az containerapp create with yaml & identity?

Question

az containerapp create with yaml & identity?

Zach Howell 85

I'm trying to swap from using `az containerapp create with all args to using the --yaml variant. Are there any good examples of creating an app with an image from a private container registry and/or Dockerfile?

I found this example:

https://techcommunity.microsoft.com/blog/appsonazureblog/deploy-containers-to-azure-container-apps-workload-profiles-using-yaml/3962211

which uses the yaml format, but in general have not found very many resources to setup in this fashion. Some others include:
https://learn.microsoft.com/en-us/azure/container-apps/azure-resource-manager-api-spec?tabs=yaml

& overall documentation at get response docs. However these use hardcoded public images & don't include examples of RegistryCredentials or ManagedServiceIdentity.
From trying to work through this with AI chat, I first got the error:

ERROR: Failed to provision revision for container app 'your-app-name'. Error details: Identity with resource ID 'system' not found for registry your-regsitry.azurecr.io.

& then I tried using UserAssignedIdentity, setting up a custom role with az identity & giving it AcrPull permissions. Then I got error:
Failed to perform resource identity operation.``BadRequest","message":"Resource '/subscriptions/123/resourcegroups/rg123/providers/Microsoft.Managedidentity/Userassignedidentities/Youridentity' was not found."}}'.'

One thing odd about this last error is that my actual identity is youridentity lowercase & this (lowercase) is also how I wrote it in the yaml, but the error message displays with a capital Y.

Anyway, this is all getting rather complicated & it seems like there's something different going on with identity between the az containerapp create command with & without yaml. Does the no yaml route auto setup some identities for you while the yaml route does not? Therefore I'd just love an example tutorial of using a private registry with --yaml.

..why yaml in general? I have a script for creating apps & with yaml I can set some additional parameters which I now need (specifically for me increasing the start time for health checks so a slow image can startup without being killed).

Pravallika KV 3,955 Reputation points Microsoft External Staff Moderator

2025-12-16T18:36:57.1133333+00:00

Hi @Zach Howell ,

Thanks for reaching out to Microsoft Q&A.

Have you checked the examples available in https://learn.microsoft.com/en-us/cli/azure/containerapp?view=azure-cli-latest&preserve-view=true#az-containerapp-create-examples to create containerapp using --Yaml?
Zach Howell 85 Reputation points

2025-12-16T19:01:11.39+00:00

There is only 1 example which uses yaml on that page & it links to https://learn.microsoft.com/en-us/azure/container-apps/azure-resource-manager-api-spec?tabs=yaml#container-app-examples which I also referenced from my question. So yes, I have checked out that singular example.
Pravallika KV 3,955 Reputation points Microsoft External Staff Moderator

2025-12-16T19:25:50.56+00:00

@Zach Howell ,Thanks for the confirmation. I will try this from my end and share the working example.
Zach Howell 85 Reputation points

2025-12-16T19:32:36.2+00:00

Thank you! If I do need to run some az identity commands / setup my own manually it would be great to have those as well. Or at least simply confirmation that yes identity is harder to do when running with yaml than without.

Pravallika KV 3,955 Microsoft External Staff Moderator

@Zach Howell ,

I am able to create the container app with Identity using Yaml file.

identity:
  userAssignedIdentities:
    "/subscriptions/<SubscriptionID>/resourceGroups/RG_Name/providers/Microsoft.ManagedIdentity/userAssignedIdentities/kpuami": {}
  type: UserAssigned
properties:
  configuration:
    ingress:
      external: true
      allowInsecure: false
      targetPort: 80
  template:
    containers:
    - image: mcr.microsoft.com/azuredocs/containerapps-helloworld:latest
      name: app
      resources:
          cpu: 0.5
          memory: 1Gi

Command:

az containerapp create -n kpr-containerapp -g "DefaultResourceGroup" --environment kp-env --yaml "containerapps.yml"

Zach Howell 85 Reputation points

2025-12-16T21:53:30.5366667+00:00
Mine looks very similar.. Here's a sampling

identity: userAssignedIdentities: "/subscriptions/my-sub/resourcegroups/my-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-id": {} type: UserAssigned properties: configuration: registries: - server: my-registry.azurecr.io

