Merge pull request #291916 from craigshoemaker/aca/jason/353435

Jill Grant · web-flow · commit 45602b945e36 · 2024-12-12T16:26:06.000-07:00
[Container Apps] Add MI to Code to Cloud tutorial
diff --git a/articles/container-apps/managed-identity-image-pull.md b/articles/container-apps/managed-identity-image-pull.md
@@ -458,8 +458,7 @@ $AppArgs = @{
     ResourceGroupName = $ResourceGroupName
     ManagedEnvironmentId = $EnvId
     ConfigurationRegistry = $CredentialObject
-    IdentityType = 'UserAssigned'
-    IdentityUserAssignedIdentity = @{ $IdentityId = @{ } }
+    UserAssignedIdentity = @($IdentityId)
     TemplateContainer = $TemplateObj
     IngressTargetPort = 80
     IngressExternal = $true
diff --git a/articles/container-apps/tutorial-code-to-cloud.md b/articles/container-apps/tutorial-code-to-cloud.md
@@ -9,7 +9,7 @@ ms.custom:
   - devx-track-azurepowershell
   - ignite-2023
 ms.topic: tutorial
-ms.date: 05/11/2022
+ms.date: 12/12/2024
 ms.author: cshoe
 zone_pivot_groups: container-apps-image-build-type
 ---
@@ -24,7 +24,7 @@ This is the first tutorial in the series of articles that walk you through how t
 > [!NOTE]
 > You can also build and deploy this app using the [az containerapp up](/cli/azure/containerapp#az_containerapp_up) by following the instructions in the [Quickstart: Build and deploy an app to Azure Container Apps from a repository](quickstart-code-to-cloud.md) article.  The `az containerapp up` command is a fast and convenient way to build and deploy your app to Azure Container Apps using a single command. However, it doesn't provide the same level of customization for your container app.
 
- The next tutorial in the series will build and deploy the front end web application to Azure Container Apps.
+The next tutorial in the series will build and deploy the front end web application to Azure Container Apps.
 
 The following screenshot shows the output from the album API deployed in this tutorial.
 
@@ -145,23 +145,126 @@ cd code-to-cloud/src
 
 ## Create an Azure Container Registry
 
-After the album API container image is built, create an Azure Container Registry (ACR) instance in your resource group to store it.
+1. After the album API container image is built, create an Azure Container Registry (ACR) instance in your resource group to store it.
+
+    # [Bash](#tab/bash)
+
+    ```azurecli
+    az acr create \
+        --resource-group $RESOURCE_GROUP \
+        --location $LOCATION \
+        --name $ACR_NAME \
+        --sku Basic
+    ```
+
+    # [Azure PowerShell](#tab/azure-powershell)
+
+    ```azurepowershell
+    $acr = New-AzContainerRegistry `
+        -ResourceGroupName $ResourceGroup `
+        -Location $Location `
+        -Name $ACRName `
+        -Sku Basic
+    ```
+
+    ---
+
+1. Your container registry must allow Azure Resource Manager (ARM) audience tokens for authentication in order to use managed identity to pull images.
+
+    Use the following command to check if ARM tokens are allowed to access your Azure Container Registry (ACR).
+
+    # [Bash](#tab/bash)
+    
+    ```azurecli
+    az acr config authentication-as-arm show --registry "$ACR_NAME"
+    ```
+
+    If ARM tokens are allowed, the command outputs the following.
+
+    ```
+    {
+      "status": "enabled"
+    }
+    ```
+
+    If the `status` is `disabled`, allow ARM tokens with the following command.
+
+    ```azurecli
+    az acr config authentication-as-arm update --registry "$ACR_NAME" --status enabled
+    ```
+
+    # [Azure PowerShell](#tab/azure-powershell)
+    
+    ```azurepowershell
+    $acr.AzureAdAuthenticationAsArmPolicyStatus
+    ```
+
+    If the command returns `disabled`, allow ARM tokens with the following command.
+
+    ```azurepowershell
+    Update-AzContainerRegistry `
+        -ResourceGroupName $acr.ResourceGroupName `
+        -Name $acr.Name `
+        -AzureAdAuthenticationAsArmPolicyStatus enabled
+    ```
+
+    ---
+
+## Create a user-assigned managed identity
+
+To avoid using administrative credentials, pull images from private repositories in Microsoft Azure Container Registry using managed identities for authentication. When possible, use a user-assigned managed identity to pull images.
 
