Deployed an Azure App Service for Containers with a custom image (from a CentOS 7 base image). Based on the following documentation, there is an environment variable that should be set by Azure and used for creating the REST API request to obtain an access token:

  • IDENTITY_ENDPOINT - the URL to the local token service.

However, when checking inside the container, this variable is not set:

[root@f22dfd74be31 ~]# echo $IDENTITY_ENDPOINT
(empty result here)

I've also tried to invoke az cli, which fails as well:

[root@f22dfd74be31 ~]# az login -i
AzureConnectionError: Failed to connect to MSI. Please make sure MSI is configured correctly and check the network connection. Error detail: HTTPConnectionPool(host='169.254.169.254', port=80): Max retries exceeded with url: /metadata/identity/oauth2/token?resource=https%3A%2F%2Fmanagement.core.windows.net%2F&api-version=2018-02-01 (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f9e0c4c72e8>: Failed to establish a new connection: [Errno 110] Connection timed out',))

I've successfully used managed identity with both Virtual Machines and App Service (code deployment, not containers). Is it supported with App Service for Containers, with custom containers?

  • Yes, supported but not in GA azure.microsoft.com/en-us/blog/… Commented Dec 26, 2020 at 3:52
  • @Sajeetharan that blog post is over two years old ;) I believe it should be GA and working. So you probably should open a support case if possible. Commented Dec 26, 2020 at 11:31
  • Yeah, created a support case. I wanted to check if someone had already implemented it successfully. Another thing I noticed is that setting variables in application settings isn't propagated to an environment variable inside the container. Commented Dec 26, 2020 at 17:30

2 Answers

10

When working with App Service for Containers, the "platform" environment variables, including managed identity and app settings, are only available when the container is initialized. In order to make these variables accessible from the container, the following line must be incorporated in the container startup script (called from the Dockerfile ENTRYPOINT):

eval $(printenv | sed -n "s/^\([^=]\+\)=\(.*\)$/export \1=\2/p" | sed 's/"/\\\"/g' | sed '/=/s//="/' | sed 's/$/"/' >> /etc/profile) 
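A startup helper in the same spirit as the line above, written here as an added example (not the answerer's code): it persists only the managed-identity variables to a profile file with proper quoting, fails when IDENTITY_ENDPOINT is absent (the symptom in the question), and builds the token request the App Service identity endpoint expects. The profile path, the 2019-08-01 api-version and the X-IDENTITY-HEADER header name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer. Helpers for a container
# ENTRYPOINT script on App Service for Containers (managed identity).
# Assumption: the platform sets IDENTITY_ENDPOINT and IDENTITY_HEADER;
# MSI_PROFILE is our own choice of file to source from later shells.

MSI_PROFILE="${MSI_PROFILE:-/tmp/msi_env.sh}"

# Quote a value as a single-quoted shell string: ' becomes '\''
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Write "export NAME='value'" lines for the identity variables only.
# Returns 1 and writes nothing when IDENTITY_ENDPOINT is unset, i.e. the
# platform did not hand the identity endpoint to this container.
persist_identity_env() {
    out="${1:-$MSI_PROFILE}"
    [ -n "$IDENTITY_ENDPOINT" ] || return 1
    : > "$out"
    for name in IDENTITY_ENDPOINT IDENTITY_HEADER; do
        eval "value=\${$name}"
        [ -n "$value" ] || continue
        printf 'export %s=%s\n' "$name" "$(shell_quote "$value")" >> "$out"
    done
}

# Build the token request URL for a resource (assumed api-version 2019-08-01),
# percent-encoding ':' and '/' in the resource identifier.
msi_token_url() {
    enc=$(printf '%s' "$1" | sed 's/:/%3A/g; s,/,%2F,g')
    printf '%s?resource=%s&api-version=2019-08-01' "$IDENTITY_ENDPOINT" "$enc"
}

# Request a token. The X-IDENTITY-HEADER header (assumed name) must carry
# IDENTITY_HEADER; without it the endpoint rejects the call with 400.
msi_token() {
    curl -s -H "X-IDENTITY-HEADER: $IDENTITY_HEADER" "$(msi_token_url "$1")"
}
```

Call `persist_identity_env` once at the top of the ENTRYPOINT script, then `. /tmp/msi_env.sh` in any shell that needs the variables.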

4 Comments

Oh man, this is a lifesaver, spent a few days trying to figure it out and this works perfectly!!
Hey, can you explain exactly where the eval command in the answer should be placed? I have created a run.sh script (used as the ENTRYPOINT in my Dockerfile) with the first line being the command above and the next line being my executable launch command. Is this correct? It doesn't seem to solve the 400 error from the /msi/token endpoint for me.
It seems to be available automatically now, only if the app service has a managed identity assigned to it.
Do you have any link to official documentation or any other related documentation that explains this workaround?
0

It should support MSI; make sure you enable MSI as shown below.

Besides, step 4 in this doc also mentions the CLI command to enable MSI.

az webapp identity assign --resource-group AppSvc-DockerTutorial-rg --name <app-name> --query principalId --output tsv 

1 Comment

As it says in the question, I have configured MI in the past with both Virtual Machines and App Service (code), so I know how to set system and user managed identity. The issue is that the IDENTITY_ENDPOINT environment variable is not exported inside the custom container. It is also listed on the Environment tab of Advanced Tools (Kudu), but again not propagated inside the container.