But it gives the BadRequest error with the weird capitalization. I've copy pasted this identity string directly from the output of a az identity list -g my-rg command.
I was generally concerned about the registry section as having not seen that in examples.. but I guess I can't even get this to work without it so maybe I should just focus on that error first.
Pravallika KV 3,955 Reputation points Microsoft External Staff Moderator

2025-12-16T21:56:03.7166667+00:00

Could you share the error message here if possible?
Zach Howell 85 Reputation points

2025-12-16T22:00:11.83+00:00

(FailedIdentityOperation) Identity operation for resource '/subscriptions/123/resourceGroups/my-rg/providers/Microsoft.App/containerApps/my-identity-1' failed with error 'Failed to perform resource identity operation. Status: 'BadRequest'. Response: '{"error":{"code":"BadRequest","message":"Resource '/subscriptions/123/resourcegroups/my-Rg/providers/Microsoft.Managedidentity/Userassignedidentities/My-Identity-1' was not found."}}'.

While I have swapped out the precise names here the error message change from "my-identity-1" -> "My-Identity-1" does happen in the first vs second sentence.
Pravallika KV 3,955 Reputation points Microsoft External Staff Moderator

2025-12-16T22:33:57.86+00:00

Looks like Azure Container Apps cannot find the referenced user-assigned managed identity. This could be due to an incorrect or mismatched resource ID, most commonly a resource group name casing mismatch (ARM resource IDs are case-sensitive), or the identity existing in a different resource group or subscription. It can also happen if the identity was deleted and recreated, leaving the app referencing an old ID.

Verify the managed identity exists, ensure the correct subscription, resource group, and casing, confirm required permissions, and update the Container App to reference the correct identity ID before redeploying.
Pravallika KV 3,955 Reputation points Microsoft External Staff Moderator

2025-12-17T17:15:44.99+00:00

@Zach Howell , Following up to see if the above provided information was helpful to fix the issue. Please let me know if you are still facing the issue.

Answer accepted by question author

0 additional answers

Your answer

Pravallika KV 3,955 Reputation points Microsoft External Staff Moderator

2025-12-16T18:36:57.1133333+00:00

Hi @Zach Howell ,

Thanks for reaching out to Microsoft Q&A.

Have you checked the examples available in https://learn.microsoft.com/en-us/cli/azure/containerapp?view=azure-cli-latest&preserve-view=true#az-containerapp-create-examples to create containerapp using --Yaml?
Zach Howell 85 Reputation points

2025-12-16T19:01:11.39+00:00

There is only 1 example which uses yaml on that page & it links to https://learn.microsoft.com/en-us/azure/container-apps/azure-resource-manager-api-spec?tabs=yaml#container-app-examples which I also referenced from my question. So yes, I have checked out that singular example.
Pravallika KV 3,955 Reputation points Microsoft External Staff Moderator

2025-12-16T19:25:50.56+00:00

@Zach Howell ,Thanks for the confirmation. I will try this from my end and share the working example.
Zach Howell 85 Reputation points

2025-12-16T19:32:36.2+00:00

Thank you! If I do need to run some az identity commands / setup my own manually it would be great to have those as well. Or at least simply confirmation that yes identity is harder to do when running with yaml than without.
Pravallika KV 3,955 Reputation points Microsoft External Staff Moderator

2025-12-16T20:25:31.5066667+00:00

@Zach Howell ,

I am able to create the container app with Identity using Yaml file.

identity: userAssignedIdentities: "/subscriptions/<SubscriptionID>/resourceGroups/RG_Name/providers/Microsoft.ManagedIdentity/userAssignedIdentities/kpuami": {} type: UserAssigned properties: configuration: ingress: external: true allowInsecure: false targetPort: 80 template: containers: - image: mcr.microsoft.com/azuredocs/containerapps-helloworld:latest name: app resources: cpu: 0.5 memory: 1Gi

Command:

az containerapp create -n kpr-containerapp -g "DefaultResourceGroup" --environment kp-env --yaml "containerapps.yml"
Zach Howell 85 Reputation points

