From d1d1148d90e61d02f3a9067b27493137dfe69fbf Mon Sep 17 00:00:00 2001 From: Jeff Martinez Date: Fri, 13 Sep 2024 14:52:29 -0700 Subject: [PATCH 1/3] adding xenon msi blog --- ...naged-Identity-using-Windows-containers.md | 61 +++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 _posts/2024-9-17-How-to-pull-from-ACR-with-Managed-Identity-using-Windows-containers.md diff --git a/_posts/2024-9-17-How-to-pull-from-ACR-with-Managed-Identity-using-Windows-containers.md b/_posts/2024-9-17-How-to-pull-from-ACR-with-Managed-Identity-using-Windows-containers.md new file mode 100644 index 000000000..b1a5b648c --- /dev/null +++ b/_posts/2024-9-17-How-to-pull-from-ACR-with-Managed-Identity-using-Windows-containers.md 
@@ -0,0 +1,61 @@ +--- +title: "How to pull from ACR with Managed Identity using Windows containers" +author_name: "Jeff Martinez" +toc: true +toc_sticky: true +tags: + - dotnet + - windows containers +--- + +Managed identities offer a way to secure communications between Azure resources without having to manage any credentials. The following are the steps to enable system-assigned identity when pulling from Azure Container Registry (ACR) with the use of a Windows container application. + +### Prerequisites + +1. [Azure CLI version](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest) ≥ 6.XX to configure your resources. If you don't want to install the Azure CLI locally, you can use the [Azure Cloud Shell](https://learn.microsoft.com/en-us/azure/cloud-shell/get-started/classic?tabs=azurecli) +2. A containerized .NET web app published to Azure Container Registry + +### Assign an identity to your app + +Using the `az cli` commands below, assign the system-assigned identity to your application. You will need the following information: + +1. Resource group name: +2. Web app name: + +```powershell +az webapp create --resource-group --name --container-image-name myacr.azurecr.io/myimage:mytag --assign-identity [system] --acr-use-identity --acr-identity [system] +``` + +This command will return a json output that shows all your configuration settings. You will also notice the identity “type” is set to “SystemAssigned” in the returned output. + +Now that the identity is assigned, we can grab the principal and registry Id's to use in creating the role assignment. Run the following commands to query and store the necessary Id's: + +1. Principal identity Id + +```powershell +Principal_Id=$(az webapp identity show -g -p -n --query principalId --output tsv) +``` + +1. 
Registry resource Id + +```powershell +Registry_Id=$(az acr show -g -n --query id --output tsv) +``` + +### Create role assignment + +Once the Id's are queried and stored, you can create the role assignment to pull from ACR. + +Run the following command to create the role assignment: + +```powershell +az role assignment create --assignee --scope --role "AcrPull" +``` + +Once ran, the output will include a json of the identity parameters and their values. You can also check your enabled access in the Azure portal by going to the registry resource: + +1. Navigate to the Access control (IAM) blade on the left side +2. Click on the Role assignments tab +3. Search for your app name used in the previous cli commands + +You should see your app resource with a role of “AcrPull”. Now that this is set, you are ready to pull images from a container registry using System-assigned Managed Identity. From c3b47293a8afae726f84d19e4c3f7e0ae7731443 Mon Sep 17 00:00:00 2001 From: Jeff Martinez Date: Fri, 13 Sep 2024 16:32:05 -0700 Subject: [PATCH 2/3] update edits --- ...-Managed-Identity-using-Windows-containers.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/_posts/2024-9-17-How-to-pull-from-ACR-with-Managed-Identity-using-Windows-containers.md b/_posts/2024-9-17-How-to-pull-from-ACR-with-Managed-Identity-using-Windows-containers.md index b1a5b648c..706a5f4b0 100644 --- a/_posts/2024-9-17-How-to-pull-from-ACR-with-Managed-Identity-using-Windows-containers.md +++ b/_posts/2024-9-17-How-to-pull-from-ACR-with-Managed-Identity-using-Windows-containers.md 
@@ -8,19 +8,19 @@ tags: - windows containers --- -Managed identities offer a way to secure communications between Azure resources without having to manage any credentials. The following are the steps to enable system-assigned identity when pulling from Azure Container Registry (ACR) with the use of a Windows container application. +Managed identities offer a way to secure communications between Azure resources without having to manage any credentials. The following are the steps to enable **system-assigned** identity when pulling from Azure Container Registry (ACR) with the use of a Windows container application. ### Prerequisites -1. [Azure CLI version](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest) ≥ 6.XX to configure your resources. If you don't want to install the Azure CLI locally, you can use the [Azure Cloud Shell](https://learn.microsoft.com/en-us/azure/cloud-shell/get-started/classic?tabs=azurecli) +1. [Azure CLI version](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest) (version 2.6.3 or above) to configure your resources. If you don't want to install the Azure CLI locally, you can use the [Azure Cloud Shell](https://learn.microsoft.com/en-us/azure/cloud-shell/get-started/classic?tabs=azurecli) 2. A containerized .NET web app published to Azure Container Registry ### Assign an identity to your app -Using the `az cli` commands below, assign the system-assigned identity to your application. You will need the following information: +Using the `az` commands below, assign the system-assigned identity to your application. You will need the following information: -1. Resource group name: -2. Web app name: +1. Resource group name: "groupName" +2. Web app name: "appName" ```powershell az webapp create --resource-group --name --container-image-name myacr.azurecr.io/myimage:mytag --assign-identity [system] --acr-use-identity --acr-identity [system] 
@@ -30,13 +30,13 @@ This command will return a json output that shows all your configuration setting Now that the identity is assigned, we can grab the principal and registry Id's to use in creating the role assignment. Run the following commands to query and store the necessary Id's: -1. Principal identity Id +#### Principal identity Id ```powershell Principal_Id=$(az webapp identity show -g -p -n --query principalId --output tsv) ``` -1. Registry resource Id +#### Registry resource Id ```powershell Registry_Id=$(az acr show -g -n --query id --output tsv) @@ -49,7 +49,7 @@ Once the Id's are queried and stored, you can create the role assignment to pull Run the following command to create the role assignment: ```powershell -az role assignment create --assignee --scope --role "AcrPull" +az role assignment create --assignee $Principal_Id --scope $Registry_Id --role "AcrPull" ``` Once ran, the output will include a json of the identity parameters and their values. You can also check your enabled access in the Azure portal by going to the registry resource: From d16a4a82b3c9c13c506e98b6129f57bc9ce9fe2a Mon Sep 17 00:00:00 2001 From: Jeff Martinez Date: Tue, 17 Sep 2024 10:10:15 -0700 Subject: [PATCH 3/3] clarify registry settings --- ...l-from-ACR-with-Managed-Identity-using-Windows-containers.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2024-9-17-How-to-pull-from-ACR-with-Managed-Identity-using-Windows-containers.md b/_posts/2024-9-17-How-to-pull-from-ACR-with-Managed-Identity-using-Windows-containers.md index 706a5f4b0..7df6d7e36 100644 --- a/_posts/2024-9-17-How-to-pull-from-ACR-with-Managed-Identity-using-Windows-containers.md +++ b/_posts/2024-9-17-How-to-pull-from-ACR-with-Managed-Identity-using-Windows-containers.md 
@@ -26,7 +26,7 @@ Using the `az` commands below, assign the system-assigned identity to your appli az webapp create --resource-group --name --container-image-name myacr.azurecr.io/myimage:mytag --assign-identity [system] --acr-use-identity --acr-identity [system] ``` -This command will return a json output that shows all your configuration settings. You will also notice the identity “type” is set to “SystemAssigned” in the returned output. +This command will return a json output that shows all your configuration settings. You will also notice the identity “type” is set to “SystemAssigned” in the returned output. From here, you can also view your updated registry settings in the Azure portal Deployment Center of your Web App resource. Now that the identity is assigned, we can grab the principal and registry Id's to use in creating the role assignment. Run the following commands to query and store the necessary Id's:
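Review bot: in PATCH 1/3 (hunk `@@ -0,0 +1,61 @@`), every CLI example ships with flags that have no values: `az webapp create --resource-group --name`, `az webapp identity show -g -p -n`, `az acr show -g -n` and `az role assignment create --assignee --scope`; copied as written they fail to parse, and the list meant to supply them ("1. Resource group name:", "2. Web app name:") is empty too. Suggest putting named placeholders in both the list and the commands, e.g. `--resource-group <groupName> --name <appName>`. Two smaller points in the same hunk: "≥ 6.XX" is not a real Azure CLI version, so state the actual minimum, and the two numbered items before the `Principal_Id` and `Registry_Id` blocks are both "1.".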
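Review bot: in PATCH 2/3 (hunk `@@ -8,19 +8,19 @@`), the list now gives "groupName" and "appName", but the `az webapp create` line in the trailing context still reads `--resource-group --name` with nothing after either flag, so the values the list introduces are never used; suggest `--resource-group groupName --name appName` here, and the same fill-in for the later `-g -p -n` and `-g -n` invocations, which are untouched by this patch.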
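Review bot: in PATCH 2/3 (hunk `@@ -49,7 +49,7 @@`), `--assignee $Principal_Id --scope $Registry_Id` assumes those variables exist, but the capture blocks above set them with `Principal_Id=$(az ...)` inside ```powershell fences; that is bash syntax and does not create a variable in PowerShell, so both expansions are empty and the role assignment fails. Either tag the capture fences `bash` or write them as `$Principal_Id = az webapp identity show ... --query principalId --output tsv`. Scoping AcrPull to `$Registry_Id` is the right least-privilege choice (the registry rather than the resource group or subscription) and deserves a sentence in the prose; also "Once ran" should read "Once run".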
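Review bot: in PATCH 3/3 (hunk `@@ -26,7 +26,7 @@`), the added sentence sends readers to the Deployment Center to confirm the registry settings, but the `az webapp create` context line directly above still has `--resource-group --name` with no values after three revisions; since this change touches the same paragraph, fill in `groupName` and `appName` here so the command readers are told to verify is one that actually runs.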