Managed Identities in Azure are a wonderful thing. No passwords to change, no keys to rotate. The biggest shame is that frequently they seem to be implemented as an afterthought.

One example I recently ran into was the use of an App Service Managed Identity to pull a container from Azure Container Registry. While you can configure an App Service to pull from ACR with a Managed Identity, what the documentation doesn’t tell you is that you still need the DOCKER_REGISTRY_SERVER_USERNAME and DOCKER_REGISTRY_SERVER_PASSWORD App Settings to be configured on the App Service. It doesn’t matter what values you put in these, the point is they must exist. If they don’t, the container will fail to pull with a credential error.