2025-12-16T21:53:30.5366667+00:00

Mine looks very similar.. Here's a sampling

identity: userAssignedIdentities: "/subscriptions/my-sub/resourcegroups/my-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-id": {} type: UserAssigned properties: configuration: registries: - server: my-registry.azurecr.io

But it gives the BadRequest error with the weird capitalization. I've copy pasted this identity string directly from the output of a az identity list -g my-rg command.
I was generally concerned about the registry section as having not seen that in examples.. but I guess I can't even get this to work without it so maybe I should just focus on that error first.
Pravallika KV 3,955 Reputation points Microsoft External Staff Moderator

2025-12-16T21:56:03.7166667+00:00

Could you share the error message here if possible?
Zach Howell 85 Reputation points

2025-12-16T22:00:11.83+00:00

(FailedIdentityOperation) Identity operation for resource '/subscriptions/123/resourceGroups/my-rg/providers/Microsoft.App/containerApps/my-identity-1' failed with error 'Failed to perform resource identity operation. Status: 'BadRequest'. Response: '{"error":{"code":"BadRequest","message":"Resource '/subscriptions/123/resourcegroups/my-Rg/providers/Microsoft.Managedidentity/Userassignedidentities/My-Identity-1' was not found."}}'.

While I have swapped out the precise names here the error message change from "my-identity-1" -> "My-Identity-1" does happen in the first vs second sentence.
Pravallika KV 3,955 Reputation points Microsoft External Staff Moderator

2025-12-16T22:33:57.86+00:00

Looks like Azure Container Apps cannot find the referenced user-assigned managed identity. This could be due to an incorrect or mismatched resource ID, most commonly a resource group name casing mismatch (ARM resource IDs are case-sensitive), or the identity existing in a different resource group or subscription. It can also happen if the identity was deleted and recreated, leaving the app referencing an old ID.

Verify the managed identity exists, ensure the correct subscription, resource group, and casing, confirm required permissions, and update the Container App to reference the correct identity ID before redeploying.
Pravallika KV 3,955 Reputation points Microsoft External Staff Moderator

2025-12-17T17:15:44.99+00:00

@Zach Howell , Following up to see if the above provided information was helpful to fix the issue. Please let me know if you are still facing the issue.

Answer 1

Hi @Zach Howell ,

Thanks for the offline conversation.

I am summarizing the discussion and posting as answer.

Upon investigating further, the error occurred when using User Assigned Managed identity with registries in yaml.

As a workaround, followed below steps to achieve the requirement.

Created a Container App using Azure CLI and enabled System Assigned Managed identity in portal.
Navigate to Container registries and assign ACR PULL role to container app's managed identity.

Command:


az role assignment create --assignee <ContainerAppSystemIdentityPrincipalID> --role AcrPull --scope /subscriptions/<SubscriptionID>/resourceGroups/<ResourceGroup>/providers/Microsoft.ContainerRegistry/registries/<ACRName>

Explicitly configured the registries section with the identity: system in the yaml. This tells Azure Container Apps to use the system-assigned managed identity for authenticating to the ACR.


properties:

  configuration:

    ingress:

      external: true

      allowInsecure: false

      targetPort: 80

    registries:

      - server: myregistry.azurecr.io

        identity: system

  template:

    containers:

    - image: mcr.microsoft.com/azuredocs/containerapps-helloworld:latest

      name: app

      resources:

          cpu: 0.5

          memory: 1Gi

Hope it helps!

Please do not forget to click "Accept the answer” and Yes, this can be beneficial to other community members.

User's image

If you have any other questions, let me know in the "comments" and I would be happy to help you.

Zach Howell 85 Reputation points

2025-12-17T22:50:23.64+00:00

Thanks for the help Pravallika! Yes, it looks like this is best done as at least two steps:

Create the az containerapp (if done with yaml flag, also create a system assigned identity & give it permissions; if done without yaml this identity will be created automatically).

Update the app with yaml (to do the thing I need to do only by yaml & to set to the right container which I may not have had access to prior to setting up the system identity correctly).

Share via

az containerapp create with yaml & identity?

0 additional answers

Your answer