 # [Bash](#tab/bash)
 
-```azurecli
-az acr create \
-  --resource-group $RESOURCE_GROUP \
-  --name $ACR_NAME \
-  --sku Basic \
-  --admin-enabled true
-```
+1. Create a user-assigned managed identity. Before you run the following commands, choose a name for your managed identity and replace the `\<PLACEHOLDER\>` with the name.
+
+    ```bash
+    IDENTITY="<YOUR_IDENTITY_NAME>"
+    ```
+
+    ```azurecli
+    az identity create \
+        --name $IDENTITY \
+        --resource-group $RESOURCE_GROUP
+    ```
+
+1. Get the identity's resource ID.
+
+    ```azurecli
+    IDENTITY_ID=$(az identity show \
+        --name $IDENTITY \
+        --resource-group $RESOURCE_GROUP \
+        --query id \
+        --output tsv)
+    ```
 
 # [Azure PowerShell](#tab/azure-powershell)
 
-```azurepowershell
-$acr = New-AzContainerRegistry -ResourceGroupName $ResourceGroup -Name $ACRName -Sku Basic -EnableAdminUser
-```
+1. Create a user-assigned managed identity. Before you run the following commands, choose a name for your managed identity and replace the `\<PLACEHOLDER\>` with the name.
+
+    ```azurepowershell
+    $IdentityName="<YOUR_IDENTITY_NAME>"
+    $Identity = New-AzUserAssignedIdentity -ResourceGroupName $ResourceGroup -Name $IdentityName
+    ```
+
+1. Get the identity's resource and principal ID. 
+
+    ```azurepowershell
+    $IdentityId = $Identity.Id
+    $PrincipalId = (Get-AzUserAssignedIdentity -Name $IdentityName -ResourceGroupName $ResourceGroup).PrincipalId
+    ```
+
+1. Get the registry's resource ID. Before you run the following command, replace the *\<placeholders\>* with the resource group name for your registry.
+
+    ```azurepowershell
+    $RegistryId = (Get-AzContainerRegistry -ResourceGroupName $ResourceGroup -Name $ACRName).Id
+    ```
+
+1. Create the `acrpull` role assignment for the identity.
+
+    ```azurepowershell
+    New-AzRoleAssignment -ObjectId $PrincipalId -Scope $RegistryId -RoleDefinitionName acrpull
+    ```
 
 ---
 
@@ -183,8 +286,18 @@ az acr build --registry $ACR_NAME --image $API_NAME .
 
 # [Azure PowerShell](#tab/azure-powershell)
 
-```azurepowershell
-az acr build --registry $ACRName --image $APIName .
+The `az acr build` command does not have a PowerShell equivalent, but can be run in PowerShell.
+
+To sign into Azure with the Azure CLI, run the following command and follow the prompts to complete the authentication process.
+
+```powershell
+az login
+```
+
+Then build the container.
+
+```powershell
+az acr build --registry $AcrName --image $APIName .
 ```
 
 ---
@@ -197,7 +310,7 @@ Output from the `az acr build` command shows the upload progress of the source c
 
 ## Build your application
 
-The following steps, demonstrate how to build your container image locally using Docker and push the image to the new container registry.
+The following steps show how to build your container image locally using Docker and push the image to the new container registry.
 
 ### Build the container with Docker
 
@@ -229,8 +342,8 @@ az acr login --name $ACR_NAME
 
 # [Azure PowerShell](#tab/azure-powershell)
 
-```powershell
-az acr login --name $ACRName
+```azurepowershell
+Connect-AzContainerRegistry -Name $ACRName
 ```
 
 ---
@@ -239,13 +352,13 @@ Now, push the image to your registry.
 
 # [Bash](#tab/bash)
 
-```azurecli
+```bash
 docker push $ACR_NAME.azurecr.io/$API_NAME
 ```
 
 # [Azure PowerShell](#tab/azure-powershell)
 
-```powershell
+```bash
 docker push "$ACRName.azurecr.io/$APIName"
 ```
 
