microsoft
diff --git a/‎src/commands/EXECUTE_PRIORITY.md‎
Lines changed: 3 additions & 1 deletion b/‎src/commands/EXECUTE_PRIORITY.md‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎src/commands/deployWorkspaceProject/getDeployWorkspaceProjectResults.ts‎
Lines changed: 2 additions & 2 deletions b/‎src/commands/deployWorkspaceProject/getDeployWorkspaceProjectResults.ts‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎src/commands/image/deployImageApi/deployImage.ts‎
Lines changed: 0 additions & 2 deletions b/‎src/commands/image/deployImageApi/deployImage.ts‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎src/commands/image/imageSource/ContainerAppUpdateStep.ts‎
Lines changed: 1 addition & 1 deletion b/‎src/commands/image/imageSource/ContainerAppUpdateStep.ts‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/commands/image/imageSource/containerRegistry/acr/RegistryEnableAdminUserStep.ts‎
Lines changed: 0 additions & 34 deletions b/‎src/commands/image/imageSource/containerRegistry/acr/RegistryEnableAdminUserStep.ts‎
Lines changed: 0 additions & 34 deletions
diff --git a/‎src/commands/image/imageSource/containerRegistry/acr/listCredentialsFromRegistry.ts‎
Lines changed: 0 additions & 20 deletions b/‎src/commands/image/imageSource/containerRegistry/acr/listCredentialsFromRegistry.ts‎
Lines changed: 0 additions & 20 deletions
diff --git a/‎src/commands/image/imageSource/containerRegistry/getRegistryCredentialsAndSecrets.ts‎
Lines changed: 0 additions & 66 deletions b/‎src/commands/image/imageSource/containerRegistry/getRegistryCredentialsAndSecrets.ts‎
Lines changed: 0 additions & 66 deletions
diff --git a/‎src/commands/registryCredentials/RegistryCredentialsAddConfigurationListStep.ts‎
Lines changed: 16 additions & 13 deletions b/‎src/commands/registryCredentials/RegistryCredentialsAddConfigurationListStep.ts‎
Lines changed: 16 additions & 13 deletions
diff --git a/‎src/commands/registryCredentials/identity/AcrPullEnableStep.ts‎
Lines changed: 82 additions & 0 deletions b/‎src/commands/registryCredentials/identity/AcrPullEnableStep.ts‎
Lines changed: 82 additions & 0 deletions
@@ -28,7 +28,9 @@ When creating or updating resources, execute steps should occupy certain priorit
 
 #### Steps
 ##### Managed Identity Registry Credential
-- Coming soon...
+- ManagedEnvironmentIdentityEnableStep: 450
+- AcrPullEnableStep: 460
+- ManagedIdentityRegistryCredentialAddConfigurationStep: 470
 
 ##### Admin User Registry Credential
 - AcrEnableAdminUserStep: 450
 
@@ -8,14 +8,14 @@ import { type Workspace } from "@azure/arm-operationalinsights";
 import { uiUtils } from "@microsoft/vscode-azext-azureutils";
 import { createOperationalInsightsManagementClient } from "../../utils/azureClients";
 import type * as api from "../api/vscode-azurecontainerapps.api";
-import { listCredentialsFromRegistry } from "../image/imageSource/containerRegistry/acr/listCredentialsFromRegistry";
+import { listCredentialsFromAcr } from "../registryCredentials/dockerLogin/listCredentialsFromAcr";
 import { type DeployWorkspaceProjectContext } from "./DeployWorkspaceProjectContext";
 
 export type DeployWorkspaceProjectResults = api.DeployWorkspaceProjectResults;
 
 export async function getDeployWorkspaceProjectResults(context: DeployWorkspaceProjectContext): Promise<DeployWorkspaceProjectResults> {
     const registryCredentials: { username: string, password: RegistryPassword } | undefined = context.registry ?
-        await listCredentialsFromRegistry(context, context.registry) : undefined;
+        await listCredentialsFromAcr(context) : undefined;
 
     context.logAnalyticsWorkspace ??= await tryGetLogAnalyticsWorkspace(context);
 
