Fails to pull images from Azure Container Registry by using Managed Identity authentication
This article discusses how to troubleshoot image pull failures when you deploy to Azure Container Instances (ACI) from Azure Container Registry (ACR) by using a managed identity.
Symptoms
When you try to deploy a container group and pull images from an Azure container registry that runs behind a private endpoint by using a managed identity, the image pull fails.
Cause
Here are some causes of image pull failures:
From the ACI side:
- Based on the ACI API version used when deploying the container group, the credential format provided in the container group ARM template might be invalid.
- Using a managed identity in the container group might violate ACI limitations.
- The container group definition in the ARM template might be malformed.
From the ACR side:
- You might be using an earlier API version.
- You might be using a private DNS zone for the container registry.
Troubleshooting from the ACI side
Check if you're using an ACI API version earlier than 2021-07-01.
If so, you might see the "InvalidImageRegistryCredentialType" error:
    $ az deployment group create -g <resourcegroupname> --template-file containergroup_trusted.json
    Deployment failed. Correlation ID: <Correlation ID>.
    {
      "error": {
        "code": "InvalidImageRegistryCredentialType",
        "message": "Identity in 'imageRegistryCredentials' of container group 'acrtestcontainergroup' is not supported."
      }
    }
To resolve this issue, use ACI API version 2021-07-01 or later.
Check if you're violating any ACI limitations.
Limitations include:
- Virtual network injected container groups.
- Windows Server 2016 container groups.
- Attempting to resolve ACR's private DNS zone.
To resolve this issue, ensure that you don't violate those limitations.
Check if the container group definition is correctly formed.
If not, you might see the following errors:
Error code "AmbiguousImageResitryCredentialType":
    Deployment failed. Correlation ID: <Correlation ID>.
    {
      "error": {
        "code": "AmbiguousImageResitryCredentialType",
        "message": "The registry credential type in the 'imageRegistryCredentials' of container group 'acrtestcontainergroup' cannot be detected. Please set exactly one of username or identity"
      }
    }
Error code "InvalidImageRegistryIdentity":
    Deployment failed. Correlation ID: <Correlation ID>.
    {
      "error": {
        "code": "InvalidImageRegistryIdentity",
        "message": "The identity in the 'imageRegistryCredentials' of container group 'acrtestcontainergroup' not found in container group identity list."
      }
    }
Error code "InvalidRequestContent":
    Deployment failed. Correlation ID: <Correlation ID>.
    {
      "error": {
        "code": "InvalidRequestContent",
        "message": "The request content was invalid and could not be deserialized: 'Required property 'server' not found in JSON. Path 'properties.imageRegistryCredentials[0]', line 1, position 586.'."
      }
    }
To resolve this issue, you must provide the following properties in the ARM template:
- The server and identity properties of ImageRegistryCredential.
- The type and userAssignedIdentity properties of ContainerGroupIdentity.
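As an added example (not part of the original article and not Microsoft tooling), the following Python check inspects a container group resource before deployment and reports which of the error codes in this section it would trigger. The checks mirror the article's descriptions rather than the ACI service's own validation; the userAssignedIdentities key follows the ARM schema, and the identity resource ID and both sample resources are constructed.

```python
"""Pre-deployment lint for ACI container groups that pull from ACR with a managed identity."""
MIN_API = "2021-07-01"  # earliest ACI API version the article says accepts 'identity'

def lint_container_group(resource):
    """Return the article's error codes that this container group resource would trigger."""
    findings = []
    ident = resource.get("identity", {})
    # Keys of userAssignedIdentities are identity resource IDs; compare case-insensitively.
    attached = {rid.lower() for rid in ident.get("userAssignedIdentities", {})}
    for cred in resource.get("properties", {}).get("imageRegistryCredentials", []):
        if "server" not in cred:
            findings.append("InvalidRequestContent")
        has_user, has_identity = "username" in cred, "identity" in cred
        if has_user == has_identity:  # both set, or neither set
            findings.append("AmbiguousImageResitryCredentialType")
        elif has_identity:
            # API versions are ISO dates, so the first 10 characters compare as strings.
            if resource.get("apiVersion", "")[:10] < MIN_API:
                findings.append("InvalidImageRegistryCredentialType")
            if ("UserAssigned" not in ident.get("type", "")
                    or cred["identity"].lower() not in attached):
                findings.append("InvalidImageRegistryIdentity")
    return findings

# Constructed sample data: placeholder subscription, resource group and identity names.
UAMI = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
        "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-example")
GOOD = {
    "type": "Microsoft.ContainerInstance/containerGroups",
    "apiVersion": "2021-07-01",
    "name": "acrtestcontainergroup",
    "identity": {"type": "UserAssigned", "userAssignedIdentities": {UAMI: {}}},
    "properties": {
        "imageRegistryCredentials": [{"server": "myacr.azurecr.io", "identity": UAMI}]
    },
}
# Same group with an older API version, no identity block and no 'server' property.
BAD = {
    "type": "Microsoft.ContainerInstance/containerGroups",
    "apiVersion": "2021-03-01",
    "name": "acrtestcontainergroup",
    "properties": {"imageRegistryCredentials": [{"identity": UAMI}]},
}

if __name__ == "__main__":
    for label, group in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint_container_group(group) or "no findings")
```

To lint a real template, load it with json.load and pass each entry of its resources array whose type is Microsoft.ContainerInstance/containerGroups.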
Troubleshooting from the ACR side
Check if the managed identity has the AcrPull role assigned.
If not, you might see the "InaccessibleImage" error:
    Deployment failed. Correlation ID: <Correlation ID>.
    {
      "error": {
        "code": "InaccessibleImage",
        "message": "The image 'myacr.azurecr.io/pythonworker:v1' in container group 'acrtestcontainergroup' is not accessible. Please check the image and registry credential."
      }
    }
To resolve this issue, grant the AcrPull role to the managed identity. For more information, see Grant the identity permissions to access other Azure resources.
Check if ACR has trusted services enabled.
If not, enable trusted services.