Skip to content

[App Service] Fix container identity ACR pull and Key Vault reference protection#33064

Open
seligj95 wants to merge 5 commits intoAzure:devfrom
seligj95:fix/28858-acr-managed-identity
Open

[App Service] Fix container identity ACR pull and Key Vault reference protection#33064
seligj95 wants to merge 5 commits intoAzure:devfrom
seligj95:fix/28858-acr-managed-identity

Conversation

@seligj95
Copy link
Contributor

@seligj95 seligj95 commented Mar 26, 2026
edited
Loading

Description

This PR consolidates two related fixes for az webapp config container set:

Fix #28858: Managed identity ACR pull support

  • Adds --assign-identity, --role, --scope, --acr-use-identity, and --acr-identity parameters
  • Enables pulling from ACR using managed identity instead of username/password credentials
  • Skips automatic ACR credential lookup when managed identity is configured

Fix #21907: Preserve Key Vault references

  • Reads existing app settings before updating to preserve non-container settings
  • Detects Key Vault references (@Microsoft.KeyVault(...)) in existing registry credentials and skips automatic ACR credential lookup when present
  • Merges only container-specific setting changes into existing settings, preventing data loss

Testing

  • Unit tests added for both features in test_webapp_commands_thru_mock.py
  • All 38 mock tests pass
  • Style checks (pylint + flake8) pass

Known Limitations

  • The deprecated --docker-custom-image-name flag is not compatible with the new --acr-use-identity parameter due to argparse group conflicts. Users should use the current --container-image-name flag instead. This only affects the deprecated code path and is not a regression.

Fixes #28858
Fixes #21907

Previously #33071, consolidated here.

@seligj95
[App Service] Fix Azure#28858: az webapp config container set: Add …
a55b8f4 
…managed identity ACR pull support

Add managed identity support for ACR image pulling in `az webapp config container set`:

- Add --assign-identity, --scope, --role params for identity assignment
- Add --acr-use-identity flag to enable/disable ACR pull via managed identity
- Add --acr-identity param to specify which identity to use for ACR pull
- Update update_container_settings() to call assign_identity() and
  update_site_configs() with ACR identity parameters
- Add unit tests for system identity, user identity, custom role,
  disable identity, and no-identity scenarios
- Update help text with managed identity example

This follows the same patterns used by `az webapp create` for ACR identity
support, using the existing assign_identity() and update_site_configs()
infrastructure.

Fixes Azure#28858

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings March 26, 2026 13:57
@azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented Mar 26, 2026
edited
Loading

❌AzureCLI-FullTest
🔄acr
🔄latest
🔄3.12
🔄3.13
🔄acs
🔄latest
🔄3.12
🔄3.13
🔄advisor
🔄latest
🔄3.12
🔄3.13
🔄ams
🔄latest
️✔️3.12
🔄3.13
🔄apim
🔄latest
🔄3.12
🔄3.13
🔄appconfig
🔄latest
🔄3.12
🔄3.13
❌appservice
❌latest
❌3.12
Type Test Case Error Message Line
Failed test_functionapp_workloadprofiles self = <azure.cli.testsdk.base.ExecutionResult object at 0x7fa97857fa10>
cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7fa97bfa78c0>
command = 'functionapp config container set -g clitest.rg000001 -n functionapp000003 --workload-profile-name wlp000006 --cpu 0.75 --memory 2.0Gi'
expect_failure = False

    def in_process_execute(self, cli_ctx, command, expect_failure=False):
        from io import StringIO
        from vcr.errors import CannotOverwriteExistingCassetteException
    
        if command.startswith('az '):
            command = command[3:]
    
        stdout_buf = StringIO()
        logging_buf = StringIO()
        try:
            # issue: stderr cannot be redirect in this form, as a result some failure information
            # is lost when command fails.
>           self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

src/azure-cli-testsdk/azure/cli/testsdk/base.py:303: 
                                        
