
Here's the setup:

  • Azure Container Registry
  • Service Fabric
    • VMSS with SystemAssigned identity (aka "Managed Service Identity" aka MSI)
    • VMSS identity given "Reader" role access to the Azure Container Registry
  • ApplicationManifest.xml
    • ServiceManifest.xml referencing a container in the registry

Cool.

Except Service Fabric can't launch instances of the app because it can't pull the container from the registry. When I RDP into a VM and pull, it tells me "authentication required".

I understand that I can add <RepositoryCredentials …> into my ApplicationManifest.xml. With my password. To the container admin account. Which seems "bad", even if encrypted. Definitely less convenient than having MSI working.

Working locally, MSI works fine after a couple little az acr commands.

Can it all be wrapped up somehow in the ApplicationManifest/ServiceManifest.xml files, so that MSI is honored when pulling from Azure Container Registry?

Josh
  • AFAIK, I don't think you can, at least not as an official approach. You can try running the az acr commands as a SetupEntryPoint to authenticate and then omit the credentials in the App manifest to use the cached credentials. Not sure it will work, but it is how you should do it without SF. – Diego Mendes Oct 29 '18 at 16:24

0 Answers