英文:
Azure Container Registry Webhook to App Service 401
问题
我有一个 Azure 应用服务,它在启动时从 Azure 容器注册表(ACR)中拉取容器镜像。我试图让 ACR Webhook 通知应用服务新的容器可用并自动重启。然而,在 ADO 流水线中 Webhook 运行正常,但我却收到了 "401 未经授权" 错误。
从应用服务中,我已经打开了 "持续部署" 并将 Webhook URL 复制到 ACR Webhook 的服务 URI 中:
应用服务在容器注册表上具有 "AcrPull" 权限:
甚至在此配置下运行 Webhook 上的 Ping 也会导致 401 错误:
我漏掉了什么?我在 Microsoft 文档中没有看到任何特别的步骤。
英文:
I have an Azure App Service that pulls a container image from an Azure Container Registry (ACR) when the App Service starts. I'm trying to have an ACR Webhook notify the App Service that a new container is available and to restart automatically. However, while the Webhook runs fine from an ADO pipeline, I get a "401 Unauthorized" error.
From the App Service, I've turned on "Continuous Deployment" and copied the Webhook URL to the Service URI in the ACR Webhook:
The App Service has "AcrPull" permissions on the Container Registry:
Even running a Ping on the Webhook results in a 401 with this configuration:
What am I missing? I don't see anything in particular that I've skipped in the Microsoft documentation.
答案1
得分: 2
Azure Container Registry Webhook to App Service 401:
需要检查以下内容:
验证您被添加的权限(用户或服务主体),即使您已为通过应用服务获取注册表提供了适当的权限。
因为要能够从ACR中拉取,您必须为"托管标识或服务主体"分配AcrPull角色。
有时ACR Webhook没有授权访问应用服务。要解决此问题,请将ACR Webhook的IP地址添加到应用服务的IP限制中。
在某些情况下,应用服务可能未设置为使用适当的身份验证方法。检查应用服务设置中的身份验证。
如果问题仍然存在,请尝试使用管理员凭据进行身份验证,如下所示。
检查应用服务和容器注册表是否存在任何防火墙或IP限制。
如果上述方法都没有帮助,请访问应用服务中的部署选项下的部署中心日志来检查日志。
我在我的环境中尝试了相同的操作,使用下面添加的权限和在Azure AD中注册的应用程序,它按如下方式工作。
如果问题仍未解决,可能需要使用ACR任务功能或开发使用Azure事件网格和Azure函数的自定义解决方案。
英文:
> Azure Container Registry Webhook to App Service 401:
Need to check below:
Verify the permissions for which you are added (User or a service principal), even if you provided the appropriate permissions for fetching the registry through App service.
Because to be able to pull from ACR, you must assign the AcrPull role to a "Managed Identity or Service Principal".
Sometimes the ACR webhook does not have authorization to access App service. To resolve this, add the ACR Webhook IP address to the App Service's IP Restrictions.
In few scenarios, App Service may not set up to use the proper authentication method. Check the authentication in the App Service's Authentication in settings.
If still the issue persists, try to authenticate with the admin credentials as shown.
Check whether any firewall or Ip restrictions are existed for the App service as well as container registries.
If none of the above helps, check the logs by visiting into logs of the deployment center under deployment option in an app service.
I tried the same in my environment with the below added permissions and a registered app in Azure AD and it worked as follows.
Other solutions like ACR Tasks feature or developing a custom solution with Azure Event Grid and Azure Functions, may be required if it is not resolved.
答案2
得分: 0
确保已启用应用服务的“基本身份验证发布凭据”。由于 Webhook 使用基本身份验证进行身份验证,因此需要启用此设置才能正常工作。一旦启用了此设置,Webhook 就会按预期工作。
英文:
Posted this answer to a similar question, posting it here as well for visibility.
Make sure the "Basic Auth Publishing Credentials" is enabled for the App Service. Since the webhook uses basic auth for authentication, this needs to be enabled for it to work. Once we enabled this setting, the webhook started to work as expected.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论