Merge branch 'ami-updates' of https://github.com/cebundy/azure-docs-pr

cebundy · cebundy · commit e43486c56f99 · 2022-05-11T15:58:08.000-07:00
diff --git a/articles/container-apps/containers.md b/articles/container-apps/containers.md
@@ -5,7 +5,7 @@ services: container-apps
 author: craigshoemaker
 ms.service: container-apps
 ms.topic: conceptual
-ms.date: 02/18/2022
+ms.date: 05/11/2022
 ms.author: cshoe
 ms.custom: ignite-fall-2021
 ---
@@ -21,10 +21,10 @@ Azure Container Apps supports:
 - Any Linux-based x86-64 (`linux/amd64`) container image
 - Containers from any public or private container registry
 
-Additional features include:
+Features include:
 
-- There is no required base container image.
-- Changes to the `template` ARM configuration section triggers a new [container app revision](application-lifecycle-management.md).
+- There's no required base container image.
+- Changes to the `template` ARM configuration section trigger a new [container app revision](application-lifecycle-management.md).
 - If a container crashes, it automatically restarts.
 
 > [!NOTE]
@@ -141,6 +141,53 @@ The following example shows how to deploy an app from the Azure Container Regist
 }
 ```
 
+###  Managed identity with Azure Container Registry
+
+You can use an Azure managed identity to authenticate with Azure Container Registry instead of using a username and password. To use a managed identity, assign a system-assigned or user-assigned managed identity to your container app, then specify the managed identity you want to use for each registry using the managed identity resource ID for user-assigned, or "system" for system-assigned. 
+
+```json
+{
+    "identity": {
+        "type": "SystemAssigned,UserAssigned",
+        "userAssignedIdentities": {
+            "<IDENTITY1_RESOURCE_ID>": {}
+        }
+    }
+    "properties": {
+        "configuration": {
+            "registries": [
+            {
+                "server": "myacr1.azurecr.io",
+                "identity": "<IDENTITY1_RESOURCE_ID>"
+            },
+            {
+                "server": "myacr2.azurecr.io",
+                "identity": "system"
+            }]
+        }
+        ...
+    }
+}
+```
+
+The managed identity must have `AcrPull` access on the Azure Container Registry. For more information about assigning Azure Container Registry permissions to managed identities, see [Authenticate with managed identity](../container-registry/container-registry-authentication-managed-identity).
+
+System-assigned identities are created at the time your container app is created, and therefore, won't have `AcrPull` access to your Azure Container Registry.  As a result, the image can't be pulled from your private registry when your app is first deployed.
+
+To configure a system-assigned identity, you must use one of the following methods.
+
+Use a public registry for the initial deployment:
+
+1. Create your container app using a public image and a system-assigned identity.
+1. Give the new system-assigned identity `AcrPull` access to your private Azure Container Registry.
+1. Update your container app replacing the public image with the image from your private Azure Container Registry.
+
+Restart your app after assigning permissions:
+
+1. Create your container app using a private image and a system-assigned identity. (The deployment will result in a failure to pull the image.)
+1. Give the new system-assigned identity `AcrPull` access to your private Azure Container Registry.
+1. Restart your container app revision.
+
 ## Limitations
 
 Azure Container Apps has the following limitations:
diff --git a/articles/container-apps/managed-identity.md b/articles/container-apps/managed-identity.md
@@ -5,7 +5,7 @@ services: container-apps
 author: cebundy
 ms.service: container-apps
 ms.topic: how-to
-ms.date: 04/11/2022
+ms.date: 05/11/2022
 ms.author: v-bcatherine
 ---
 
@@ -28,6 +28,7 @@ With managed identities:
 - You can use role-based access control to grant specific permissions to a managed identity.
 - System-assigned identities are automatically created and managed. They're deleted when your container app is deleted.
 - You can add and delete user-assigned identities and assign them to multiple resources. They're independent of your container app's life cycle.
+- You can use managed identity to [authenticate with a private Azure Container Registry](container.md#container-registries) without a username and password to pull containers for your Container App.
 
 ### Common use cases
 
@@ -43,11 +44,7 @@ User-assigned identities are ideal for workloads that:
 
 ## Limitations
 
-The identity is only available within a running container, which means you can't use a managed identity to:
-
-- Pull an image from Azure Container Registry
-- Define scaling rules or Dapr configuration
-  - To access resources that require a connection string or key, such as  storage resources, you'll still need to include the connection string or key in the `secretRef` of the scaling rule.
+The identity is only available within a running container, which means you can't use a managed identity in scaling rules or Dapr configuration.  To access resources that require a connection string or key, such as  storage resources, you'll still need to include the connection string or key in the `secretRef` of the scaling rule.
 
 ## Configure managed identities
 
@@ -268,11 +265,11 @@ A container app with a managed identity exposes the identity endpoint by definin
 - IDENTITY_ENDPOINT - local URL from which your container app can request tokens.
 - IDENTITY_HEADER - a header used to help mitigate server-side request forgery (SSRF) attacks. The value is rotated by the platform.
 
-To get a token for a resource, make an HTTP GET request to this endpoint, including the following parameters:
+To get a token for a resource, make an HTTP GET request to the endpoint, including the following parameters:
 
 | Parameter name    | In     | Description|
 |---------|---------|---------|
-| resource          | Query  | The Azure AD resource URI of the resource for which a token should be obtained. This could be one of the [Azure services that support Azure AD authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication) or any other resource URI.    |
+| resource          | Query  | The Azure AD resource URI of the resource for which a token should be obtained. The resource could be one of the [Azure services that support Azure AD authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication) or any other resource URI.    |
 | api-version       | Query  | The version of the token API to be used. Use "2019-08-01" or later. |
 | X-IDENTITY-HEADER | Header | The value of the `IDENTITY_HEADER` environment variable. This header mitigates server-side request forgery (SSRF) attacks. |
 | client_id         | Query  | (Optional) The client ID of the user-assigned identity to be used. Can't be used on a request that includes `principal_id`, `mi_res_id`, or `object_id`. If all ID parameters  (`client_id`, `principal_id`, `object_id`, and `mi_res_id`) are omitted, the system-assigned identity is used.|
@@ -343,4 +340,4 @@ To remove all identities, set the `type` of the container app's identity to `Non
 ## Next steps
 
 > [!div class="nextstepaction"]
-> [Monitor an app](monitor.md)
+> [Monitor an app](monitor.md)
