Azure Web App for Containers: Pulling a Container Image from ACR Without Exposing Credentials

Published 06-07-2021 12:00 AM
Microsoft

 

Hello dear readers! My name is Daniel Ribeiro and I am a Customer Engineer working with Microsoft Mission Critical Team (SfMC).

 

The Problem 

A customer of mine recently reported that when deploying a container using the Azure Web App, the Azure Container Registry (ACR) credentials were exposed in the environment variables of the web app.  

Take a look at the image below! As we can see, the ACR user and password are stored as environment variables.  

 


 

At this point you might think: just enable managed identity for the web app, grant it permissions on the ACR and remove the credentials from the variables!

That makes perfect sense. However, Azure Web App for Containers currently can't use its managed identity to authenticate with Azure Container Registry when pulling a container image to deploy the container resource itself.

 

The Solution

To solve this issue and prevent ACR credentials from being exposed in the Web App variables, we created a Service Principal (SP), assigned the SP to the ACR and stored the SP credentials in Azure Key Vault.

 

How to set up Web App to use SP during authentication in ACR? 

  1. Create a Service Principal:  
    az ad sp create-for-rbac --name AppServicePullACR 

    NOTE: The command above returns a Client ID and Secret; save both of them.

  2. Give the Web App identity (Service Principal) access to pull from ACR:
    az role assignment create --assignee $ServicePrincipalClientID --scope /subscriptions/$YourSubID/resourceGroups/$RegistryResourceGroup/providers/Microsoft.ContainerRegistry/registries/$RegistryName --role "AcrPull"
  3. Save the SP credentials in Azure Key Vault:
    1. Create a key vault by following the Key Vault quickstart.
    2. Create a system-assigned managed identity for your web app.
    3. Create an access policy in Key Vault for the application identity you created earlier.
    4. Enable the "Get" secret permission on this policy.
    5. Save the Service Principal password (secret) in the Key Vault as a Secret.
  4. Change the variable "DOCKER_REGISTRY_SERVER_PASSWORD" on the Web App to point to the Key Vault, using the following syntax:
    @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/)
    Also change the variable "DOCKER_REGISTRY_SERVER_USERNAME" and point it to the Service Principal Client ID.

     

  5. Disable the Admin account on Azure Container Registry: 
    az acr update -n <acrName> --admin-enabled false 
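
A check for the result of steps 4 and 5, as an added example that is not part of the original article: it reads the JSON printed by `az webapp config appsettings list` (and optionally `az acr show`) and reports whether the registry password is still a literal value, a malformed reference, or a well-formed Key Vault reference. The function names, finding codes and all sample values are constructed for illustration.

```python
import json
import re
from urllib.parse import urlparse

PASSWORD_SETTING = "DOCKER_REGISTRY_SERVER_PASSWORD"
USERNAME_SETTING = "DOCKER_REGISTRY_SERVER_USERNAME"

_REFERENCE = re.compile(r"^@Microsoft\.KeyVault\((.+)\)$")
_GUID = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def parse_keyvault_reference(value):
    """Return {'vault', 'secret', 'version'} for a well-formed reference, else None."""
    match = _REFERENCE.match(value.strip())
    if not match:
        return None
    body = match.group(1)
    if body.startswith("SecretUri="):
        url = urlparse(body[len("SecretUri="):])
        parts = [p for p in url.path.split("/") if p]
        if url.scheme != "https" or not url.hostname:
            return None
        if len(parts) not in (2, 3) or parts[0] != "secrets":
            return None
        return {"vault": url.hostname.split(".")[0], "secret": parts[1],
                "version": parts[2] if len(parts) == 3 else None}
    # Alternate form: VaultName=...;SecretName=...[;SecretVersion=...]
    fields = dict(item.split("=", 1) for item in body.split(";") if "=" in item)
    if fields.get("VaultName") and fields.get("SecretName"):
        return {"vault": fields["VaultName"], "secret": fields["SecretName"],
                "version": fields.get("SecretVersion")}
    return None


def audit_registry_settings(appsettings_json, acr_json=None):
    """Return (code, detail) findings; an empty list means nothing was flagged."""
    settings = {s["name"]: (s.get("value") or "")
                for s in json.loads(appsettings_json)}
    findings = []

    password = settings.get(PASSWORD_SETTING)
    if password is None:
        findings.append(("PASSWORD_MISSING", PASSWORD_SETTING + " is not set"))
    elif parse_keyvault_reference(password) is None:
        if "KeyVault(" in password:
            findings.append(("REFERENCE_MALFORMED",
                             "value resembles a Key Vault reference but does not parse"))
        else:
            # Report the fact only; never copy the value into a log or report.
            findings.append(("PASSWORD_LITERAL",
                             "registry password is stored as a plain app setting"))

    # A service principal client ID is a GUID; the ACR admin user is not.
    if not _GUID.match(settings.get(USERNAME_SETTING, "")):
        findings.append(("USERNAME_NOT_CLIENT_ID",
                         USERNAME_SETTING + " is not a service principal client ID"))

    if acr_json is not None and json.loads(acr_json).get("adminUserEnabled"):
        findings.append(("ACR_ADMIN_ENABLED", "registry admin account is still enabled"))
    return findings


# Constructed sample inputs, shaped like the az CLI JSON output.
BEFORE = json.dumps([
    {"name": USERNAME_SETTING, "slotSetting": False, "value": "myregistry"},
    {"name": PASSWORD_SETTING, "slotSetting": False,
     "value": "constructed-not-a-real-password"},
])
AFTER = json.dumps([
    {"name": USERNAME_SETTING, "slotSetting": False,
     "value": "11111111-2222-3333-4444-555555555555"},
    {"name": PASSWORD_SETTING, "slotSetting": False,
     "value": "@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/)"},
])
# Same as AFTER, but the reference lacks the "@Microsoft." prefix.
MALFORMED = AFTER.replace("@Microsoft.KeyVault(", "KeyVault(")
ACR_ADMIN_ON = json.dumps({"name": "myregistry", "adminUserEnabled": True})
ACR_ADMIN_OFF = json.dumps({"name": "myregistry", "adminUserEnabled": False})

if __name__ == "__main__":
    for label, apps, acr in (("before", BEFORE, ACR_ADMIN_ON),
                             ("after", AFTER, ACR_ADMIN_OFF),
                             ("malformed", MALFORMED, ACR_ADMIN_OFF)):
        print(label, audit_registry_settings(apps, acr) or "no findings")
```
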

 

Conclusion 

As we saw in this article, managed identity to pull images from ACR is not yet available for Azure App Services, so using a Service Principal can help increase the security of the environment and avoid exposing credentials in the web app variables.

Thank you for reading! I hope this can be useful. 

 

Disclaimer
The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.

 

2 Comments
Occasional Visitor

@daribei - Could you let me know the importance of disabling the admin account on ACR? Because other than that point, I tried all the remaining steps last month and my containerized web app did not show any image list in the dropdown upon ACR selection from the dropdown.

Microsoft

@cnooney, admin account is required only for some scenarios, for example: deploy a container through Azure Portal. 

In a production environment you can use some other authentication strategy, for example: service principal. 

Admin Account is recommended for testing purposes only. 

crosoft%20standard%20support%20program%20or%20service.%20The%20sample%20scripts%20are%20provided%20AS%20IS%20without%20warranty%20of%20any%20kind.%20Microsoft%20further%20disclaims%20all%20implied%20warranties%20including%2C%20without%20limitation%2C%20any%20implied%20warranties%20of%20merchantability%20or%20of%20fitness%20for%20a%20particular%20purpose.%20The%20entire%20risk%20arising%20out%20of%20the%20use%20or%20performance%20of%20the%20sample%20scripts%20and%20documentation%20remains%20with%20you.%20In%20no%20event%20shall%20Microsoft%2C%20its%20authors%2C%20or%20anyone%20else%20involved%20in%20the%20creation%2C%20production%2C%20or%20delivery%20of%20the%20scripts%20be%20liable%20for%20any%20damages%20whatsoever%20(including%2C%20without%20limitation%2C%20damages%20for%20loss%20of%20business%20profits%2C%20business%20interruption%2C%20loss%20of%20business%20information%2C%20or%20other%20pecuniary%20loss)%20arising%20out%20of%20the%20use%20of%20or%20inability%20to%20use%20the%20sample%20scripts%20or%20documentation%2C%20even%20if%20Microsoft%20has%20been%20advised%20of%20the%20possibility%20of%20such%20damages.%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2417418%22%20slang%3D%22en-US%22%3E%3CP%3ESecurity%20is%20never%20too%20much%2C%20isn't%20it%3F%3CBR%20%2F%3EIn%20this%20article%20I%20explain%20how%20to%20pull%20a%20Container%20Image%20from%20ACR%20without%20exposing%20credentials%20using%20Azure%20Key%20Vault.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2417418%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EDanielRibeiro%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2436728%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Web%20App%20for%20Containers%3A%20Pulling%20a%20Container%20Image%20from%20ACR%20Without%20Exposing%20Credentials%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2436728%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity
.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1075846%22%20target%3D%22_blank%22%3E%40cnooney%3C%2FA%3E%2C%20admin%20account%20is%20required%20only%20for%20some%20scenarios%2C%20for%20example%3A%20deploy%20a%20container%20through%20Azure%20Portal.%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20a%20production%20environment%20you%20can%20use%20some%20other%20authentication%20strategy%2C%20for%20example%3A%20service%20principal.%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAdmin%20Account%20is%20recommended%20for%20testing%20purposes%20only.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
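A check for the end state the article's steps aim at, as an added example that is not part of the original post: it reads the JSON printed by `az webapp config appsettings list` and `az acr show` and reports registry credentials stored as literal values, or a registry whose admin account is not disabled. The `DOCKER_REGISTRY_SERVER_*` names are the app settings App Service uses for registry login; the vault, registry and secret names in the sample JSON are constructed.

```python
import json
import re

# The two Key Vault reference forms App Service accepts in an app setting.
KV_REF = re.compile(
    r"^@Microsoft\.KeyVault\((SecretUri=https://[^)]+"
    r"|VaultName=[^;)]+;SecretName=[^;)]+(;SecretVersion=[^;)]+)?)\)$")
# App settings that hold the registry login for Web App for Containers.
CRED_SETTINGS = ("DOCKER_REGISTRY_SERVER_USERNAME", "DOCKER_REGISTRY_SERVER_PASSWORD")


def audit(appsettings_json, acr_json):
    """Return findings; an empty list means both hardening steps are in place."""
    findings = []
    settings = {s["name"]: (s.get("value") or "") for s in json.loads(appsettings_json)}
    for name in CRED_SETTINGS:
        # An absent setting is not reported: nothing is exposed by it.
        if name in settings and not KV_REF.match(settings[name].strip()):
            findings.append(f"{name}: literal value, not a Key Vault reference")
    acr = json.loads(acr_json)
    # Anything other than an explicit false is treated as not hardened.
    if acr.get("adminUserEnabled") is not False:
        findings.append(f"{acr.get('name', '<registry>')}: admin account not disabled")
    return findings


# Constructed sample data (hypothetical names, no real secrets).
KV = "@Microsoft.KeyVault(SecretUri=https://example-kv.vault.azure.net/secrets/{}/)"
BEFORE_SETTINGS = json.dumps([
    {"name": "DOCKER_REGISTRY_SERVER_URL", "value": "https://exampleacr.azurecr.io"},
    {"name": "DOCKER_REGISTRY_SERVER_USERNAME", "value": "exampleacr"},
    {"name": "DOCKER_REGISTRY_SERVER_PASSWORD", "value": "constructed-not-a-secret"},
])
AFTER_SETTINGS = json.dumps([
    {"name": "DOCKER_REGISTRY_SERVER_URL", "value": "https://exampleacr.azurecr.io"},
    {"name": "DOCKER_REGISTRY_SERVER_USERNAME", "value": KV.format("acr-sp-id")},
    {"name": "DOCKER_REGISTRY_SERVER_PASSWORD",
     "value": "@Microsoft.KeyVault(VaultName=example-kv;SecretName=acr-sp-secret)"},
])
BEFORE_ACR = json.dumps({"name": "exampleacr", "adminUserEnabled": True})
AFTER_ACR = json.dumps({"name": "exampleacr", "adminUserEnabled": False})

if __name__ == "__main__":
    for label, s, a in (("before", BEFORE_SETTINGS, BEFORE_ACR),
                        ("after", AFTER_SETTINGS, AFTER_ACR)):
        print(label, audit(s, a) or "ok")
```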
Version history
Last update: Jun 10 2021 12:09 PM
Updated by: