We have a pretty basic NodeJS Express application that we package in a docker container and publish to an Azure Container Registry using an Azure DevOps build pipeline. This part works fine, but when we run a task to make our App Service use this newly published image we get permission issues.
We are using the following command to activate the image in our App Service in our build pipeline:

inputs:
  azureSubscription: ${{ variables.service_connection }}
  appName: ${{ variables.app_name }}
  imageName: ${{ variables.container_registry }}/${{ variables.image_name }}:${{ parameters.stack }}
Our build pipeline is also running successfully. But when looking into my App Service it says that my application is unhealthy. When reading the logs it says:
2024-07-17T13:13:53.610Z ERROR - DockerApiException: Docker API responded with status code=NotFound, response={"message":"manifest for mycontainerrepository.azurecr.io/myimagename:my_tag not found: manifest unknown: manifest tagged by "my_tag" is not found"}
2024-07-17T13:13:53.784Z ERROR - DockerApiException: Docker API responded with status code=InternalServerError, response={"message":"Head "https://mycontainerrepository.azurecr.io/v2/myimagename/manifests/my_tag": unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information."}
2024-07-17T13:13:53.788Z WARN - Image pull failed. Defaulting to local copy if present.
2024-07-17T13:13:53.792Z ERROR - Image pull failed: Verify docker image configuration and credentials (if using private repository)/home/LogFiles/2024_07_17_lw1sdlwk00013M_msi_docker.log (https://myimagename.scm.azurewebsites.net/api/vfs/LogFiles/2024_07_17_lw1sdlwk00013M_msi_docker.log)
When looking at the documentation from Microsoft we have found this:
The task uses the service principal in the service connection to authenticate with Azure. If the service principal has expired or doesn’t have permissions to the App Service, the task fails with this error. Verify the validity of the service principal used and that it’s present in the app registration. For more information, see Use role-based access control to manage access to your Azure subscription resources. This blog post also contains more information about using service principal authentication.
on this page: https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/reference/azure-function-app-container-v1?view=azure-pipelines
It seems to hint that the Service Principal that is used by the Service Connection that our build pipeline is using must have the correct permissions. I have verified that it does have the AcrPull permission on the Azure Container Registry though (which seems to be what the logs are complaining about); it also has the Website Contributor role on the App Service we’re deploying to.
My only way to repair this has been to go into Deployment Center and click “Disconnect” on the Azure Pipeline, and then manually configure that it should use the Azure Container Registry directly as source (the App Service has a managed Identity that has been given the AcrPull permission).
Can someone explain what the suggested way is to allow our Azure DevOps pipeline to deploy the new docker image to our App Service?
UPDATE
After some trial and error it seems the error happens depending on whether we have configured Inbound IP restrictions or not. There are no outbound restrictions, but we have configured that only the health probe and some of our internal IPs should be able to access this service. If this restriction is disabled, then the image can suddenly be downloaded and things seem to work. Adding the restrictions again then keeps the service working up until the next time the Azure DevOps Pipeline does a deploy.
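Added triage helper (not code from the question, from Azure DevOps or from the App Service platform): it parses lines in the format of the *_docker.log excerpt quoted above, pulls out the image reference and classifies each failure so a pipeline check can tell a missing tag from a rejected pull and flag the silent fallback to a local image. The sample log below is constructed from the lines quoted in the question; the category names and check texts are this example's own.

```python
import re

# Constructed sample, modelled on the four *_docker.log lines quoted in the question.
SAMPLE_LOG = """\
2024-07-17T13:13:53.610Z ERROR - DockerApiException: Docker API responded with status code=NotFound, response={"message":"manifest for mycontainerrepository.azurecr.io/myimagename:my_tag not found: manifest unknown: manifest tagged by "my_tag" is not found"}
2024-07-17T13:13:53.784Z ERROR - DockerApiException: Docker API responded with status code=InternalServerError, response={"message":"Head "https://mycontainerrepository.azurecr.io/v2/myimagename/manifests/my_tag": unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information."}
2024-07-17T13:13:53.788Z WARN - Image pull failed. Defaulting to local copy if present.
2024-07-17T13:13:53.792Z ERROR - Image pull failed: Verify docker image configuration and credentials (if using private repository)
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+-\s+(?P<msg>.*)$")
STATUS_RE = re.compile(r"status code=(?P<status>\w+)")
# image reference, either as "manifest for registry/repo:tag" or as the /v2/<repo>/manifests/<tag> URL
IMAGE_RE = re.compile(r"manifest for (?P<registry>[\w.-]+)/(?P<repo>[\w./-]+):(?P<tag>[\w.-]+)")
URL_RE = re.compile(r"https?://(?P<registry>[\w.-]+)/v2/(?P<repo>[\w./-]+)/manifests/(?P<tag>[\w.-]+)")
# substring -> category; first match wins, so the specific signatures come before the generic one
SIGNATURES = [
    ("manifest unknown", "tag_not_found"),
    ("unauthorized: authentication required", "pull_unauthorized"),
    ("Defaulting to local copy", "fallback_to_local_image"),
    ("Image pull failed", "pull_failed"),
]

def parse_line(line):
    # Returns a dict for one log line, or None if the line is not in the log format.
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    status = STATUS_RE.search(msg)
    ref = IMAGE_RE.search(msg) or URL_RE.search(msg)
    category = next((cat for needle, cat in SIGNATURES if needle in msg), "other")
    return {"ts": m.group("ts"), "level": m.group("level"), "category": category,
            "status": status.group("status") if status else None,
            "image": f"{ref['registry']}/{ref['repo']}:{ref['tag']}" if ref else None}

def recommended_checks(categories):
    # Maps the failure categories seen to the checks a deployer should make before trusting the deploy.
    checks = []
    if "tag_not_found" in categories:
        checks.append("confirm the tag that was pushed matches the imageName the deploy task passed")
    if "pull_unauthorized" in categories:
        checks.append("confirm the identity the App Service pulls with has AcrPull on the registry")
    if "fallback_to_local_image" in categories:
        checks.append("an older local image may still be serving, so the deploy is not done until the new tag runs")
    return checks

def triage(log_text):
    # Summarises a log: parsed events, distinct image references, categories and checks.
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    categories = {e["category"] for e in events}
    return {"events": events, "images": sorted({e["image"] for e in events if e["image"]}),
            "categories": categories, "checks": recommended_checks(categories)}
```

Run `triage(SAMPLE_LOG)` to see the four events, the single image reference and the three checks; the WARN line is the one to alert on, since a site that falls back to its local copy keeps answering the health probe with the old image.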