env/lib/python3.12/site-packages/knack/cli.py:245: in invoke
    exit_code = self.exception_handler(ex)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/init.py:157: in exception_handler
    return handle_exception(ex)
           ^^^^^^^^^^^^^^^^^^^^
src/azure-cli-testsdk/azure/cli/testsdk/patches.py:33: in handle_main_exception
    raise ex
env/lib/python3.12/site-packages/knack/cli.py:233: in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:677: in execute
    raise ex
src/azure-cli-core/azure/cli/core/commands/init.py:820: in run_jobs_serially
    results.append(self.run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:789: in run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:335: in call
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/command_operation.py:120: in handler
    return op(**command_args)
           ^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/appservice/custom.py:3747: in update_container_settings_functionapp
    return update_container_settings(cmd, resource_group_name, name, registry_server,
src/azure-cli/azure/cli/command_modules/appservice/custom.py:3672: in update_container_settings
    settings = get_app_settings(cmd, resource_group_name, name, slot)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/appservice/custom.py:2846: in get_app_settings
    result = generic_site_operation(cmd.cli_ctx, resource_group_name, name, 'list_application_settings', slot)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/appservice/appservice_utils.py:20: in generic_site_operation
    return (operation(resource_group_name, name)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/tracing/decorator.py:119: in wrapper_use_tracer
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/mgmt/web/v2024_11_01/operations/web_apps_operations.py:19194: in list_application_settings
    pipeline_response: PipelineResponse = self.client.pipeline.run(  # pylint: disable=protected-access
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:242: in run
    return first_node.send(pipeline_request)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/mgmt/core/policies/base.py:95: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/policies/redirect.py:205: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/policies/retry.py:545: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/policies/authentication.py:194: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:130: in send
    self.sender.send(request.http_request, **request.context.options),
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/transport/requests_basic.py:375: in send
    response = self.session.request(  # type: ignore
env/lib/python3.12/site-packages/requests/sessions.py:592: in request
    resp = self.send(prep, **send_kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/requests/sessions.py:706: in send
    r = adapter.send(request, **kwargs)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/requests/adapters.py:645: in send
    resp = conn.urlopen(
env/lib/python3.12/site-packages/urllib3/connectionpool.py:787: in urlopen
    response = self.make_request(
env/lib/python3.12/site-packages/urllib3/connectionpool.py:534: in make_request
    response = conn.getresponse()
               ^^^^^^^^^^^^^^^^^^
                                        

self = <VCRRequestsHTTPSConnection/mnt/vss/work/1/s/src/azure-cli/azure/cli/command_modules/appservice/tests/latest/recordings/test_functionapp_workloadprofiles.yaml(host='management.azure.com', port=443) at 0x7fa9756d4c20>
 = False, kwargs = {}

    def getresponse(self, =False, **kwargs):
        """Retrieve the response"""
        # Check to see if the cassette has a response for this request. If so,
        # then return it
        if self.cassette.can_play_response_for(self.vcr_request):
            log.info(f"Playing response for {self.vcr_request} from cassette")
            response = self.cassette.play_response(self.vcr_request)
            return VCRHTTPResponse(response)
        else:
            if self.cassette.write_protected and self.cassette.filter_request(self.vcr_request):
>               raise CannotOverwriteExistingCassetteException(
                    cassette=self.cassette,
                    failed_request=self.vcr_request,
                )
E               vcr.errors.CannotOverwriteExistingCassetteException: Can't overwrite existing cassette ('/mnt/vss/work/1/s/src/azure-cli/azure/cli/command_modules/appservice/tests/latest/recordings/test_functionapp_workloadprofiles.yaml') in your current record mode ('once').
E               No match for the request (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>)&nbsp;was&nbsp;found.
E               Found 5 similar requests with 0 different matcher(s) :
E               
E               1 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E               Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', 'custom_request_query_matcher']
E               Matchers failed :
E               
E               2 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E               Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', 'custom_request_query_matcher']
E               Matchers failed :
E               
E               3 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E               Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', 'custom_request_query_matcher']
E               Matchers failed :
E               
E               4 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E               Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', 'custom_request_query_matcher']
E               Matchers failed :
E               
E               5 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E               Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', 'custom_request_query_matcher']
E               Matchers failed :

env/lib/python3.12/site-packages/vcr/stubs/init.py:277: CannotOverwriteExistingCassetteException

During handling of the above exception, another exception occurred:

self = <azure.cli.command_modules.appservice.tests.latest.test_functionapp_commands.FunctionWorkloadProfile testMethod=test_functionapp_workloadprofiles>
resource_group = 'clitest.rg000001', storage_account = 'clitest000002'