 
@@ -14,7 +14,6 @@ import { showContainerAppNotification } from "../../createContainerApp/showConta
 import { ContainerAppUpdateStep } from "../imageSource/ContainerAppUpdateStep";
 import { ImageSourceListStep } from "../imageSource/ImageSourceListStep";
 import { type ContainerRegistryImageSourceContext } from "../imageSource/containerRegistry/ContainerRegistryImageSourceContext";
-import { RegistryEnableAdminUserStep } from "../imageSource/containerRegistry/acr/RegistryEnableAdminUserStep";
 import { type DeployImageApiContext } from "./deployImageApi";
 
 export async function deployImage(context: IActionContext & Partial<ContainerRegistryImageSourceContext>, node: ContainerAppItem): Promise<void> {
@@ -33,7 +32,6 @@ export async function deployImage(context: IActionContext & Partial<ContainerReg
     wizardContext.telemetry.properties.revisionMode = containerApp.revisionsMode;
 
     const promptSteps: AzureWizardPromptStep<DeployImageApiContext>[] = [
-        new RegistryEnableAdminUserStep(),
         new ImageSourceListStep(),
         new ContainerAppOverwriteConfirmStep(),
     ];
 
@@ -13,7 +13,7 @@ import { type ImageSourceContext } from "./ImageSourceContext";
 import { getContainerNameForImage } from "./containerRegistry/getContainerNameForImage";
 
 export class ContainerAppUpdateStep<T extends ImageSourceContext> extends AzureWizardExecuteStep<T> {
-    public priority: number = 650;
+    public priority: number = 680;
 
     public async execute(context: T, progress: Progress<{ message?: string | undefined; increment?: number | undefined }>): Promise<void> {
         const containerApp: ContainerAppModel = nonNullProp(context, 'containerApp');
 
@@ -10,6 +10,9 @@ import { localize } from "../../utils/localize";
 import { AcrEnableAdminUserConfirmStep } from "./dockerLogin/AcrEnableAdminUserConfirmStep";
 import { AcrEnableAdminUserStep } from "./dockerLogin/AcrEnableAdminUserStep";
 import { DockerLoginRegistryCredentialsAddConfigurationStep } from "./dockerLogin/DockerLoginRegistryCredentialsAddConfigurationStep";
+import { AcrPullEnableStep } from "./identity/AcrPullEnableStep";
+import { ManagedEnvironmentIdentityEnableStep } from "./identity/ManagedEnvironmentIdentityEnableStep";
+import { ManagedIdentityRegistryCredentialAddConfigurationStep } from "./identity/ManagedIdentityRegistryCredentialAddConfigurationStep";
 import { RegistryCredentialsAndSecretsConfigurationStep } from "./RegistryCredentialsAndSecretsConfigurationStep";
 import { type RegistryCredentialsContext } from "./RegistryCredentialsContext";
 
@@ -56,13 +59,13 @@ export class RegistryCredentialsAddConfigurationListStep extends AzureWizardProm
 
         const registryDomain: SupportedRegistries | undefined = this.getRegistryDomain(context);
         switch (context.newRegistryCredentialType) {
-            // case RegistryCredentialType.SystemAssigned:
-            //     executeSteps.push(
-            //         new ManagedEnvironmentIdentityEnableStep(),
-            //         new AcrPullEnableStep(),
-            //         new ManagedIdentityRegistryCredentialAddConfigurationStep(registryDomain),
-            //     );
-            //     break;
+            case RegistryCredentialType.SystemAssigned:
+                executeSteps.push(
+                    new ManagedEnvironmentIdentityEnableStep(),
+                    new AcrPullEnableStep(),
+                    new ManagedIdentityRegistryCredentialAddConfigurationStep(registryDomain),
+                );
+                break;
             case RegistryCredentialType.DockerLogin:
                 promptSteps.push(new AcrEnableAdminUserConfirmStep());
                 executeSteps.push(
@@ -95,12 +98,12 @@ export class RegistryCredentialsAddConfigurationListStep extends AzureWizardProm
         const registryDomain = this.getRegistryDomain(context);
 
         if (registryDomain === acrDomain) {
-            // picks.push({
-            //     label: 'Managed Identity',
-            //     description: '(recommended)',
-            //     detail: localize('systemIdentityDetails', 'Setup "{0}" access for container environment resources via a system-assigned identity', 'acrPull'),
-            //     data: RegistryCredentialType.SystemAssigned,
-            // });
+            picks.push({
+                label: 'Managed Identity',
+                description: '(recommended)',
+                detail: localize('systemIdentityDetails', 'Setup "{0}" access for container environment resources via a system-assigned identity', 'acrPull'),
+                data: RegistryCredentialType.SystemAssigned,
+            });
         }
 
