my password. To the container admin account. Which seems "bad", even if encrypted. Definitely less convenient than having MSI working.
Working locally, MSI works fine after a couple little az acr commands.
Can it all be wrapped up somehow in the ApplicationManifest/ServiceManifest.xml files, so that MSI is honored when pulling from Azure Container Registry?
I have created an ASP.NET API that accesses KeyVault to get secrets.
When I run locally on my laptop, I use Managed Identity to access KeyVault with a dedicated Service Principal (with AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID set in my system environment variables).
This is working just fine.
Now I have created a VM in Azure to be used as a developer machine. All the tools are installed and configured like they are on my laptop.
But when I run the web API I get a 403 telling me the object ID #### does not have Get/List access to KeyVault.
I've checked and the object ID matches the one of the VM. Indeed the VM does not have this access to KeyVault, however I'd expect the Web API to run with the configured AZURE_CLIENT_ID in my environment variables.
Am I missing something?
Ensure get/list operations are selected/enabled in the access policy created for your managed identity/service principal:
I have successfully created a docker image that runs inside a docker container. The container successfully executes the image (a .NET app), but the image crashes shortly after startup because it encounters an error with Azure Services. The reason is that the docker container is attempting to access Azure Services to fetch an authorization token (to fetch secrets from a key vault) and does not have authority to do so.
I should note that it is possible to run the app locally outside of a container via the Azure CLI after using az login to verify my credentials. Then, when the app is started via the Azure CLI, it is 'allowed' to access Azure Services to get auth tokens and consequently fetch data from my key vault.
I would like to know if there is a way to run an az login script with credentials inside a docker container before the .NET app image executes, so that I can start the application from within the Azure CLI (inside the container) after my credentials have been verified. I have looked through the documentation and have not seen a way to configure something like this.
To use the Azure CLI and log in inside the container, you need to install the Azure CLI inside the container, then log in with a non-interactive mode. I would recommend the service principal. You can take a look at the command:
az login --service-principal -u <app-url> -p <password-or-cert> --tenant <tenant>
For more details, see Create an Azure service principal with Azure CLI. After login, you can then start your application as needed.
Here are 2 options which don't require the Azure CLI in the container (Azure Managed Identity from within a docker container running locally):
inject an access token into the container using ENV variable
use device authentication flow to obtain an access token
I read these answers a while ago. I was looking for a similar solution but using the service principal. I found that Docker can run Kubernetes and there is AAD-Pod-Identity https://github.com/Azure/aad-pod-identity which can do the work for me, but it doesn't work for Docker Kubernetes. I forked their Go repository and made modifications to the mic component. Now it works for Docker Kubernetes; not sure whether the Azure team has plans to get these modifications on board or not.
You can get detailed instructions on how to get things running here: https://github.com/Wallsmedia/aad-pod-identity
Azure CLI would not work for Docker, because you have to set up the Azure CLI and log in and then run your application.
I want to use an Azure Container Registry of a different account in a Build pipeline in Azure DevOps.
When I try to add a Docker Registry Service Connection and select Azure Container Registry, it only lets me choose between the subscriptions of the current account.
When I try to add the Azure Resource Manager of the Subscription of a different account which contains the Azure Container Registry in the Service Connections, it says it cannot find any Azure Container Registry.
So how do I accomplish this?
I have the same situation in which the Azure Container Registry (ACR) is in a different Azure AD from the Azure DevOps build pipelines.
I'll outline the steps I used:
Create an app registration in the Azure AD where the ACR exists.
Give it a name like myregistry-app
Go to the myregistry-app Certificates and secrets page and create a new secret. Copy the value as you cannot retrieve it later.
Also copy the myregistry-app application id. You can find it on the overview screen.
Now go to the ACR Access Control (IAM) screen for your container registry.
Add a role assignment and assign the myregistry-app identity the Contributor role.
Back in your build pipeline create a Docker task and click on the New button under the Container Registry section.
In the popup dialog Add a Docker Registry service connection choose the Others radio button.
Put in the URL to your ACR which you can find on the container registry overview page.
Use the application id for myregistry-app as the Docker ID.
Use the myregistry-app secret for the password.
This is currently working for me. There may be a better way.
We have two different Azure subscriptions and tenant IDs: one for a development env and the other for a production environment. As a CI/CD pipeline, we are building docker images and pushing these images to ACR in the dev subscription.
We want to reuse docker images available in the dev subscription ACR when running a k8s cluster in the prod environment.
As per my understanding, we cannot reuse ACR from a different subscription and tenant ID. The only possible solution is to have at least the same tenant ID.
Do we have any way by which we can reuse these docker images?
Why not? You just need to auth to ACR and then you can pull images from that ACR. You won't be able to use an Azure connection for that, but you can use a docker connection for that (in both Kubernetes and Azure DevOps).
From the ACR POV, it's supported. Say you create a Service Principal SP1 in tenant1/sub1, and assign the AcrPull role to it for registry1 in tenant1/sub1. SP1 can now access registry1. You can then assign the same SP1 the AcrPull role for registry2 in another tenant tenant2/sub2 (this essentially makes SP1 a guest service principal in tenant2); now SP1 can also pull from registry2.
As long as an SP is given permission to pull from a registry, you can use the SP as user/pwd to access the registry from anywhere. Can you elaborate what is not working?
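An added example, not code from any of the posts above, showing the token exchange that `az acr login` performs and that an MSI-based pull (the Service Fabric question at the top), an access token injected into a container (the two options above) and a guest service principal in a second tenant (SP1 above) all rely on: an AAD token for the ARM audience is posted to the registry's /oauth2/exchange endpoint for a registry refresh token, which is then traded at /oauth2/token for an access token scoped to pull on one repository (an SP used directly as docker user/pwd, as in the Azure DevOps steps above, skips this exchange). The registry and tenant names, the repository, the oid, and the fake_jwt/fake_acr stand-ins are constructed so it runs offline; post_form is the real transport, and jwt_claims decodes a token only to show which identity actually acquired it (the kind of check the Key Vault 403 above calls for), not to verify it.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

ACR_TOKEN_USER = "00000000-0000-0000-0000-000000000000"  # ACR's username for token logins
ARM_AUDIENCES = ("https://management.azure.com/", "https://management.azure.com")

def jwt_claims(token):
    """Payload only, no signature check: diagnostics (which oid runs this?), never authz."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def post_form(url, fields):
    """Real transport: HTTPS form POST, JSON body back."""
    req = Request(url, data=urlencode(fields).encode(), method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)

def acr_pull_credentials(registry, tenant, aad_token, repository, post=post_form):
    """AAD token (MSI or SP, ARM audience) -> ACR refresh token -> pull-scoped access token."""
    claims = jwt_claims(aad_token)
    if claims.get("aud") not in ARM_AUDIENCES:
        raise ValueError("expected an ARM-audience token, got aud=%r" % claims.get("aud"))
    refresh = post(f"https://{registry}/oauth2/exchange", {
        "grant_type": "access_token", "service": registry,
        "tenant": tenant, "access_token": aad_token})["refresh_token"]
    access = post(f"https://{registry}/oauth2/token", {
        "grant_type": "refresh_token", "service": registry,
        "scope": f"repository:{repository}:pull", "refresh_token": refresh})["access_token"]
    return {"identity_oid": claims.get("oid"), "username": ACR_TOKEN_USER,
            "refresh_token": refresh, "access_token": access}

def fake_jwt(claims):  # constructed stand-in for an AAD-issued token (unsigned)
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])

def fake_acr(url, fields):  # constructed stand-in for the registry's token endpoints
    if url.endswith("/oauth2/exchange") and fields["grant_type"] == "access_token":
        return {"refresh_token": "REFRESH-" + fields["tenant"]}
    if url.endswith("/oauth2/token") and fields["refresh_token"].startswith("REFRESH-"):
        return {"access_token": "ACCESS-" + fields["scope"]}
    raise AssertionError("unexpected request: %s %s" % (url, fields))

def demo():
    token = fake_jwt({"aud": "https://management.azure.com/", "tid": "tenant2",
                      "oid": "11111111-2222-3333-4444-555555555555"})
    return acr_pull_credentials("registry2.azurecr.io", "tenant2", token, "myapp/api", post=fake_acr)
```

The refresh token is what docker login receives as the password for ACR_TOKEN_USER, so it is a credential to be handled like one; scoping the access token to pull on a single repository mirrors granting the identity AcrPull rather than Contributor.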
I am using Azure CLI 2.0 and I am trying to create an Azure Container Service of type Kubernetes, with this command (I already created the resource group)
az acs create --orchestrator-type=kubernetes --resource-group=mi-shared-docker-test --dns-prefix=kube --name=mishareddocker
I am getting this error
waiting for AAD role to propagate..........Could not create a service
principal with the right permissions. Are you an Owner on this
project?
I can create any VMs, web apps etc., but why am I receiving this error?
Well, the error states it pretty clearly: you don't have the right permissions. You should read up on the ACS\Kubernetes guide.
I understand you are using az, not azure, but the idea is the same: you should have enough permissions and a service principal to deploy Kubernetes on Azure.
You need to look specifically at this link.
There's a typo in your command: orchestrator=type should be orchestrator-type (dash instead of equals).