    @AllowLargeResponse()
    @ResourceGroupPreparer(location='northeurope')
    @StorageAccountPreparer()
    def test_functionapp_workloadprofiles(self, resource_group, storage_account):
    
        functionapp_name = self.create_random_name(
            'functionapp', 32)
        managed_environment_name = self.create_random_name(
            'managedenvironment', 40
        )
        workload_profile_name = self.create_random_name(
            'wlp', 15
        )
    
        workload_profile_name_2 = self.create_random_name(
            'wlp', 15
        )
    
        self.cmd('containerapp env create --name {} --resource-group {} --location northeurope --enable-workload-profiles  --logs-destination none'.format(
            managed_environment_name,
            resource_group,
        ))
    
        if self.is_live:
            time.sleep(260)
    
        self.cmd('containerapp env workload-profile add --name {} --resource-group {} --workload-profile-type D4 -w {} --min-nodes 3 --max-nodes 6'.format(
            managed_environment_name,
            resource_group,
            workload_profile_name
        ))
    
        if self.is_live:
            time.sleep(260)
    
        self.cmd('containerapp env workload-profile add --name {} --resource-group {} --workload-profile-type D4 -w {} --min-nodes 3 --max-nodes 6'.format(
            managed_environment_name,
            resource_group,
            workload_profile_name_2
        ))
    
        if self.is_live:
            time.sleep(260)
    
        self.cmd('functionapp create -g {} -n {} -s {} --functions-version 4 --runtime dotnet-isolated --environment {} --workload-profile-name {} --cpu 1.0 --memory 1.0Gi'.format(
            resource_group,
            functionapp_name,
            storage_account,
            managed_environment_name,
            workload_profile_name
        )).assert_with_checks([
            JMESPathCheck('resourceConfig.cpu', 1.0),
            JMESPathCheck('resourceConfig.memory', '1Gi'),
            JMESPathCheck('workloadProfileName', workload_profile_name)
            ])
    
        self.cmd('functionapp show -g {} -n {}'.format(resource_group, functionapp_name)).assert_with_checks([
            JMESPathCheck('resourceConfig.cpu', 1.0),
            JMESPathCheck('resourceConfig.memory', '1Gi'),
            JMESPathCheck('workloadProfileName', workload_profile_name),
        ])
    
>       self.cmd('functionapp config container set -g {} -n {} --workload-profile-name {} --cpu 0.75 --memory 2.0Gi'.format(
            resource_group,
            functionapp_name,
            workload_profile_name_2
        ))

src/azure-cli/azure/cli/command_modules/appservice/tests/latest/test_functionapp_commands.py:581: 
                                        
src/azure-cli-testsdk/azure/cli/testsdk/base.py:177: in cmd
    return execute(self.cli_ctx, command, expect_failure=expect_failure).assert_with_checks(checks)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-testsdk/azure/cli/testsdk/base.py:252: in init
    self.in_process_execute(cli_ctx, command, expect_failure=expect_failure)
                                        

self = <azure.cli.testsdk.base.ExecutionResult object at 0x7fa97857fa10>
cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7fa97bfa78c0>
command = 'functionapp config container set -g clitest.rg000001 -n functionapp000003 --workload-profile-name wlp000006 --cpu 0.75 --memory 2.0Gi'
expect_failure = False

    def _in_process_execute(self, cli_ctx, command, expect_failure=False):
        from io import StringIO
        from vcr.errors import CannotOverwriteExistingCassetteException
    
        if command.startswith('az '):
            command = command[3:]
    
        stdout_buf = StringIO()
        logging_buf = StringIO()
        try:
            # issue: stderr cannot be redirect in this form, as a result some failure information
            # is lost when command fails.
            self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0
            self.output = stdout_buf.getvalue()
            self.applog = logging_buf.getvalue()
    
        except CannotOverwriteExistingCassetteException as ex:
>           raise AssertionError(ex)
E           AssertionError: Can't overwrite existing cassette ('/mnt/vss/_work/1/s/src/azure-cli/azure/cli/command_modules/appservice/tests/latest/recordings/test_functionapp_workloadprofiles.yaml') in your current record mode ('once').
E           No match for the request (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>)&nbsp;was&nbsp;found.
E           Found 5 similar requests with 0 different matcher(s) :
E           
E           1 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher']
E           Matchers failed :
E           
E           2 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher']
E           Matchers failed :
E           
E           3 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher']
E           Matchers failed :
E           
E           4 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher']
E           Matchers failed :
E           
E           5 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher']
E           Matchers failed :