         picks.push({
 
@@ -0,0 +1,82 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+
+import { KnownPrincipalType, type AuthorizationManagementClient, type RoleAssignment, type RoleAssignmentCreateParameters } from "@azure/arm-authorization";
+import { uiUtils } from "@microsoft/vscode-azext-azureutils";
+import { AzureWizardExecuteStep, GenericParentTreeItem, GenericTreeItem, activityFailContext, activityFailIcon, activitySuccessContext, activitySuccessIcon, createUniversallyUniqueContextValue, nonNullValueAndProp, type ExecuteActivityOutput } from "@microsoft/vscode-azext-utils";
+import * as crypto from "crypto";
+import { type Progress } from "vscode";
+import { createAuthorizationManagementClient } from "../../../utils/azureClients";
+import { localize } from "../../../utils/localize";
+import { type ManagedIdentityRegistryCredentialsContext } from "./ManagedIdentityRegistryCredentialsContext";
+
+const acrPullRoleId: string = '7f951dda-4ed3-4680-a7ca-43fe172d538d';
+
+export class AcrPullEnableStep extends AzureWizardExecuteStep<ManagedIdentityRegistryCredentialsContext> {
+    public priority: number = 460;
+
+    // Add a configureBeforeExecute
+
+    public async execute(context: ManagedIdentityRegistryCredentialsContext, progress: Progress<{ message?: string | undefined; increment?: number | undefined }>): Promise<void> {
+        const client: AuthorizationManagementClient = await createAuthorizationManagementClient(context);
+        const registryId: string = nonNullValueAndProp(context.registry, 'id');
+        const managedEnvironmentIdentity: string = nonNullValueAndProp(context.managedEnvironment?.identity, 'principalId');
+
+        if (await this.hasAcrPullAssignment(client, registryId, managedEnvironmentIdentity)) {
+            return;
+        }
+
+        const roleCreateParams: RoleAssignmentCreateParameters = {
+            description: 'acr pull',
+            roleDefinitionId: `/providers/Microsoft.Authorization/roleDefinitions/${acrPullRoleId}`,
+            principalId: nonNullValueAndProp(context.managedEnvironment?.identity, 'principalId'),
+            principalType: KnownPrincipalType.ServicePrincipal,
+        };
+
+        progress.report({ message: localize('updatingRegistryCredentials', 'Updating registry credentials...') });
+        await client.roleAssignments.create(
+            nonNullValueAndProp(context.registry, 'id'),
+            crypto.randomUUID(),
+            roleCreateParams,
+        );
+    }
+
+    public shouldExecute(context: ManagedIdentityRegistryCredentialsContext): boolean {
+        return !!context.registry;
+    }
+
+    private async hasAcrPullAssignment(client: AuthorizationManagementClient, registryId: string, managedEnvironmentIdentity: string): Promise<boolean> {
+        const roleAssignments: RoleAssignment[] = await uiUtils.listAllIterator(client.roleAssignments.listForScope(
+            registryId,
+            {
+                // $filter=principalId eq {id}
+                filter: `principalId eq '{${managedEnvironmentIdentity}}'`,
+            }
+        ));
+        return roleAssignments.some(r => !!r.roleDefinitionId?.endsWith(acrPullRoleId));
+    }
+
+    public createSuccessOutput(): ExecuteActivityOutput {
+        return {
+            item: new GenericTreeItem(undefined, {
+                contextValue: createUniversallyUniqueContextValue(['containerRegistryAcrPullEnableStepSuccessItem', activitySuccessContext]),
+                label: localize('enableAcrPull', 'Grant "{0}" access to container environment identity', 'acrPull'),
+                iconPath: activitySuccessIcon
+            }),
+            message: localize('enableAcrPullSuccess', 'Successfully granted "{0}" access to container environment identity.', 'acrPull'),
+        };
+    }
+
+    public createFailOutput(): ExecuteActivityOutput {
+        return {
+            item: new GenericParentTreeItem(undefined, {
+                contextValue: createUniversallyUniqueContextValue(['containerRegistryAcrPullEnableStepFailItem', activityFailContext]),
+                label: localize('enableAcrPull', 'Grant "{0}" access to container environment identity"', 'acrPull'),
+                iconPath: activityFailIcon
+            }),
+            message: localize('enableAcrPullFail', 'Failed to grant "{0}" access to container environment identity.', 'acrPull'),
+        };
+    }
+}