
Commit aa13fbe

Remove the SAMI and use only UAMI
1 parent 764365d commit aa13fbe

1 file changed

+10
-62
lines changed

articles/azure-functions/functions-deploy-container-apps.md

Lines changed: 10 additions & 62 deletions
@@ -24,19 +24,12 @@ Before you can deploy your container to Azure, you need to create three resource
2424
* A [resource group](../azure-resource-manager/management/overview.md), which is a logical container for related resources.
2525
* A [Storage account](../storage/common/storage-account-create.md), which is used to maintain state and other information about your functions.
2626
* An Azure Container Apps environment with a Log Analytics workspace.
27-
* A managed identity that enables your function app to securely connect to the Azure Container Registry instance using Microsoft Entra authentication, which can be one of these to kinds identity:
27+
* A user-assigned managed identity that enables your function app to securely connect, using Microsoft Entra authentication, to both the Azure Storage account and to the Azure Container Registry instance, when deploying from a container registry instance. While you can use the system-assigned managed identity that belongs to only your app, you can have more than one user-assigned managed identity assigned to your app. This is the recommended type of identity for this scenario.
2828

29-
### [User-assigned](#tab/user-assigned)
30-
An independent Azure resource assigned to your app that is used for role-based authorization. You can have more than one user-assigned managed identity assigned to your app. This is the recommended type of identity for this scenario.
29+
>[!NOTE]
30+
>Docker Hub doesn't support managed identities.
3131
32-
### [System-assigned](#tab/system-assigned)
33-
A managed identity that belongs to only your app. There is only one system-assigned managed identity for a given app.
34-
35-
---
36-
37-
Docker Hub doesn't support managed identities.
38-
39-
Use the following commands to create these items.
32+
Use these commands to create your required Azure resources:
4033

4134
1. If you haven't done so already, sign in to Azure.
4235

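Review bot: The new bullet at line 27 still tells readers they can use the system-assigned identity ("While you can use the system-assigned managed identity that belongs to only your app, ...") even though this commit removes every system-assigned tab, so the sentence points at a path the article no longer documents. Suggest dropping that clause or stating plainly that the article covers only the user-assigned identity. The same bullet says the identity connects to "both the Azure Storage account and to the Azure Container Registry instance, when deploying from a container registry instance", which reads as if storage access depends on the registry. Split it into two sentences so it is clear which access is always needed and which applies only to Azure Container Registry, given that the NOTE directly below says Docker Hub doesn't support managed identities.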
@@ -85,31 +78,24 @@ Use the following commands to create these items.
8578
8679
In the previous example, replace `<STORAGE_NAME>` with a name that is appropriate to you and unique in Azure Storage. Storage names must contain 3 to 24 characters numbers and lowercase letters only. `Standard_LRS` specifies a general-purpose account [supported by Functions](storage-considerations.md#storage-account-requirements).
8780
88-
1. Create a managed identity and grant it pull permissions in your registry instance. _This step only applies when using Azure Container Registry._
81+
1. Create a managed identity and grant it access to your storage account and pull permissions in your registry instance.
8982
90-
### [User-assigned](#tab/user-assigned)
9183
```azurecli
9284
ACR_ID=$(az acr show --name <REGISTRY_NAME> --query id --output tsv)
85+
9386
UAMI_ID=$(az identity create --name <USER_IDENTITY_NAME> --resource-group AzureFunctionsContainers-rg --location eastus --query principalId -o tsv)
9487
az role assignment create --assignee $UAMI_ID --role acrpull --scope $ACR_ID
9588
```
9689
9790
The [`az identity create`](/cli/azure/identity#az-identity-create) command creates a user-assigned managed identity and the [`az role assignment create`](/cli/azure/role/assignment#az-role-assignment-create) adds your identity to the `acrpull` role in your registry. Replace `<REGISTRY_NAME>` and `<USER_IDENTITY_NAME>` with the name your existing container registry and name for your managed identity, respectively. The managed identity can now be used by an app to access Azure Container Registry without using shared secrets.
98-
99-
### [System-assigned](#tab/system-assigned)
100-
101-
Proceed to the next section to create a system-assigned managed identity automatically when you create your app.
102-
103-
---
104-
10591
10692
## Create and configure a function app on Azure with the image
10793
10894
A function app on Azure manages the execution of your functions in your Azure Container Apps environment. In this section, you use the Azure resources from the previous section to create a function app from an image in a container registry in a Container Apps environment. You also configure the new environment with a connection string to the required Azure Storage account.
10995
11096
Use the [`az functionapp create`](/cli/azure/functionapp#az-functionapp-create) command to create a function app in the new managed environment backed by Azure Container Apps. In [`az functionapp create`](/cli/azure/functionapp#az-functionapp-create), the `--environment` parameter specifies the Container Apps environment.
11197
112-
### [Azure Container Registry](#tab/acr/user-assigned)
98+
### [Azure Container Registry](#tab/acr)
11399
114100
>[!TIP]
115101
> To make sure that your function app uses a managed identity-based connection to your registry instance, don't set the `--image` parameter in `az functionapp create`. When you set `--image` to the fully-qualified name of your image in the repository, shared secret credentials are obtained from your registry and stored in app settings.
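Review bot: The reworded step at line 81 promises storage access, but the command block under it is unchanged apart from one blank line and still grants only `acrpull` scoped to `$ACR_ID`. Nothing in this hunk assigns a role on the storage account, and the paragraph at line 90 still describes only the `acrpull` role. Either add the storage role assignment and describe it, or keep the step text limited to the registry. Removing "_This step only applies when using Azure Container Registry._" also leaves Docker Hub readers running `az acr show --name <REGISTRY_NAME>` with no registry to name, so the step needs a qualifier or a split for that case.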
@@ -136,50 +122,12 @@ In addition to the required site settings, the [`az resource patch`](/cli/azure/
136122

137123
In this example, replace `<APP_NAME>`, `<REGISTRY_NAME>`, and `<USER_IDENTITY_NAME>` with the names of your function app, container registry, and identity, respectively.
138124

139-
### [Azure Container Registry](#tab/acr/system-assigned)
140-
141-
>[!TIP]
142-
> To make sure that your function app uses a managed identity-based connection to your registry instance, don't set the `--image` parameter in `az functionapp create`. When you set `--image` to the fully-qualified name of your image in the repository, shared secret credentials are obtained from your registry and stored in app settings.
143-
144-
First use the [`az functionapp create`](/cli/azure/functionapp#az-functionapp-create) command to create a function app using the default image and with a system-assigned managed identity enabled.
145-
146-
```azurecli
147-
az functionapp create --name <APP_NAME> --storage-account <STORAGE_NAME> --environment MyContainerappEnvironment --workload-profile-name "Consumption" --resource-group AzureFunctionsContainers-rg --functions-version 4 --assign-identity
148-
```
149-
150-
In [`az functionapp create`](/cli/azure/functionapp#az-functionapp-create), using `--assign-identity` enables a system-assigned managed identity for your new app. Because you didn't set the `--image` parameter in `az functionapp create`, the application is created using a placeholder image.
151-
152-
In this example, replace `<APP_NAME>` and `<STORAGE_NAME>` with a name for your new function app.
153-
154-
Finally, you must update the [`linuxFxVersion`](./functions-app-settings.md#linuxfxversion) site setting to the fully-qualified name of your image in the repository. You must also update the [`acrUseManagedIdentityCreds`](./functions-app-settings.md#acrusemanagedidentitycreds) site settings so that managed identities are used when obtaining the image from the registry.
155-
156-
```azurecli
157-
UAMI_RESOURCE_ID=$(az identity show --name <USER_IDENTITY_NAME> --resource-group AzureFunctionsContainers-rg --query id -o tsv)
158-
az resource patch --resource-group AzureFunctionsContainers-rg --name <APP_NAME> --resource-type "Microsoft.Web/sites" --properties "{ \"siteConfig\": { \"linuxFxVersion\": \"DOCKER|<REGISTRY_NAME>.azurecr.io/azurefunctionsimage:v1.0.0\", \"acrUseManagedIdentityCreds\": true, \"appSettings\": [{\"name\": \"DOCKER_REGISTRY_SERVER_URL\", \"value\": \"<REGISTRY_NAME>.azurecr.io\"}]}}"
159-
```
160-
161-
In addition to the required site settings, the [`az resource patch`](/cli/azure/resource#az-resource-patch) command also updates the [`DOCKER_REGISTRY_SERVER_URL`](./functions-app-settings.md#docker_registry_server_url) app setting to the URL of your registry server.
162-
163-
In this example, replace `<APP_NAME>`, `<REGISTRY_NAME>`, and `<USER_IDENTITY_NAME>` with the names of your function app, container registry, and identity, respectively.
164-
165-
### [Docker Hub](#tab/docker/user-assigned)
166-
167-
First use the [`az functionapp create`](/cli/azure/functionapp#az-functionapp-create) command to create a function app using the image from your container repository.
168-
169-
```azurecli
170-
az functionapp create --name <APP_NAME> --storage-account <STORAGE_NAME> --environment MyContainerappEnvironment --workload-profile-name "Consumption" --resource-group AzureFunctionsContainers-rg --functions-version 4 --image <DOCKER_ID>/azurefunctionsimage:v1.0.0
171-
```
172-
173-
In the [`az functionapp create`](/cli/azure/functionapp#az-functionapp-create) command, the `--environment` parameter specifies the Container Apps environment and the `--image` parameter specifies the image to use for the function app. In this example, replace `<STORAGE_NAME>` with the name you used in the previous section for the storage account. Also, replace `<APP_NAME>` with a globally unique name appropriate to you and `<DOCKER_ID>` with your public Docker Hub account ID.
174-
175-
If you're using a private registry, you need to include the fully qualified domain name of your registry instead of just the Docker ID for `<DOCKER_ID>`, along with the `--registry-username` and `--registry-password` credential required to access the registry.
176-
177-
### [Docker Hub](#tab/docker/system-assigned)
125+
### [Docker Hub](#tab/docker)
178126

179-
First use the [`az functionapp create`](/cli/azure/functionapp#az-functionapp-create) command to create a function app using the image from your container repository.
127+
First you must get fully-qualified ID value of your user-assigned managed identity, and then use the [`az functionapp create`](/cli/azure/functionapp#az-functionapp-create) command to create a function app using the default image and with this identity assigned to it.
180128

181129
```azurecli
182-
az functionapp create --name <APP_NAME> --storage-account <STORAGE_NAME> --environment MyContainerappEnvironment --workload-profile-name "Consumption" --resource-group AzureFunctionsContainers-rg --functions-version 4 --image <DOCKER_ID>/azurefunctionsimage:v1.0.0
130+
az functionapp create --name <APP_NAME> --storage-account <STORAGE_NAME> --environment MyContainerappEnvironment --workload-profile-name "Consumption" --resource-group AzureFunctionsContainers-rg --functions-version 4 --assign-identity --image <DOCKER_ID>/azurefunctionsimage:v1.0.0
183131
```
184132

185133
In the [`az functionapp create`](/cli/azure/functionapp#az-functionapp-create) command, the `--environment` parameter specifies the Container Apps environment and the `--image` parameter specifies the image to use for the function app. In this example, replace `<STORAGE_NAME>` with the name you used in the previous section for the storage account. Also, replace `<APP_NAME>` with a globally unique name appropriate to you and `<DOCKER_ID>` with your public Docker Hub account ID.
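Review bot: In the Docker Hub tab, the new sentence at line 127 and the command at line 130 disagree. The sentence says to first get the fully-qualified ID of the user-assigned identity and to create the app "using the default image", but the block has no command that fetches the ID, passes `--assign-identity` with no value, and sets `--image <DOCKER_ID>/azurefunctionsimage:v1.0.0`. The text removed at line 150 describes bare `--assign-identity` as enabling a system-assigned identity, which is what this commit sets out to remove. Suggest adding the `az identity show ... --query id` lookup that appears in the removed lines at 157 and passing its result to `--assign-identity`, and rewording "the default image" to match the `--image` value. "get fully-qualified ID value" also needs an article ("get the fully-qualified ID value").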
