Deployed an Azure App Service for Containers with a custom image (from a CentOS 7 base image).
Based on the following documentation, there is an environment variable that should be set by Azure and used for creating the REST API request to obtain an access token:
- IDENTITY_ENDPOINT – the URL to the local token service.
However, when checking inside the container, this variable is not set:
```
[root@f22dfd74be31 ~]# echo $IDENTITY_ENDPOINT
(empty result here)
```
I’ve also tried to invoke az cli, which fails as well:
```
[root@f22dfd74be31 ~]# az login -i
AzureConnectionError: Failed to connect to MSI. Please make sure MSI is configured correctly and check the network connection.
Error detail: HTTPConnectionPool(host='169.254.169.254', port=80): Max retries exceeded with url: /metadata/identity/oauth2/token?resource=https%3A%2F%2Fmanagement.core.windows.net%2F&api-version=2018-02-01 (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f9e0c4c72e8>: Failed to establish a new connection: [Errno 110] Connection timed out',))
```
I’ve successfully used managed identity with both Virtual Machines and App Service (code deployment, not containers). Is it supported with App Service for Containers, with custom containers?
2 Answers
When working with App Service for Containers, the "platform" environment variables, including managed identity and app settings, are only available when the container is initialized. In order to make these variables accessible from the container, the following line must be incorporated in the container startup script (called from Dockerfile ENTRYPOINT):
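One way to carry the platform variables from the startup script into later shells, shown as an added example that is not the answerer's line or Azure's own code. The function names and the output path are hypothetical, and `IDENTITY_HEADER` (the secret header value sent with requests to `IDENTITY_ENDPOINT`) is not mentioned on this page.

```shell
#!/bin/sh
# Added example, not the answerer's code. Call persist_platform_env from the
# startup script the ENTRYPOINT runs, before exec'ing the application.
# Hypothetical names: both functions and the output path. IDENTITY_HEADER is
# the secret header value that accompanies IDENTITY_ENDPOINT (not on the page).

# Single-quote a value so that sourcing the file cannot execute its contents.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# persist_platform_env FILE NAME...
# Writes "export NAME='value'" for each listed variable that is set.
persist_platform_env() {
    out=$1
    shift
    # The file will hold a credential: create it empty, readable by owner only.
    ( umask 077 && : > "$out" ) || return 1
    chmod 600 "$out" || return 1
    for name in "$@"; do
        # Only plain variable names reach eval below.
        case $name in
            '' | [0-9]* | *[!A-Za-z0-9_]*) continue ;;
        esac
        # Skip variables the platform did not inject (identity not enabled).
        eval "is_set=\${$name+x}"
        [ -n "$is_set" ] || continue
        eval "value=\$$name"
        printf 'export %s=%s\n' "$name" "$(sh_quote "$value")" >> "$out"
    done
    return 0
}

# Typical use in the startup script (path is an assumption):
#   persist_platform_env /root/.platform_env IDENTITY_ENDPOINT IDENTITY_HEADER
#   exec "$@"
# and in /root/.bashrc:  [ -r /root/.platform_env ] && . /root/.platform_env
```

Writing a named subset to an owner-only file keeps the identity header away from other users in the container, which dumping the whole environment into a world-readable profile file would not.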
It should support MSI; make sure you enable the MSI like below.
Besides, step 4 in this doc also mentions the CLI command to enable MSI.