src/azure-cli-testsdk/azure/cli/testsdk/base.py:308: AssertionError		 azure/cli/command_modules/appservice/tests/latest/test_functionapp_commands.py:518
Failed test_functionapp_enable_dapr The error message is too long, please check the pipeline log for details. azure/cli/command_modules/appservice/tests/latest/test_functionapp_commands.py:673
Failed test_functionapp_container_config_set_replicas The error message is too long, please check the pipeline log for details. azure/cli/command_modules/appservice/tests/latest/test_functionapp_commands.py:1851
Failed test_linux_webapp_quick_create The error message is too long, please check the pipeline log for details. azure/cli/command_modules/appservice/tests/latest/test_webapp_commands.py:188
Failed test_linux_webapp_multicontainer_slot The error message is too long, please check the pipeline log for details. azure/cli/command_modules/appservice/tests/latest/test_webapp_commands.py:1382
Failed test_container_webapp_docker_image_name The error message is too long, please check the pipeline log for details. azure/cli/command_modules/appservice/tests/latest/test_webapp_commands.py:2434
❌3.13
Type Test Case Error Message Line
Failed test_functionapp_workloadprofiles self = <azure.cli.testsdk.base.ExecutionResult object at 0x7fa35ea59910>
cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7fa364d02d50>
command = 'functionapp config container set -g clitest.rg000001 -n functionapp000003 --workload-profile-name wlp000006 --cpu 0.75 --memory 2.0Gi'
expect_failure = False

    def in_process_execute(self, cli_ctx, command, expect_failure=False):
        from io import StringIO
        from vcr.errors import CannotOverwriteExistingCassetteException
    
        if command.startswith('az '):
            command = command[3:]
    
        stdout_buf = StringIO()
        logging_buf = StringIO()
        try:
            # issue: stderr cannot be redirect in this form, as a result some failure information
            # is lost when command fails.
>           self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

src/azure-cli-testsdk/azure/cli/testsdk/base.py:303: 
                                        
env/lib/python3.13/site-packages/knack/cli.py:245: in invoke
    exit_code = self.exception_handler(ex)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/init.py:157: in exception_handler
    return handle_exception(ex)
           ^^^^^^^^^^^^^^^^^^^^
src/azure-cli-testsdk/azure/cli/testsdk/patches.py:33: in handle_main_exception
    raise ex
env/lib/python3.13/site-packages/knack/cli.py:233: in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:677: in execute
    raise ex
src/azure-cli-core/azure/cli/core/commands/init.py:820: in run_jobs_serially
    results.append(self.run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:789: in run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:335: in call
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/command_operation.py:120: in handler
    return op(**command_args)
           ^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/appservice/custom.py:3747: in update_container_settings_functionapp
    return update_container_settings(cmd, resource_group_name, name, registry_server,
src/azure-cli/azure/cli/command_modules/appservice/custom.py:3672: in update_container_settings
    settings = get_app_settings(cmd, resource_group_name, name, slot)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/appservice/custom.py:2846: in get_app_settings
    result = generic_site_operation(cmd.cli_ctx, resource_group_name, name, 'list_application_settings', slot)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/appservice/appservice_utils.py:20: in generic_site_operation
    return (operation(resource_group_name, name)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/tracing/decorator.py:119: in wrapper_use_tracer
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/mgmt/web/v2024_11_01/operations/web_apps_operations.py:19194: in list_application_settings
    pipeline_response: PipelineResponse = self.client.pipeline.run(  # pylint: disable=protected-access
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:242: in run
    return first_node.send(pipeline_request)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/mgmt/core/policies/base.py:95: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/policies/redirect.py:205: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/policies/retry.py:545: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/policies/authentication.py:194: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:130: in send
    self.sender.send(request.http_request, **request.context.options),
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/transport/requests_basic.py:375: in send
    response = self.session.request(  # type: ignore
env/lib/python3.13/site-packages/requests/sessions.py:592: in request
    resp = self.send(prep, **send_kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/requests/sessions.py:706: in send
    r = adapter.send(request, **kwargs)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/requests/adapters.py:645: in send
    resp = conn.urlopen(
env/lib/python3.13/site-packages/urllib3/connectionpool.py:787: in urlopen
    response = self.make_request(
env/lib/python3.13/site-packages/urllib3/connectionpool.py:534: in make_request
    response = conn.getresponse()
               ^^^^^^^^^^^^^^^^^^
                                        

self = <VCRRequestsHTTPSConnection/mnt/vss/work/1/s/src/azure-cli/azure/cli/command_modules/appservice/tests/latest/recordings/test_functionapp_workloadprofiles.yaml(host='management.azure.com', port=443) at 0x7fa36155b930>
 = False, kwargs = {}

    def getresponse(self, =False, **kwargs):
        """Retrieve the response"""
        # Check to see if the cassette has a response for this request. If so,
        # then return it
        if self.cassette.can_play_response_for(self.vcr_request):
            log.info(f"Playing response for {self.vcr_request} from cassette")
            response = self.cassette.play_response(self.vcr_request)
            return VCRHTTPResponse(response)
        else:
            if self.cassette.write_protected and self.cassette.filter_request(self.vcr_request):
>               raise CannotOverwriteExistingCassetteException(
                    cassette=self.cassette,
                    failed_request=self.vcr_request,
                )
E               vcr.errors.CannotOverwriteExistingCassetteException: Can't overwrite existing cassette ('/mnt/vss/work/1/s/src/azure-cli/azure/cli/command_modules/appservice/tests/latest/recordings/test_functionapp_workloadprofiles.yaml') in your current record mode ('once').
E               No match for the request (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>)&nbsp;was&nbsp;found.
E               Found 5 similar requests with 0 different matcher(s) :
E               
E               1 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E               Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', 'custom_request_query_matcher']
E               Matchers failed :
E               
E               2 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E               Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', 'custom_request_query_matcher']
E               Matchers failed :
E               
E               3 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E               Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', 'custom_request_query_matcher']
E               Matchers failed :
E               
E               4 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E               Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', 'custom_request_query_matcher']
E               Matchers failed :
E               
E               5 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E               Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', 'custom_request_query_matcher']
E               Matchers failed :

env/lib/python3.13/site-packages/vcr/stubs/init.py:277: CannotOverwriteExistingCassetteException

During handling of the above exception, another exception occurred:

self = <azure.cli.command_modules.appservice.tests.latest.test_functionapp_commands.FunctionWorkloadProfile testMethod=test_functionapp_workloadprofiles>
resource_group = 'clitest.rg000001', storage_account = 'clitest000002'

    @AllowLargeResponse()
    @ResourceGroupPreparer(location='northeurope')
    @StorageAccountPreparer()
    def test_functionapp_workloadprofiles(self, resource_group, storage_account):
    
        functionapp_name = self.create_random_name(
            'functionapp', 32)
        managed_environment_name = self.create_random_name(
            'managedenvironment', 40
        )
        workload_profile_name = self.create_random_name(
            'wlp', 15
        )
    
        workload_profile_name_2 = self.create_random_name(
            'wlp', 15
        )
    
        self.cmd('containerapp env create --name {} --resource-group {} --location northeurope --enable-workload-profiles  --logs-destination none'.format(
            managed_environment_name,
            resource_group,
        ))
    
        if self.is_live:
            time.sleep(260)
    
        self.cmd('containerapp env workload-profile add --name {} --resource-group {} --workload-profile-type D4 -w {} --min-nodes 3 --max-nodes 6'.format(
            managed_environment_name,
            resource_group,
            workload_profile_name
        ))
    
        if self.is_live:
            time.sleep(260)
    
        self.cmd('containerapp env workload-profile add --name {} --resource-group {} --workload-profile-type D4 -w {} --min-nodes 3 --max-nodes 6'.format(
            managed_environment_name,
            resource_group,
            workload_profile_name_2
        ))
    
        if self.is_live:
            time.sleep(260)
    
        self.cmd('functionapp create -g {} -n {} -s {} --functions-version 4 --runtime dotnet-isolated --environment {} --workload-profile-name {} --cpu 1.0 --memory 1.0Gi'.format(
            resource_group,
            functionapp_name,
            storage_account,
            managed_environment_name,
            workload_profile_name
        )).assert_with_checks([
            JMESPathCheck('resourceConfig.cpu', 1.0),
            JMESPathCheck('resourceConfig.memory', '1Gi'),
            JMESPathCheck('workloadProfileName', workload_profile_name)
            ])
    
        self.cmd('functionapp show -g {} -n {}'.format(resource_group, functionapp_name)).assert_with_checks([
            JMESPathCheck('resourceConfig.cpu', 1.0),
            JMESPathCheck('resourceConfig.memory', '1Gi'),
            JMESPathCheck('workloadProfileName', workload_profile_name),
        ])
    
>       self.cmd('functionapp config container set -g {} -n {} --workload-profile-name {} --cpu 0.75 --memory 2.0Gi'.format(
            resource_group,
            functionapp_name,
            workload_profile_name_2
        ))

src/azure-cli/azure/cli/command_modules/appservice/tests/latest/test_functionapp_commands.py:581: 
                                        
src/azure-cli-testsdk/azure/cli/testsdk/base.py:177: in cmd
    return execute(self.cli_ctx, command, expect_failure=expect_failure).assert_with_checks(checks)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-testsdk/azure/cli/testsdk/base.py:252: in init
    self.in_process_execute(cli_ctx, command, expect_failure=expect_failure)
                                        

self = <azure.cli.testsdk.base.ExecutionResult object at 0x7fa35ea59910>
cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7fa364d02d50>
command = 'functionapp config container set -g clitest.rg000001 -n functionapp000003 --workload-profile-name wlp000006 --cpu 0.75 --memory 2.0Gi'
expect_failure = False

    def _in_process_execute(self, cli_ctx, command, expect_failure=False):
        from io import StringIO
        from vcr.errors import CannotOverwriteExistingCassetteException
    
        if command.startswith('az '):
            command = command[3:]
    
        stdout_buf = StringIO()
        logging_buf = StringIO()
        try:
            # issue: stderr cannot be redirect in this form, as a result some failure information
            # is lost when command fails.
            self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0
            self.output = stdout_buf.getvalue()
            self.applog = logging_buf.getvalue()
    
        except CannotOverwriteExistingCassetteException as ex:
>           raise AssertionError(ex)
E           AssertionError: Can't overwrite existing cassette ('/mnt/vss/_work/1/s/src/azure-cli/azure/cli/command_modules/appservice/tests/latest/recordings/test_functionapp_workloadprofiles.yaml') in your current record mode ('once').
E           No match for the request (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>)&nbsp;was&nbsp;found.
E           Found 5 similar requests with 0 different matcher(s) :
E           
E           1 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher']
E           Matchers failed :
E           
E           2 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher']
E           Matchers failed :
E           
E           3 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher']
E           Matchers failed :
E           
E           4 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher']
E           Matchers failed :
E           
E           5 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher']
E           Matchers failed :

