Assignment: Permissions and Identity Management
Objective
This assignment is designed to introduce you to Identity Management and IAM Roles, covering the setup of a WebApp and a Container Registry (ACR), configuration, and basic management of apps’ identity and roles to connect both services. By the end of this assignment, you will understand how to connect at least two Azure services to allow them to communicate.
Task 1: Deploy a simple WebApp from Docker image
1. Log in to Azure
Navigate to your Azure portal and log in.
2. Create a resource group
Name your resource group simpleAppRG
3. Create a WebApp
Go to App Services and create a new Web app. Set the following configurations:
- Choose the same resource group as previously.
- Name your web app: `simple-app`.
- Publish: Container.
- Operating System: Linux.
- Region: France Central.
- Pricing Plan: Choose Free F1.

Go to the Next step, configure the container:
- Set “Image Source” to `Quickstart` (default option).
- Click on `Review + create`, then “create”.
Question: Wait a few minutes, then visit the URL of your WebApp. What do you see? Check the logs in the Deployment Center to inspect what happened.
4. Create a Container Registry
Look for the Container Registries service and create a new Registry.

Use the following configuration:
- Select the resource group you just created.
- Name the registry: `appsRegistry`.
- Location: France Central.
- Pricing plan: Standard.
- Click on `Review + create` and create your registry.
Question: What’s a container registry?
5. Create a simple app
First, let’s create a simple app. On your computer:
- Create a new directory for your FastAPI app:

```bash
mkdir ~/simple-app
cd ~/simple-app
```

- Create a file named `main.py` with the following FastAPI code:

```python
from fastapi import FastAPI

app = FastAPI()


# Respond to GET / with a small JSON greeting
@app.get("/")
async def root():
    return {"message": "Hello, Azure!"}
```

Feel free to update this app! Show me your creativity :)
- Create the `Dockerfile`. In the `simple-app` directory, create a file named `Dockerfile` with the following content:

```Dockerfile
# Use an official Python runtime as a parent image
FROM python:3.9
# Set the working directory
WORKDIR /app
# Copy the current directory contents into the container at /app
COPY . /app
# Install FastAPI and Uvicorn
RUN pip install fastapi uvicorn
# Make port 8080 available to the world outside this container
EXPOSE 8080
# Run app with Uvicorn on container startup
CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8080"]
```

- Build the Docker image:

```bash
docker build -t fastapi-app .
```

- Run the Docker container:

```bash
docker run -d -p 8080:8080 fastapi-app
```

- Visit your website at http://localhost:8080.
6. Push the image to the registry
Navigate to your `appsRegistry` resource. In “Overview”, look for “Get Started” -> “Push an image”. Follow the steps to understand the example. After step 4, navigate to “Repositories”. What do you see?
Now use the same steps to push your local Docker image to your ACR registry. Push the image to the `simpleApp` repository.
Questions: Why did you have to run the `az acr login` command? What does step 3 do? What about step 4?
7. Create an Identity for your WebApp
You need to allow your WebApp to pull images from ACR in order to deploy it.
- Navigate to your WebApp. Look for `Identity`.
- Enable “System Identity”, then click on Save.

Questions:
- What’s a “Service Principal”? How does it work?
- What’s a “Managed Identity”?
- What’s the difference between `System Identity` and `User Identity` in “Managed Identity”?
- What’s the difference between “Managed Identity” and “Service Principal”?
- When clicking on “Azure role assignments”, what do you see? What does this section list?
8. Assign roles to your WebApp
Your WebApp doesn’t have any role assignment for the moment, so technically, it can’t access anything.
The WebApp needs access to ACR to pull the latest image of the app you pushed and deploy it. Let’s grant it the permission:
- Navigate to your `appsRegistry` and look for “Access Control (IAM)”.
- Look for “Grant access to this resource” and click on “Add role assignment”.
- You should see a list of roles, select `AcrPull` and click on Next.
- Keep “Assigned access to” to “Managed Identity”, then click on “+ Select members”.
- Set “Managed Identity” to “App Service”, then look for your app by its name in the search bar and select it.
- Click on “Review + assign”.

Note: A rule to always keep in mind when you use the cloud: always give users and applications the least privileges. This is for security reasons: the less you open your gates, the safer it is.
Questions: Go back to your WebApp and check “Azure role assignments” again, what do you see?
9. Make the Webapp deploy the image from the registry
With all permissions granted, now make the WebApp deploy the image you just pushed to the registry.
- Go back to your WebApp and go to Deployment Center settings.
- Change the “Registry source” to “Azure Container Registry”.
- Set “Authentication” to “Managed Identity”.
- Change “Identity” to “System assigned”.
- Set the registry to `appsRegistry`.
- Set the image name to `simpleApp`.
- Set the version to `latest`.
- Save the settings of your WebApp.

Wait a few minutes and visit the URL of your WebApp. You may need to restart the app.
Question: What did you understand from this assignment?
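Steps 7 to 9 can also be scripted with the Azure CLI. The script below is an added example, not part of the original assignment: it assumes a logged-in `az` session and the names used above (`simpleAppRG`, `simple-app`, `appsRegistry`), and its function names are illustrative. It also checks that the WebApp identity holds `AcrPull` on the registry and nothing else, which is the least-privilege rule from step 8.

```sh
#!/bin/sh
# Added example: Azure CLI equivalent of steps 7-9, plus a least-privilege check.
# Names come from this assignment; the function names are illustrative.
RG="simpleAppRG"; APP="simple-app"; ACR="appsRegistry"

# Step 7: enable the system-assigned identity; prints its principal (object) ID.
enable_identity() {
    az webapp identity assign --resource-group "$RG" --name "$APP" \
        --query principalId --output tsv
}

# Step 8: grant AcrPull scoped to the registry only, not the whole resource group.
grant_acr_pull() {  # $1 = principal ID
    acr_id=$(az acr show --name "$ACR" --query id --output tsv) || return 2
    az role assignment create --assignee-object-id "$1" \
        --assignee-principal-type ServicePrincipal \
        --role AcrPull --scope "$acr_id" --output none
}

# Step 9 ("Authentication: Managed Identity"): pull with the identity, not a password.
use_identity_for_pull() {
    az webapp config set --resource-group "$RG" --name "$APP" \
        --generic-configurations '{"acrUseManagedIdentityCreds": true}' --output none
}

# Check: the identity must hold AcrPull on the registry and nothing else.
# Prints findings and returns 1 if any; returns 2 if an az call fails.
audit_assignments() {  # $1 = principal ID
    acr_id=$(az acr show --name "$ACR" --query id --output tsv) || return 2
    list=$(az role assignment list --assignee "$1" --all \
        --query "[].[roleDefinitionName, scope]" --output tsv) || return 2
    findings=$(printf '%s\n' "$list" | awk -F '\t' -v want="$acr_id" '
        $1 == "AcrPull" && tolower($2) == tolower(want) { ok = 1; next }
        NF { print "unexpected: " $1 " at " $2 }
        END { if (!ok) print "missing: AcrPull at " want }')
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
}

# Run the whole sequence only when called as: sh script.sh apply
if [ "${1:-}" = "apply" ]; then
    pid=$(enable_identity) && grant_acr_pull "$pid" &&
        use_identity_for_pull && audit_assignments "$pid"
fi
```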
Task 2: Deploy your Website using Containers
Use the website you developed in previous assignments to create a Docker image and push it to ACR. Then, deploy the app to a WebApp (as in Task 1).
Try to give a unique name for your WebApp and deactivate the “Unique default hostname (preview) on” option (e.g., you can try:
Once deployed, ask your classmate to visit your website!
Troubleshooting:
- Image Pull Errors: Make sure the `az acr login` command was successful.
- Access Denied: Ensure the credentials provided to the web app are correct, and you have assigned the `AcrPull` role to the service principal.
- Web App Not Starting: Use the Azure Portal to check the web app’s logs for more information or run `az webapp log tail` to see real-time logs.
