
We are working on using deployment scripts on a private network and need to use a custom container image. The image is stored in a private registry, and we would like to pull additional modules or dependencies from JFrog Artifactory (or another private registry) during the execution of the script. Is that even possible? Has someone come across such a situation?

Following the guide - Run Bicep deployment script privately over a private endpoint

Is it possible to configure the ACI to:

1. Pull a custom image from a private container registry.
2. Pull additional modules or dependencies from JFrog Artifactory (or any private registry) within the container?

If so, could you provide guidance on how to authenticate the container instance to access the JFrog Artifactory registry or another private registry, and how to configure the image to pull the required modules during execution?

Additional Information:

  1. We are using deployment scripts in Azure + using Bicep.
  2. We need to ensure that the custom image can pull modules from private registries like JFrog or similar.
  3. If possible, please provide the steps to authenticate and configure the container instance to interact with private registries.

Thank you for any help or guidance!

Example code

```bicep
resource mngId 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
  name: 'xxxx'
  scope: resourceGroup(subId,usmiRG) //if MI in different RG than template deployment target RG
}

resource vnet 'Microsoft.Network/virtualNetworks@2021-05-01' existing = {
  name: vnetName
  scope: resourceGroup(subId, vnetRg)
}

resource containerInstanceSubnet 'Microsoft.Network/virtualNetworks/subnets@2021-05-01' existing = {
  name: subnetName
  parent: vnet
}

resource Script 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
  name: 'scriptTestsi'
  location: location
  kind: 'AzurePowerShell'
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${mngId.id}': {}
    }
  }
  properties: {
    azPowerShellVersion: '5.0'
    scriptContent: '''
Param([string] $StorageAccountName)
Connect-AzAccount -Identity
$DeploymentScriptOutputs["output"] = New-AzStorageContext -UseConnectedAccount -StorageAccountName $StorageAccountName `
    | Get-AzStorageBlob -Container 'images' -Blob * | Out-String
'''
    arguments: '-StorageAccountName ${storageAccountName}'
    cleanupPreference: 'OnSuccess' //when to cleanup the storage account and ACI instance or OnExpiration, Always
    retentionInterval: 'PT4H' //keep the deployment script resource for this duration (ISO 8601 format) and ACI/SA if OnExpiration cleanuppreference
    forceUpdateTag: currentTime // ensures script runs every time
    storageAccountSettings: {
      storageAccountName: storageAccountName
      storageAccountKey: listKeys(resourceId('Microsoft.Storage/storageAccounts', storageAccountName), '2019-06-01').keys[0].value
    }
    containerSettings: {
      containerGroupName: 'mycustomaci-1'
      subnetIds: [
        {
          id: containerInstanceSubnet.id
        }
      ]
    }
  }
}

output scriptOutput string = Script.properties.outputs.output
//output scriptLogs string = reference('${dScript.id}/logs/default', dScript.apiVersion, 'Full').properties.log
```
  • Hi, could you explain what you are trying to achieve by pulling images from the deployment script => what's the end goal? Sounds more like a task for a private build agent? Commented Feb 28 at 19:16
  • Rephrasing it: a Bicep deployment script runs within an Azure Container Instance, which pulls an image from the Microsoft Registry. The documentation states: "The ACI downloads container images from the Microsoft Container Registry. If you use a firewall, allowlist the URL mcr.microsoft.com to download the image." I would like to know if it's possible to use my own image instead of the default one pulled from the MCR. My goal is to use an image that allows me to pull modules from JFrog or a private registry from the deployment script. Our organization doesn't want to use public images. Commented Mar 2 at 15:22
  • You mean you don't want to use the Azure Container Instance image to run your script, or you wanna pull other images to do something else? Commented Mar 2 at 22:33
