I am having trouble setting the Registry Identity when creating a Web App using Bicep.
When I do it manually in the Azure UI it works, but I want to do it with Bicep.
I thought that this section should do the trick, but for some reason it is not assigning it.
Do you have any idea what the proper syntax is?
properties: {
  serverFarmId: appServicePlan.id
  httpsOnly: true
  siteConfig: {
    linuxFxVersion: 'DOTNETCORE|8.0'
    acrUseManagedIdentityCreds: true // --this is new to test the managed identity
    acrUserManagedIdentityID: managedIdentity.id
  }
}
Here is my "full" bicep script:
var appServicePlanName = '${environmentName}-${solutionName}-plan'
var appServiceAppName = '${environmentName}-${solutionName}-app'
var sqlServerName = '${environmentName}-${solutionName}-sql'
var sqlDatabaseName = 'dis-${environmentName}'
var managedIdentityName = '${environmentName}-${solutionName}-mi'

resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: managedIdentityName
  location: location
}

resource sqlServer 'Microsoft.Sql/servers@2023-08-01-preview' = {
  name: sqlServerName
  location: location
  properties: {
    administratorLogin: sqlServerLogin
    administratorLoginPassword: sqlServerPassword
  }
}

resource allowAccessToAzureServices 'Microsoft.Sql/servers/firewallRules@2023-08-01-preview' = {
  parent: sqlServer
  name: 'AllowAccessToAzureServices'
  properties: {
    startIpAddress: '0.0.0.0'
    endIpAddress: '0.0.0.0'
  }
}

resource sqlDatabase 'Microsoft.Sql/servers/databases@2023-08-01-preview' = {
  parent: sqlServer
  name: sqlDatabaseName
  location: location
  sku: {
    name: sqlDatabaseSku.name
    tier: sqlDatabaseSku.tier
  }
}

resource appServicePlan 'Microsoft.Web/serverfarms@2023-01-01' = {
  name: appServicePlanName
  location: location
  sku: {
    name: appServicePlanSku.name
    tier: appServicePlanSku.tier
    capacity: appServicePlanInstanceCount
  }
  kind: 'linux'
  properties: {
    reserved: true
  }
}

resource appServiceApp 'Microsoft.Web/sites@2023-01-01' = {
  name: appServiceAppName
  location: location
  kind: 'app,linux,container'
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${managedIdentity.id}': {}
    }
  }
  properties: {
    serverFarmId: appServicePlan.id
    httpsOnly: true
    siteConfig: {
      linuxFxVersion: 'DOTNETCORE|8.0'
      acrUseManagedIdentityCreds: true // --this is new to test the managed identity
      acrUserManagedIdentityID: managedIdentity.id
    }
  }
}

resource logs 'Microsoft.Web/sites/config@2023-01-01' = {
  name: 'logs'
  parent: appServiceApp
  properties: {
    applicationLogs: {
      fileSystem: { level: 'Verbose' }
    }
    detailedErrorMessages: { enabled: true }
    httpLogs: {
      fileSystem: { retentionInDays: 7, enabled: true }
    }
  }
}
Here is an example of manually setting the identity in the UI:
2 Answers
The Bicep template is specifying a runtime stack, which configures your App Service for code-based deployment:
linuxFxVersion: 'DOTNETCORE|8.0'
From your screenshot, it looks like you want to use container-based deployment instead. To do that the Bicep template would need to reference a valid image in an Azure Container Registry:
linuxFxVersion: 'DOCKER|${yourRegistryName}.azurecr.io/myimage:latest'
To access the container image, the user-managed identity assigned to the App Service would need RBAC on the registry – likely the acrPull permission. The identity can be assigned that permission before creating the App Service.
linuxFxVersion also needs to be modified. Here is example 1 and here is example 2.
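
Putting the answers above together, as an added example that is not part of the original posts: a Bicep template that grants the user-assigned identity the built-in AcrPull role on an existing registry and points the Web App at a container image from it. The parameter names (acrName, image, appName, identityName, planId) are assumptions, and the example passes the identity's client ID to acrUserManagedIdentityID, which is what the ARM schema description for that property asks for.

```bicep
// Added example, not from the original posts. All param names are assumptions.
param location string = resourceGroup().location
param acrName string       // existing registry in this resource group
param image string         // repository and tag, e.g. 'myimage:latest'
param appName string
param identityName string
param planId string        // resource ID of an existing Linux App Service plan
// Built-in AcrPull role definition: pull only, no push or delete.
var acrPullRoleId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')

resource acr 'Microsoft.ContainerRegistry/registries@2023-07-01' existing = {
  name: acrName
}

resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: identityName
  location: location
}

// Scope the assignment to the one registry rather than the resource group.
resource acrPull 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(acr.id, managedIdentity.id, acrPullRoleId)
  scope: acr
  properties: {
    roleDefinitionId: acrPullRoleId
    principalId: managedIdentity.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

resource appServiceApp 'Microsoft.Web/sites@2023-01-01' = {
  name: appName
  location: location
  kind: 'app,linux,container'
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: { '${managedIdentity.id}': {} }
  }
  properties: {
    serverFarmId: planId
    httpsOnly: true
    siteConfig: {
      linuxFxVersion: 'DOCKER|${acr.properties.loginServer}/${image}'
      acrUseManagedIdentityCreds: true
      acrUserManagedIdentityID: managedIdentity.properties.clientId // client ID, not resource ID
    }
  }
  dependsOn: [ acrPull ]
}
```

The explicit dependsOn makes the role assignment exist before the site is created, so the first image pull is attempted with the permission already in place.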