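I want to create an Azure container app that pulls its image from an existing Azure container registry located in a different subscription.
My main Bicep:
- Creates a user-assigned managed identity
- Grants the managed identity the AcrPull RBAC role on the container registry
- Creates the container app, assigning it the user-assigned managed identity (I dependsOn the role assignment above).
My problem is that it gives the following error: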
```
"code": "InvalidParameterValueInContainerTemplate",
"message": "The following field(s) are either invalid or missing. Field 'template.containers.capp-devops-shared-001.image' is invalid with details: 'Invalid value: \"crbicepregistryprod001.azurecr.io/devops-agent:latest\": GET https:?scope=repository%3Adevops-agent%3Apull&service=crbicepregistryprod001.azurecr.io: UNAUTHORIZED: authentication required, visit https://aka.ms/acr/authorization for more information.';."
```
Here is my main.bicep:
```bicep
@description('Specifies the location for all resources.')
param location string = resourceGroup().location

param tags object = contains(resourceGroup(), 'tags') ? resourceGroup().tags : {}

@description('Specifies the docker container image to deploy.')
param containerImage string = 'crbicepregistryprod001.azurecr.io/devops-agent:latest'

@description('Specifies the container port.')
param targetPort int = 80

@description('Number of CPU cores the container can use. Can be with a maximum of two decimals.')
@allowed([
  '0.25'
  '0.5'
  '0.75'
  '1'
  '1.25'
  '1.5'
  '1.75'
  '2'
])
param cpuCore string = '0.25'

@description('Amount of memory (in gibibytes, GiB) allocated to the container up to 4GiB. Can be with a maximum of two decimals. Ratio with CPU cores must be equal to 2.')
@allowed([
  '0.5'
  '1'
  '1.5'
  '2'
  '3'
  '3.5'
  '4'
])
param memorySize string = '0.5'

@description('Minimum number of replicas that will be deployed')
@minValue(0)
@maxValue(25)
param minReplicas int = 1

@description('Maximum number of replicas that will be deployed')
@minValue(0)
@maxValue(25)
param maxReplicas int = 3

var baseResourceName = replace(resourceGroup().name, 'rg-', '')
var logAnalyticsName = 'log-${baseResourceName}'
var containerAppName = 'capp-${baseResourceName}'
var containerAppEnvName = 'cappenv-${baseResourceName}'

resource containerAppEnv 'Microsoft.App/managedEnvironments@2022-06-01-preview' = {
  name: containerAppEnvName
  location: location
  sku: {
    name: 'Consumption'
  }
  properties: {
    appLogsConfiguration: {
      destination: 'log-analytics'
      logAnalyticsConfiguration: {
        customerId: logAnalytics.properties.customerId
        sharedKey: logAnalytics.listKeys().primarySharedKey
      }
    }
  }
}

resource containerIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
  name: 'managedId'
  location: location
}

resource containerApp 'Microsoft.App/containerApps@2022-06-01-preview' = {
  name: containerAppName
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${containerIdentity.id}': {}
    }
  }
  properties: {
    managedEnvironmentId: containerAppEnv.id
    configuration: {
      ingress: {
        external: true
        targetPort: targetPort
        allowInsecure: false
        traffic: [
          {
            latestRevision: true
            weight: 100
          }
        ]
      }
    }
    template: {
      revisionSuffix: 'firstrevision'
      containers: [
        {
          name: containerAppName
          image: containerImage
          resources: {
            cpu: json(cpuCore)
            memory: '${memorySize}Gi'
          }
        }
      ]
      scale: {
        minReplicas: minReplicas
        maxReplicas: maxReplicas
      }
    }
  }
  dependsOn: [
    roleAssignment
  ]
}

resource logAnalytics 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  name: logAnalyticsName
  location: location
  tags: tags
  properties: {
    retentionInDays: 30
  }
}

var registrySubscriptionId = 'e90a0a8a-f5a7-4450-9745-07a5246740eb'
var registryResourceGroupName = 'rg-bicepregistry-prod-001'

module roleAssignment 'rg-acr-role-assignment.bicep' = {
  name: 'roleAssignment'
  scope: resourceGroup(registrySubscriptionId, registryResourceGroupName)
  params: {
    containerAppPrincipalId: containerIdentity.properties.principalId
  }
}

output containerAppFQDN string = containerApp.properties.configuration.ingress.fqdn
```
Here is the module it calls to apply the role assignment:
```bicep
param containerAppPrincipalId string

var registryName = 'crbicepregistryprod001'

// Get a reference to the existing ACR
resource existingACR 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' existing = {
  name: registryName
}

// Assign role for container app onto container registry
var acrPullRole = '7f951dda-4ed3-4680-a7ca-43fe172d538d'

resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: guid(containerAppPrincipalId, 'AcrPull')
  scope: existingACR
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', acrPullRole)
    principalId: containerAppPrincipalId
  }
}
```
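After the failed deployment finished, I checked the role assignments at the container registry scope using the Azure portal, and they look fine: the managed identity has the AcrPull role. So I'm confused, why am I getting the error?

1 answer

flvtvl50 #1
Thanks again to Thomas for pointing me in the right direction. I also found this great article, which gives examples, such as: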
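The following is an added example, not the answer's code and not taken from the linked article. It assumes the UNAUTHORIZED error comes from the question's container app having no `configuration.registries` entry: attaching an identity to the app does not make the platform use it for image pulls, so the entry must name the registry server and the identity to pull with. The parameter names are hypothetical; the registry and image names are the ones from the question.

```bicep
// Added example: container app that pulls from ACR with a user-assigned identity.
// Parameter names are hypothetical; registry and image come from the question.
param location string = resourceGroup().location
param containerAppName string
param managedEnvironmentId string

@description('Resource ID of the user-assigned identity that already holds AcrPull on the registry.')
param pullIdentityId string

param registryServer string = 'crbicepregistryprod001.azurecr.io'
param containerImage string = '${registryServer}/devops-agent:latest'

resource containerApp 'Microsoft.App/containerApps@2022-06-01-preview' = {
  name: containerAppName
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${pullIdentityId}': {}
    }
  }
  properties: {
    managedEnvironmentId: managedEnvironmentId
    configuration: {
      // The registry entry tells the platform which identity to present
      // when it pulls images from this server. No username or password
      // secret is stored in the template.
      registries: [
        {
          server: registryServer
          identity: pullIdentityId
        }
      ]
    }
    template: {
      containers: [
        {
          name: containerAppName
          image: containerImage
          resources: {
            cpu: json('0.25')
            memory: '0.5Gi'
          }
        }
      ]
    }
  }
}
```

In the question's template the equivalent change is a `registries` array inside `configuration`, with `identity: containerIdentity.id`, while keeping the existing `dependsOn` on the role assignment module.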