Azure Container App fails to pull image from Azure Container Registry using managed identity

specialsnowflake 61 Reputation points
2023-07-14T12:59:01.85+00:00

I have an Azure Container App that I created that I want to pull its image from a private Azure Container Registry using either a system-assigned or user-assigned identity, but the Container App fails to pull the image. I have followed these instructions: https://learn.microsoft.com/en-us/azure/container-apps/managed-identity-image-pull?tabs=azure-cli

I have tried with both a system-assigned and a user-assigned managed identity. Each time I try I get an error. Here's the error from using the user-assigned identity: "The following field(s) are either invalid or missing. Field 'template.containers.MY-CONTAINER_NAME.image' is invalid with details: 'Invalid value: "MY-ACR.azurecr.io/MY-REPOSITORY:latest": unable to pull image using Managed identity /subscriptions/01234567-0123-4567-89ab-cdef01234567/resourcegroups/MY-RESOURCE-GROUP/providers/Microsoft.ManagedIdentity/userAssignedIdentities/MY-USER-ASSIGNED-ID for registry MY-ACR.azurecr.io';

I have both the user assigned identity and the system assigned identity granted the AcrPull role on the Azure Container Registry I am using.

Anyone have other suggestions on what to try next?

Azure Container Apps
An Azure service that provides a general-purpose, serverless container platform.
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.

2 answers

  1. SnehaAgrawal-MSFT 17,401 Reputation points Microsoft Employee
    2023-07-27T12:02:55.03+00:00

    @specialsnowflake Apologies for the late response here! If deployment fails with Invalid, it's suggested to ensure the definition ID matches the ID in the built-in roles link.

    If an invalid value is put in, this will be output in the terminal. Review the value for further troubleshooting. Also, using managed identities in scale rules isn't supported. You'll still need to include the connection string or key in the secretRef of the scaling rule.

    Note that the Init containers can't access managed identities.
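One way to check the role definition ID and the assignment scope discussed in this thread, as an added example that is not code from the thread or from Microsoft. The function names, principal IDs and sample assignments are constructed; the records follow the shape of `az role assignment list -o json` output, and the AcrPull GUID should be confirmed against the built-in roles list.

```python
# Added example: audit role assignments (shape of `az role assignment list -o json`).
ACR_PULL = "7f951dda-4ed3-4680-a7ca-43fe172d538d"  # built-in AcrPull definition GUID
SUB = "/subscriptions/01234567-0123-4567-89ab-cdef01234567"
REGISTRY_ID = (SUB + "/resourceGroups/MY-RESOURCE-GROUP/providers"
               "/Microsoft.ContainerRegistry/registries/MY-ACR")
ROLE_PREFIX = SUB + "/providers/Microsoft.Authorization/roleDefinitions/"

# Constructed sample data; principal IDs are placeholders, not from the thread.
SAMPLE = [
    {"principalId": "11111111-1111-1111-1111-111111111111",
     "roleDefinitionId": ROLE_PREFIX + ACR_PULL,
     "scope": SUB.lower() + "/resourcegroups/my-resource-group"},
    {"principalId": "22222222-2222-2222-2222-222222222222",
     "roleDefinitionId": ROLE_PREFIX + ACR_PULL,
     "scope": SUB + "/resourceGroups/MY-RESOURCE"},
    {"principalId": "33333333-3333-3333-3333-333333333333",
     "roleDefinitionId": ROLE_PREFIX + "acdd72a7-3385-48ef-bd42-f606fba81ae7",  # Reader
     "scope": REGISTRY_ID},
]

def _segments(resource_id):
    """Lower-cased path segments; ARM resource IDs compare case-insensitively."""
    return [s for s in resource_id.lower().split("/") if s]

def scope_covers(scope, resource_id):
    """True if scope is the resource or an ancestor, matched on whole segments."""
    s, r = _segments(scope), _segments(resource_id)
    # An empty scope is treated as "no coverage" rather than as the root.
    return bool(s) and len(s) <= len(r) and r[:len(s)] == s

def acr_pull_findings(assignments, principal_id, registry_id):
    """Return (ok, reasons) for one principal's right to pull from the registry."""
    ok, reasons = False, []
    for a in assignments:
        if a.get("principalId", "").lower() != principal_id.lower():
            continue
        guid = a.get("roleDefinitionId", "").rstrip("/").split("/")[-1].lower()
        scope = a.get("scope", "")
        if guid != ACR_PULL:
            reasons.append(f"role definition {guid} is not AcrPull")
        elif not scope_covers(scope, registry_id):
            reasons.append(f"AcrPull at {scope} does not cover the registry")
        else:
            ok = True
    if not ok and not reasons:
        reasons.append("no role assignment found for this principal")
    return ok, reasons
```

The second sample record shows why the scope is compared segment by segment: a resource group named `MY-RESOURCE` is a string prefix of `MY-RESOURCE-GROUP` but does not contain the registry.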


  2. Karol Pieciukiewicz 0 Reputation points
    2023-09-08T08:58:28.2166667+00:00