src/azure-cli-testsdk/azure/cli/testsdk/base.py:308: AssertionError		 azure/cli/command_modules/appservice/tests/latest/test_functionapp_commands.py:518
Failed test_functionapp_enable_dapr The error message is too long, please check the pipeline log for details. azure/cli/command_modules/appservice/tests/latest/test_functionapp_commands.py:673
Failed test_functionapp_container_config_set_replicas The error message is too long, please check the pipeline log for details. azure/cli/command_modules/appservice/tests/latest/test_functionapp_commands.py:1851
Failed test_linux_webapp_quick_create The error message is too long, please check the pipeline log for details. azure/cli/command_modules/appservice/tests/latest/test_webapp_commands.py:188
Failed test_linux_webapp_multicontainer_slot The error message is too long, please check the pipeline log for details. azure/cli/command_modules/appservice/tests/latest/test_webapp_commands.py:1382
Failed test_container_webapp_docker_image_name The error message is too long, please check the pipeline log for details. azure/cli/command_modules/appservice/tests/latest/test_webapp_commands.py:2434
🔄aro
🔄latest
🔄3.12
🔄3.13
🔄backup
🔄latest
🔄3.12
🔄3.13
🔄batch
🔄latest
️✔️3.12
🔄3.13
️✔️batchai
️✔️latest
️✔️3.12
️✔️3.13
🔄billing
🔄latest
🔄3.12
🔄3.13
🔄botservice
🔄latest
️✔️3.12
🔄3.13
🔄cdn
🔄latest
🔄3.12
🔄3.13
🔄cloud
🔄latest
🔄3.12
🔄3.13
🔄cognitiveservices
🔄latest
🔄3.12
🔄3.13
🔄compute_recommender
🔄latest
️✔️3.12
🔄3.13
️✔️computefleet
️✔️latest
️✔️3.12
️✔️3.13
️✔️config
️✔️latest
️✔️3.12
️✔️3.13
🔄configure
🔄latest
🔄3.12
🔄3.13
🔄consumption
🔄latest
🔄3.12
🔄3.13
🔄container
🔄latest
️✔️3.12
🔄3.13
🔄containerapp
🔄latest
🔄3.12
🔄3.13
🔄core
🔄latest
🔄3.12
🔄3.13
🔄cosmosdb
🔄latest
🔄3.12
🔄3.13
🔄databoxedge
🔄latest
🔄3.12
🔄3.13
🔄dls
🔄latest
🔄3.12
🔄3.13
🔄dms
🔄latest
🔄3.12
🔄3.13
🔄eventgrid
🔄latest
🔄3.12
🔄3.13
🔄eventhubs
🔄latest
🔄3.12
🔄3.13
🔄feedback
🔄latest
️✔️3.12
🔄3.13
🔄find
🔄latest
🔄3.12
🔄3.13
🔄hdinsight
🔄latest
🔄3.12
🔄3.13
🔄identity
🔄latest
🔄3.12
🔄3.13
🔄iot
🔄latest
🔄3.12
🔄3.13
🔄keyvault
🔄latest
️✔️3.12
🔄3.13
️✔️lab
️✔️latest
️✔️3.12
️✔️3.13
🔄managedservices
🔄latest
️✔️3.12
🔄3.13
🔄maps
🔄latest
🔄3.12
🔄3.13
🔄marketplaceordering
🔄latest
🔄3.12
🔄3.13
🔄monitor
🔄latest
🔄3.12
🔄3.13
🔄mysql
🔄latest
🔄3.12
🔄3.13
🔄netappfiles
🔄latest
🔄3.12
🔄3.13
🔄network
🔄latest
🔄3.12
🔄3.13
🔄policyinsights
🔄latest
🔄3.12
🔄3.13
🔄postgresql
🔄latest
🔄3.12
🔄3.13
🔄privatedns
🔄latest
🔄3.12
🔄3.13
🔄profile
🔄latest
🔄3.12
🔄3.13
🔄rdbms
🔄latest
🔄3.12
🔄3.13
️✔️redis
️✔️latest
️✔️3.12
️✔️3.13
🔄relay
🔄latest
🔄3.12
🔄3.13
🔄resource
🔄latest
🔄3.12
🔄3.13
️✔️role
️✔️latest
️✔️3.12
️✔️3.13
🔄search
🔄latest
🔄3.12
🔄3.13
️✔️security
️✔️latest
️✔️3.12
️✔️3.13
🔄servicebus
🔄latest
🔄3.12
🔄3.13
🔄serviceconnector
🔄latest
️✔️3.12
🔄3.13
️✔️servicefabric
️✔️latest
️✔️3.12
️✔️3.13
🔄signalr
🔄latest
🔄3.12
🔄3.13
🔄sql
🔄latest
🔄3.12
🔄3.13
🔄sqlvm
🔄latest
🔄3.12
🔄3.13
🔄storage
🔄latest
🔄3.12
🔄3.13
🔄synapse
🔄latest
🔄3.12
🔄3.13
🔄telemetry
🔄latest
🔄3.12
🔄3.13
️✔️util
️✔️latest
️✔️3.12
️✔️3.13
🔄vm
🔄latest
🔄3.12
🔄3.13

@azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented Mar 26, 2026

Hi @seligj95,
Since the current milestone time is less than 7 days, this pr will be reviewed in the next milestone.

@azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented Mar 26, 2026
edited
Loading

⚠️AzureCLI-BreakingChangeTest
⚠️appservice
rule cmd_name rule_message suggest_message
⚠️ 1006 - ParaAdd webapp config container set cmd webapp config container set added parameter acr_identity
⚠️ 1006 - ParaAdd webapp config container set cmd webapp config container set added parameter acr_use_identity
⚠️ 1006 - ParaAdd webapp config container set cmd webapp config container set added parameter assign_identities
⚠️ 1006 - ParaAdd webapp config container set cmd webapp config container set added parameter role
⚠️ 1006 - ParaAdd webapp config container set cmd webapp config container set added parameter scope

@yonzhan
Copy link
Collaborator

yonzhan commented Mar 26, 2026

Thank you for your contribution! We will review the pull request and get back to you soon.

@github-actions
Copy link

github-actions bot commented Mar 26, 2026

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

@microsoft-github-policy-service microsoft-github-policy-service bot added the Auto-Assign Auto assign by bot label Mar 26, 2026
Copilot AI reviewed Mar 26, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds managed identity support for pulling container images from Azure Container Registry (ACR) when running az webapp config container set, aligning container-update behavior with existing managed-identity ACR pull support elsewhere in App Service.

