Creating an Azure container instance in a vnet using managed identity
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {},
"resources": [
{
"apiVersion": "2018-11-30",
"dependsOn": [],
"location": "eastus",
"name": "aciUser",
"tags": {},
"type": "Microsoft.ManagedIdentity/userAssignedIdentities"
},
{
"apiVersion": "2018-11-01",
"location": "eastus",
"name": "private-vnet",
"properties": {
"addressSpace": {
"addressPrefixes": [
"10.30.0.0/16"
]
},
"subnets": [
{
"name": "ContainerSubnet",
"properties": {
"addressPrefix": "10.30.19.0/24",
"delegations": [
{
"name": "Microsoft.ContainerInstance/containerGroups",
"properties": {
"serviceName": "Microsoft.ContainerInstance/containerGroups"
}
}
]
}
}
]
},
"tags": {},
"type": "Microsoft.Network/virtualNetworks"
},
{
"apiVersion": "2020-04-01",
"dependsOn": [
"[resourceId('Microsoft.Network/virtualNetworks', 'private-vnet')]"
],
"location": "eastus",
"name": "vnet-aci-profile",
"properties": {
"containerNetworkInterfaceConfigurations": [
{
"name": "eth0",
"properties": {
"ipConfigurations": [
{
"name": "ipconfig1",
"properties": {
"subnet": {
"id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'private-vnet', 'ContainerSubnet')]"
}
}
}
]
}
}
]
},
"tags": {},
"type": "Microsoft.Network/networkProfiles"
},
{
"apiVersion": "2018-10-01",
"dependsOn": [
"[resourceId('Microsoft.Network/networkProfiles', 'vnet-aci-profile')]",
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'aciUser')]"
],
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'aciUser')]": {}
}
},
"location": "eastus",
"name": "myapp-with-msi",
"properties": {
"containers": [
{
"name": "nginx",
"properties": {
"environmentVariables": [],
"image": "nginx:1.17.6-alpine",
"ports": [
{
"port": 80
},
{
"port": 443
},
{
"port": 9090
}
],
"resources": {
"requests": {
"cpu": 1,
"memoryInGB": 0.5
}
},
"volumeMounts": []
}
}
],
"ipAddress": {
"ports": [
{
"port": 80,
"protocol": "TCP"
},
{
"port": 443,
"protocol": "TCP"
}
],
"type": "Private"
},
"networkProfile": {
"id": "[resourceId('Microsoft.Network/networkProfiles', 'vnet-aci-profile')]"
},
"osType": "Linux",
"restartPolicy": "Always",
"volumes": []
},
"tags": {},
"type": "Microsoft.ContainerInstance/containerGroups"
}
]
}
/// User-assigned managed identity that the container group below attaches.
/// Rendered as the Microsoft.ManagedIdentity/userAssignedIdentities resource
/// named "aciUser" in the JSON template above.
let msi =
    userAssignedIdentity {
        name "aciUser"
    }
/// Virtual network (10.30.0.0/16) holding one subnet reserved for container groups.
let privateNetwork =
    // The subnet is delegated to Microsoft.ContainerInstance/containerGroups so
    // ACI can place container network interfaces into it.
    let containerSubnet =
        subnet {
            name "ContainerSubnet"
            prefix "10.30.19.0/24"
            add_delegations [ SubnetDelegationService.ContainerGroups ]
        }
    vnet {
        name "private-vnet"
        add_address_spaces [ "10.30.0.0/16" ]
        add_subnets [ containerSubnet ]
    }
/// Network profile that binds the container group's NIC to ContainerSubnet
/// of private-vnet. The vnet and subnet are referenced by name, so they must
/// match the names used in privateNetwork.
let aciProfile =
    networkProfile {
        name "vnet-aci-profile"
        vnet "private-vnet"
        subnet "ContainerSubnet"
    }
/// Container group running the `nginx` instance (defined earlier in the script,
/// outside this excerpt) on a private vnet address, with the user-assigned
/// identity attached so the workload can request tokens for that identity.
let group =
    containerGroup {
        name "myapp-with-msi"
        add_instances [ nginx ]
        user_assigned_identity msi.Name
        // Private address only: the rendered template has ipAddress.type "Private",
        // so the group is reachable from inside the vnet, not from the internet.
        // NOTE(review): the JSON above lists ports 80 and 443 on the ipAddress,
        // while this DSL lists only 80 — confirm whether instance ports are merged in.
        private_ip [ TCP, 80us ]
        network_profile aciProfile.Name.Value
    }
/// Deployment template: the four resources above, all in East US, added in the
/// same order the rendered JSON lists them (identity, vnet, network profile,
/// container group).
let template =
    arm {
        location Location.EastUS
        add_resource msi
        add_resource privateNetwork
        add_resource aciProfile
        add_resource group
    }
@ninjarobot

After deploying, try to get an MSI token by connecting to the nginx container with /bin/sh and running

# Run inside the nginx container: install curl, then ask the Azure instance
# metadata endpoint for a token scoped to the vault.azure.net resource.
# The response (including the token) is written to stdout.
apk add curl;
curl --silent --header Metadata:true \
  'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net'
