Allow Creation of Azure Containerapp Job even when create_acrpull_role_assignment fails #28935

Open
glM26 opened this issue May 10, 2024 · 1 comment
Labels
Auto-Assign Auto assign by bot ContainerApp customer-reported Issues that are reported by GitHub users external to the Azure organization. Service Attention This issue is responsible by Azure service team.

glM26 commented May 10, 2024

Related command
az containerapp job create -n mycontainerappsjob -g rg --trigger-type Manual --parallelism 1 \
  --image "myacr.azurecr.io/my-image:latest" --mi-user-assigned identity \
  --registry-server myacr.azurecr.io \
  --replica-timeout 1800 --replica-retry-limit 1 --environment my-env --replica-completion-count 1 \
  --registry-identity identity

Is your feature request related to a problem? Please describe.
We have already assigned the ACR Pull role to the managed identity (using another user with higher privileges).
Now we want to execute the above command to create a Containerapp Job using the managed identity to pull the image from ACR.
The user we execute the above command with does not have permissions to view assigned roles or assign roles for the managed identity.
So although the managed identity already has the ACR Pull role, the "az containerapp job create" fails, because it tries to assign the role:
https://github.com/Azure/azure-cli/blob/dev/src/azure-cli/azure/cli/command_modules/containerapp/_utils.py#L1656

Failed to query identity-id by invoking Graph API. If you don't have permission to query Graph API, please specify --assignee-object-id and --assignee-principal-type.

Describe the solution you'd like
I was able to make the command work by manually removing the line https://github.com/Azure/azure-cli/blob/dev/src/azure-cli/azure/cli/command_modules/containerapp/_utils.py#L1656 from my local installation.
Maybe ignore errors during create_acrpull_role_assignment or add an option to not assign the ACR Pull role during creation of the containerapp job.

Describe alternatives you've considered
For Containerapps (not jobs), I was able to proceed in two steps, as outlined in https://learn.microsoft.com/en-us/azure/container-apps/managed-identity-image-pull?tabs=azure-cli&pivots=azure-portal

  • Create the Containerapp with a public sample image
  • Use az containerapp registry to change the registry to our internal registry using the managed identity (this apparently does not try to create the role assignment)

Unfortunately az containerapp registry is not available for jobs.

@microsoft-github-policy-service microsoft-github-policy-service bot added customer-reported Issues that are reported by GitHub users external to the Azure organization. Auto-Assign Auto assign by bot ContainerApp Service Attention This issue is responsible by Azure service team. labels May 10, 2024
Collaborator

yonzhan commented May 10, 2024

Thank you for opening this issue, we will look into it.