Changes:

  • Adds new CLI parameters to webapp config container set for assigning managed identities and controlling ACR pull via managed identity (--assign-identity, --scope, --role, --acr-use-identity, --acr-identity).
  • Extends update_container_settings to optionally assign identities and update site config ACR identity settings.
  • Adds help example and new mock-based unit tests for the identity-enabled flows.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File Description
src/azure-cli/azure/cli/command_modules/appservice/custom.py Extends update_container_settings to optionally assign identities and set ACR MI site-config flags/identity.
src/azure-cli/azure/cli/command_modules/appservice/_params.py Wires new arguments into webapp config container set.
src/azure-cli/azure/cli/command_modules/appservice/_help.py Adds a managed-identity ACR pull example for webapp config container set.
src/azure-cli/azure/cli/command_modules/appservice/tests/latest/test_webapp_commands_thru_mock.py Adds unit tests validating identity-related calls made by update_container_settings.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@seligj95
Address review: skip ACR cred lookup when using managed identity
a690954 
- Short-circuit _get_acr_cred when acr_use_identity is set to avoid
  persisting admin credentials that defeat MI-based pulls
- Add regression test asserting _get_acr_cred is not called in MI flow

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@yonzhan yonzhan assigned yanzhudd and unassigned zhoxing-ms Mar 26, 2026
@seligj95
[App Service] Fix Azure#21907: az webapp config container set: pres…
814f3ef 
…erve Key Vault references

When running `az webapp config container set`, existing app settings
containing Key Vault references (e.g., @Microsoft.KeyVault(...)) were
being overwritten. This happened because:

1. ACR credential auto-detection replaced KV-ref credentials with raw
   values when a .azurecr.io URL was provided without explicit
   username/password.
2. The settings update used a read-modify-write cycle through
   update_app_settings that could interfere with non-container settings.

This fix:
- Adds _is_key_vault_reference() helper to detect KV reference values.
- Skips ACR credential auto-detection when existing username/password
  settings are Key Vault references.
- Merges only container-specific keys directly into the existing
  properties dict, preserving all other app settings as-is.
- Adds unit tests verifying KV references survive container set
  operations.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@seligj95 seligj95 changed the title [App Service] Fix #28858: az webapp config container set: Add managed identity ACR pull support [App Service] Fix #28858, #21907: managed identity ACR pull and Key Vault reference protection Mar 26, 2026
@seligj95 seligj95 mentioned this pull request Mar 26, 2026
Closed
@seligj95
Address review: early-return ACR cred skip, consolidate site-config c…
38a88a5 
…alls, strengthen test assertions

- When acr_use_identity is set, short-circuit credential lookup entirely
  (explicit early branch instead of relying on compound condition)
- Accumulate all site-config changes (multicontainer, replicas, ACR identity)
  into a single update_site_configs call to reduce latency and failure surface
- Add _get_acr_cred mock to all MI tests and assert it is never called
- Add update_site_configs value assertions to custom-role test

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@seligj95 seligj95 changed the title [App Service] Fix #28858, #21907: managed identity ACR pull and Key Vault reference protection [App Service] Fix container identity ACR pull and Key Vault reference protection Mar 26, 2026
@seligj95
Fix pylint too-many-branches and flake8 E128 indent
1e1d6d7 
Extract _build_container_updates helper to reduce branch count in
update_container_settings from 22 to 18 (max 20). Fix continuation
line indentation for visual alignment.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@NoriZC NoriZC Awaiting requested review from NoriZC NoriZC is a code owner

@yanzhudd yanzhudd Awaiting requested review from yanzhudd yanzhudd is a code owner

@teresaritorto teresaritorto Awaiting requested review from teresaritorto teresaritorto is a code owner

@northtyphoon northtyphoon Awaiting requested review from northtyphoon

@terencet-dev terencet-dev Awaiting requested review from terencet-dev

@jsntcy jsntcy Awaiting requested review from jsntcy

@zhoxing-ms zhoxing-ms Awaiting requested review from zhoxing-ms

@yonzhan yonzhan Awaiting requested review from yonzhan

@wangzelin007 wangzelin007 Awaiting requested review from wangzelin007

At least 1 approving review is required to merge this pull request.

Assignees

@yanzhudd yanzhudd

Labels

act-observability-squad Auto-Assign Auto assign by bot Web Apps az webapp

Projects

None yet

Milestone

May 2026 (2026-05-05)

Development

Successfully merging this pull request may close these issues.

Support Managed Identity for Image ACR pulling in App Service image update command webapp config container set overwrites DOCKER_* app settings

5 participants

@seligj95 @yonzhan @zhoxing-ms @yanzhudd