@@ -319,6 +432,8 @@ az containerapp create \
   --target-port 8080 \
   --ingress external \
   --registry-server $ACR_NAME.azurecr.io \
+  --user-assigned "$IDENTITY_ID" \
+  --registry-identity "$IDENTITY_ID" \
   --query properties.configuration.ingress.fqdn
 ```
 
@@ -328,67 +443,65 @@ az containerapp create \
 
 * Without a `query` property, the call to `az containerapp create` returns a JSON response that includes a rich set of details about the application. Adding a query parameter filters the output to just the app's fully qualified domain name (FQDN).
 
+* This command adds the `acrPull` role to your user-assigned managed identity, so it can pull images from your container registry.
+
 # [Azure PowerShell](#tab/azure-powershell)
 
 To create the container app, create template objects that you pass in as arguments to the `New-AzContainerApp` command.
 
-Create a template object to define your container image parameters.
-
-```azurepowershell
-$ImageParams = @{
-    Name = $APIName
-    Image = $ACRName + '.azurecr.io/' + $APIName + ':latest'
-}
-$TemplateObj = New-AzContainerAppTemplateObject @ImageParams
-```
-
-Run the following command to get your registry credentials.
-
-```azurepowershell
-$RegistryCredentials = Get-AzContainerRegistryCredential -Name $ACRName -ResourceGroupName $ResourceGroup
-```
-
-Create a registry credential object to define your registry information, and a secret object to define your registry password. The `PasswordSecretRef` refers to the `Name` in the secret object.
-
-```azurepowershell
-$RegistryArgs = @{
-    Server = $ACRName + '.azurecr.io'
-    PasswordSecretRef = 'registrysecret'
-    Username = $RegistryCredentials.Username
-}
-$RegistryObj = New-AzContainerAppRegistryCredentialObject @RegistryArgs
-
-$SecretObj = New-AzContainerAppSecretObject -Name 'registrysecret' -Value $RegistryCredentials.Password
-```
-
-Get your environment ID.
-
-```azurepowershell
-$EnvId = (Get-AzContainerAppManagedEnv -EnvName $Environment -ResourceGroup $ResourceGroup).Id
-```
-
-Create the container app.
-
-```azurepowershell
-$AppArgs = @{
-    Name = $APIName
-    Location = $Location
-    ResourceGroupName = $ResourceGroup
-    ManagedEnvironmentId = $EnvId
-    TemplateContainer = $TemplateObj
-    ConfigurationRegistry = $RegistryObj
-    ConfigurationSecret = $SecretObj
-    IngressTargetPort = 8080
-    IngressExternal = $true
-}
-$MyApp = New-AzContainerApp @AppArgs
-
-# show the app's fully qualified domain name (FQDN).
-$MyApp.IngressFqdn
-```
-
-* By setting `IngressExternal` to `external`, your container app is accessible from the public internet.
-* The `IngressTargetPort` parameter is set to `8080` to match the port that the container is listening to for requests.
+1. Create a template object to define your container image parameters.
+
+    ```azurepowershell
+    $ImageParams = @{
+        Name = $APIName
+        Image = $ACRName + '.azurecr.io/' + $APIName + ':latest'
+    }
+    $TemplateObj = New-AzContainerAppTemplateObject @ImageParams
+    ```
+
+1. Create a registry credential object to define your registry information.
+
+    ```azurepowershell
+    $RegistryArgs = @{
+        Server = $ACRName + '.azurecr.io'
+        Identity = $IdentityId
+    }
+    $RegistryObj = New-AzContainerAppRegistryCredentialObject @RegistryArgs
+    ```
+
+1. Get your environment ID.
+
+    ```azurepowershell
+    $EnvId = (Get-AzContainerAppManagedEnv -EnvName $Environment -ResourceGroup $ResourceGroup).Id
+    ```
+
+1. Create the container app.
+
+    ```azurepowershell
+    $AppConfig = @{
+        IngressTargetPort = 8080
+        IngressExternal = $true
+        Registry = $RegistryObj
+    }
+    $AppConfigObj = New-AzContainerAppConfigurationObject @AppConfig
+
+    $AppArgs = @{
+        Name = $APIName
+        Location = $Location
+        ResourceGroupName = $ResourceGroup
+        ManagedEnvironmentId = $EnvId
+        TemplateContainer = $TemplateObj
+        Configuration = $AppConfigObj
+        UserAssignedIdentity = @($IdentityId)
+    }
+    $MyApp = New-AzContainerApp @AppArgs
+
+    # Show the app's fully qualified domain name (FQDN).
+    $MyApp.LatestRevisionFqdn
+    ```
+
+    * By setting `IngressExternal` to `$true`, your container app is accessible from the public internet.
+    * The `IngressTargetPort` parameter is set to `8080` to match the port that the container is listening to for requests.
 
 ---
 
