Can't get Docker Container username and password from ContainersRegistry

[tom-murnane]

First off, very new to azure. We've created a container registry in its own resource group to house a couple of Docker images of a couple of simple web apps. I can't for the life of me get the creds within the bicep file. The admin user is enabled and If I put in the hard-coded username and one of the passwords, everything works fine.

I've tried the following:

resource acr 'Microsoft.ContainerRegistry/registries@2020-11-01-preview' existing = {
  name: containerRegistryName
  scope: resourceGroup(containerResourceGroup)
}

resource WebSite 'Microsoft.Web/sites@2018-11-01' = {
  name: siteName
  location: location
  kind: 'app,container,windows'
  properties: {
    enabled: true
    hostNameSslStates: [
      {
        name: '${siteName}.azurewebsites.net'
        sslState: 'Disabled'
        hostType: 'Standard'
      }
      {
        name: '${siteName}.scm.azurewebsites.net'
        sslState: 'Disabled'
        hostType: 'Repository'
      }
    ]
    serverFarmId: appServicePlanID
    siteConfig: {
      appSettings: [
        {
          name: 'DOCKER_ENABLE_CI'
          value: 'true'
        }
        {
          name: 'DOCKER_REGISTRY_SERVER_URL'
          value: acr.properties.loginServer
        }
        {
          name: 'DOCKER_REGISTRY_SERVER_USERNAME'
          value: acr.name
        }
        {
          name: 'DOCKER_REGISTRY_SERVER_PASSWORD'
          value: listCredentials(acr.id, acr.apiVersion).passwords[0].value
        }
        {
          name: 'WEBSITES_ENABLE_APP_SERVICE_STORAGE'
          value: 'true'
        }
      ]
      windowsFxVersion: 'DOCKER|${containerRegistryName}.azurecr.io/${dockerImageName}:${dockerImageTag}'      
    }
  }
}

I'm running this in VS code in cmdline:

PS> az deployment sub create -f ./main.bicep -l eastus

and it throws the following error:
"code": "AccessToContainerRegistryDenied",
"message": "Access is denied."

I have the role of "owner", is there something I'm missing. There's a lot more going on with this deployment but as I said, I have to hardcode the password to get this website to work.

Regards,
T

[alex-frankel]

Can you confirm a few things:

1. the DOCKER_REGISTRY_SERVER_USERNAME is the same as the resource name itself (acr.name)
2. the value retrieved from listCredentials is the ones you are expecting. I'd recommend dumping the value out in a local deployment

...
output credentials object = acr.listCredentials() // this is a new way of calling list* functions that we just shipped

[tom-murnane]

Thanks for the reply, Alex. So yes, we have a separate resource group for containers and basically using the company name for the following: container name, registry name, and username.

If you read my first reply, I figured out how to output in main, I was thinking it was going to show in my output when dumping from the module. I needed to dump it from main.

Having said that...the credentials show the correct values for the username and passwords!

[tom-murnane]

Ok - this has really been driving me crazy. Whenever I try and use the listCredentials() within the Website resource to my Container Registry I get Access Denied.

When using

        {
          name: 'DOCKER_REGISTRY_SERVER_URL'          
          value: acr.properties.loginServer  --> throws "ContainerRegistryBaseUrl is invalid."
        }

then changing it to:

        {
          name: 'DOCKER_REGISTRY_SERVER_URL'          
          value: 'https://${containerRegistryName}.azurecr.io' --> no longer invalid URL
        }
        {
          name: 'DOCKER_REGISTRY_SERVER_USERNAME'          
          value: acr.listCredentials().username --> Now throwing "Access Denied"
        }
        {
          name: 'DOCKER_REGISTRY_SERVER_PASSWORD'          
          value: acr.listCredentials().passwords[0].value
        }

// Once I hardcode the Username and Password, these outputs output the same values:

output credentials object = acr.listCredentials()

output url string = acr.properties.loginServer
output uname string = acr.listCredentials().username
output password string = acr.listCredentials().passwords[0].value

Does it have anything to do with the API versions? Is there an issue trying to reference the acr in another ResourceGroup from the website? Have no idea. I gotta be doing something wrong.

Here are the outputs in the portal after hardcoding the username and password:

[brwilkinson]

I looked at your original configurations and they all look good to me.

I can confirm that I have this configuration that has the same settings as yours, which I can confirm works for me.

https://github.com/brwilkinson/AzureDeploymentFramework/blob/73df5f8f1dfc32415ca6d5051512edb7348a52b6/ADF/bicep/AppServiceContainer.bicep#L116

I haven't updated to the new syntax as yet.

I guess you should update your web sites api to 'Microsoft.Web/sites@2021-01-01', since it looks like you are using an old version 'Microsoft.Web/sites@2018-11-01'

[tom-murnane]

Ok - so it appears the only way I could get this to work is if I created the params in my main.bicep and pass in the parameters to my deployWebsite.bicep. I know in my original question and follow up I had the wrong value for DOCKER_REGISTRY_SERVER_URL, I had it as 'acr.properties.loginServer', that needed to be 'https://${acr.properties.loginServer}' but I tried that too, and even if I only hardcoded the url, still got invalid access

// main.bicep

resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' existing = {
  name: containerRegistryName
  scope: resourceGroup(containerResourceGroup)
}

module sd 'DeployWebSite.bicep' = [for image in DockerImages: {
  name: '${image.name}-deploysite'
  scope: rg
  params: {
    siteName: '${deploymentName}-${image.name}'
    containerRegistryName: containerRegistryName
    DockerImageName: image.name
    DockerImageTag: image.tag

    AppServicePlanID: asp.outputs.AppServicePlanID
    StorageAccountName: cs.outputs.storageAccountName
    FileShareName: cs.outputs.fileShareName

    acrUrl:acr.properties.loginServer
    acrPassword: acr.listCredentials().passwords[0].value
    acrUsername: acr.listCredentials().username
  }
}]

//---------------------------------------------------------------------------

//deployWebsite.bicep

      appSettings: [
        {
          name: 'DOCKER_REGISTRY_SERVER_URL'
          value: 'https://${acrUrl}'
        }
        {
          name: 'DOCKER_REGISTRY_SERVER_USERNAME'
          value: acrUsername
        }
        {
          name: 'DOCKER_REGISTRY_SERVER_PASSWORD'
          value: acrPassword
        }
        {
          name: 'WEBSITES_ENABLE_APP_SERVICE_STORAGE'
          value: 'true'
        }
      ]

[alex-frankel]

@naveedaziz -- any idea why the credentials for this ACR reference only works when the username and password are passed in as secure values? Seems nothing else is different between the working code sample and the others.

[tom-murnane]

Let me know if there is anything else you would like from me.

If this matters -
Main has:

• targetScope = Subscription
• creates resourceGroup
• runs modules for vnet, storage, and websites all scoped to resourceGroup

[johnnyreilly]

I'm not sure this is totally what you're after, but you may find some useful pointers from @jamiemccrindle's post here: https://foldr.uk/azure-bicep-app-service-custom-container

[tom-murnane]

Thanks for sharing John, great stuff. If you look at my original issue and my resolution, it is pretty much just as you have it. I was trying to resolve the username/pw from the container registry from within my module but that didn't seem to work. Once I resolved them in main and passed them to the module it worked...that's what you have as well.
Regards,
Tom