I have a problem in which I cannot reach my company’s Container registry via Azure Container Instances and Azure Container Apps, which has to do with VNET’s and a private link to the company’s registry, and the fact that dynamically launched containers can’t be linked. Eventually I want to go to Kubernetes as a platform for my batch job workloads, but right now I have to find a quick solution that makes it able to have at least one container running, and maybe manually scale these when necessary (one is probably enough most of the times).

Right now, the way I am aiming to achieve this is by simply launching a VM (and maybe a couple more when necessary) and running a docker container on this VM with the (Python) application code.

Now I’m wondering if, and if yes how, the Docker container can use a (either system/user assigned) managed identity assigned to the VM. When assigned to an ACI container with a user managed identity assigned to it on startup, I could easily just have code like:

default_credential = DefaultAzureCredential()
q_client = QueueClient(
  credential=default_credential,
  queue_name="Queuename",
  accounrt_url="someurl"
)

and be able to access – for instance – this queue. No need to request any kind of token, no need to specify any kind of environment variable.

Now I doubt this will work in a docker container running in a VM with a user identity assigned to it, since the user identity is not really assigned directly to the docker container. Is there any way to still achieve this or is this a fools errand and should I just work with environment variables for now? I don’t really like the idea of the latter, but I haven’t found a way to use managed identities this particular way.