Azure App Service error when pulling an image from ACR using Key Vault (Terraform)

Time: 2019-06-17 17:44:09

Tags: azure azure-web-sites terraform azure-keyvault

I am trying to pull an image from ACR into an Azure App Service. I have stored the ACR credentials in Key Vault and I am using the endpoints generated by Key Vault in the App Service Terraform configuration. My TF script looks like this:

  module "my-ui-service-temp" {
    source                   = "app-service-noconn"
    location                 = "${local.location}"
    name                     = "webapp-temp"
    resource_group_name      = "${module.create-resource-group.name}"
    app_service_plan_id      = "${module.create-app-service-plan.id}"
    app_service_plan_name    = "${module.create-app-service-plan.name}"
    namespace                = "${local.namespace}-temp"
    dotnetframework_version  = "v4.0"
    java_version             = "1.8"
    process_32bitworker      = "true"
    websockets_enabled       = "true"
    remote_debugging_enabled = "true"
    local_mysql_enabled      = "true"
    php_version              = "5.5"
    remote_debugging_version = "VS2017"
    tls_version              = "1.2"
    linuxfx_version          = "DOCKER|myregistry.azurecr.io/my-webapp:latest"
    //cors_allowed_origins   = "*"

    //ip_address_restriction = "10.198.54.79"

    #ip_address_restriction  = "198.203.177.177"
    default_documents        = ["Default.htm", "Default.html", "Default.asp", "index.htm", "index.html", "iisstart.htm", "default.aspx", "index.php", "hostingstart.html"]

    http2_enabled = "false"
    scm_type      = "none"
    subnet_mask   = "255.255.255.255"

    app_settings {
      "DOCKER_REGISTRY_SERVER_URL"      = "myregistry.azurecr.io"
      "DOCKER_REGISTRY_SERVER_USERNAME" = "https://myapp-kv-az.vault.azure.net/secrets/my-secret-kv-az/redacted"
      "DOCKER_REGISTRY_SERVER_PASSWORD" = "https://myapp-kv-az.vault.azure.net/secrets/my-pass-az-pass/redacted"
    }
  }

This is the error I get:

  2019-06-17 16:06:20.651 ERROR - Pulling docker image registry.azurecr.io/myApp-webapp:latest failed:
  2019-06-17 16:06:20.651 INFO  - Pulling image from Docker hub: registry.azurecr.io/myApp-webapp:latest
  2019-06-17 16:06:20.676 ERROR - DockerApiException: Docker API responded with status code=InternalServerError, response={"message":"Get https://registry.azurecr.io/v2/myApp-webapp/manifests/latest: unauthorized: authentication required"}

  2019-06-17 16:06:20.687 ERROR - Image pull failed: Verify docker image configuration and credentials (if using private repository)

If I pass my ACR credentials directly, without Key Vault, the image is pulled and built without any problem. I think this has something to do with the Key Vault access policy.

However, the error message says: Docker API responded with status code=InternalServerError, response={"message":"Get https://registry.azurecr.io/v2/myApp-webapp/manifests/latest: unauthorized: authentication required"}, which puzzles me!

I am passing the authentication details through Key Vault, but App Service is not able to authenticate.

2 answers:

Answer 0 (score: 1)

Fixed it. Instead of passing @Microsoft.KeyVault(SecretUri=""),

I used

  data "azurerm_key_vault_secret" "myacrServer" {
    name      = "myApp-acr-server-az"
    # vault_uri must be the full https:// URL of the vault
    vault_uri = "https://myApp-kv-az-acr.vault.azure.net"
  }

Then, in the app_settings of the web app service, pass that data secret value.

  app_settings {
    # assumes a second data source named "myacrusname", declared like the one above, that reads the username secret
    "DOCKER_REGISTRY_SERVER_USERNAME" = "${data.azurerm_key_vault_secret.myacrusname.value}"
  }

Answer 1 (score: 0)

If you want to use a reference to the Key Vault, you can do it the official way. So it looks like this:

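The "official" Key Vault reference pattern that answer 1 points at, written out as an added example in Terraform 0.12+ syntax (this is not code from the question or from either answer). It assumes a vault `azurerm_key_vault.kv`, a plan `azurerm_app_service_plan.plan`, a resource group `azurerm_resource_group.rg`, and two secrets `acr-username` and `acr-password` already stored in the vault.

```hcl
# Added example (not from the question or either answer). Assumed names:
# azurerm_key_vault.kv, azurerm_app_service_plan.plan, azurerm_resource_group.rg,
# and the secrets acr-username / acr-password already present in the vault.

data "azurerm_key_vault_secret" "acr_username" {
  name         = "acr-username"
  key_vault_id = azurerm_key_vault.kv.id
}

data "azurerm_key_vault_secret" "acr_password" {
  name         = "acr-password"
  key_vault_id = azurerm_key_vault.kv.id
}

resource "azurerm_app_service" "webapp" {
  name                = "webapp-temp"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  app_service_plan_id = azurerm_app_service_plan.plan.id

  # App Service resolves Key Vault references with its own managed identity;
  # without one the reference stays an unresolved string.
  identity {
    type = "SystemAssigned"
  }

  site_config {
    linux_fx_version = "DOCKER|myregistry.azurecr.io/my-webapp:latest"
  }

  app_settings = {
    DOCKER_REGISTRY_SERVER_URL = "https://myregistry.azurecr.io"
    # A bare secret URI (as in the question) is handed to Docker as the literal
    # username/password; the @Microsoft.KeyVault(...) wrapper is what makes
    # App Service fetch the secret value. .id is the versioned secret URI.
    DOCKER_REGISTRY_SERVER_USERNAME = "@Microsoft.KeyVault(SecretUri=${data.azurerm_key_vault_secret.acr_username.id})"
    DOCKER_REGISTRY_SERVER_PASSWORD = "@Microsoft.KeyVault(SecretUri=${data.azurerm_key_vault_secret.acr_password.id})"
  }
}

# Least privilege: the app's identity only needs Get on secrets. Without this
# policy the reference cannot be resolved and the registry pull fails with
# "unauthorized: authentication required", as in the question's log.
resource "azurerm_key_vault_access_policy" "webapp" {
  key_vault_id       = azurerm_key_vault.kv.id
  tenant_id          = azurerm_app_service.webapp.identity[0].tenant_id
  object_id          = azurerm_app_service.webapp.identity[0].principal_id
  secret_permissions = ["Get"]
}
```

Compared with answer 0, which interpolates `.value` directly, this keeps the secret value out of the App Service configuration blob; note that both variants still record the secret in Terraform state, so the state backend needs the same protection as the vault.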