0

I have an Azure App Service that pulls an image from Azure ACR and fires up the image to run the application.

I would like the App Service to pull the image from ACR using a service principal. My question is which resource should I assign the service principal to? The ACR or the web service?

Charles Xu
SLN

2 Answers

1

Use a managed identity on the app service to provision a service principal for the App Service on the back end. You can then use RBAC to allow the app service plan identity to access the ACR.

This shows how to do it with a VM, but it applies to any Azure service that supports MI.

Josh
  • Thanks a lot for helping. This is a nice way without using a service principal. I will try to implement it with Terraform. – SLN Oct 16 '20 at 08:31
1

My question is which resource should I assign the service principal to? The ACR or the web service?

The short answer is the ACR. Actually, the correct understanding is that the service principal should have the permission to pull images from ACR, so you need to assign the permission of the ACR to the service principal.

Charles Xu
  • @Charlex But how can I let only the app service pull the image? Does adding a service principal with pull permission to the ACR allow all resources to pull from it? – SLN Oct 15 '20 at 07:37
  • @SLN You can treat the service principal as an account; using the account, you have the permission to pull images from the ACR. This is not restricted to certain resources. – Charles Xu Oct 15 '20 at 07:56
  • @SLN Any more updates for the question? Does it solve your problem? – Charles Xu Oct 16 '20 at 06:01
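
The two answers combined, as an added example that is not part of the original thread: enable the App Service's managed identity, grant that one identity `AcrPull` scoped to the one registry, then list who holds `AcrPull` there. It assumes a logged-in Azure CLI; the function name `grant_acr_pull` and its three arguments are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Usage: grant_acr_pull RESOURCE_GROUP WEBAPP_NAME ACR_NAME (names supplied by the caller)
# Prints the object ids of every principal holding AcrPull on the registry.
grant_acr_pull() (
  rg="$1"; app="$2"; acr="$3"

  # 1. Turn on the system-assigned managed identity. Azure creates the
  #    backing service principal and returns its object id.
  principal_id="$(az webapp identity assign \
    --resource-group "$rg" --name "$app" \
    --query principalId --output tsv)" || exit 1
  [ -n "$principal_id" ] || exit 1

  # 2. Resolve the registry's resource id; this is the role assignment scope.
  acr_id="$(az acr show --name "$acr" --query id --output tsv)" || exit 1

  # 3. The assignment lives on the ACR (scope) and names the App Service's
  #    identity (assignee). No other resource gains pull rights from it.
  az role assignment create \
    --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal \
    --role AcrPull --scope "$acr_id" --output none || exit 1

  # 4. Make the App Service authenticate to ACR with its managed identity
  #    instead of stored registry credentials.
  az webapp config set --resource-group "$rg" --name "$app" \
    --generic-configurations '{"acrUseManagedIdentityCreds": true}' \
    --output none || exit 1

  # 5. Audit: list every principal with AcrPull on this registry, including
  #    assignments inherited from the resource group or subscription.
  az role assignment list --scope "$acr_id" --role AcrPull \
    --include-inherited --query "[].principalId" --output tsv
)

# Run directly only when all three names are given on the command line.
if [ "$#" -eq 3 ]; then
  grant_acr_pull "$@"
fi
```

If the audit in step 5 prints object ids other than the App Service's, those principals can pull from the registry too and their assignments should be reviewed.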