Unable to use a image from ACR in azure container app.

Question

Unable to use a image from ACR in azure container app.

Dhariwal, Jaanvi 20

While using image from azure container registry in the container apps which we are deploying using modules approach in terraform, I am unable to use that image and this error pops up and I have also logged in through admin credentials in ACR then also this issue persists.

Screenshot 2023-07-18 175723

Error -->

RESPONSE 400: 400 Bad Request

│ ERROR CODE: InvalidParameterValueInContainerTemplate

│ --------------------------------------------------------------------------------

│ {

│ "error": {

│ "code": "InvalidParameterValueInContainerTemplate",

│ "message": "The following field(s) are either invalid or missing. Field 'template.containers.webapp.image' is invalid with details: 'Invalid value: "jdacrdj.azurecr.io/optinexusapp:1": GET https:?scope=repository%3Aoptinexusapp%3Apull&service=jdacrdj.azurecr.io: UNAUTHORIZED: authentication required, visit https://aka.ms/acr/authorization for more information.

VenkateshDodda-MSFT 25,251 Reputation points Microsoft Employee Moderator

2023-07-19T08:04:24.95+00:00

@Dhariwal, Jaanvi Thanks for reaching out to Microsoft Q&A, apologize for any inconvenience caused on this.

Based on the shared information, I understand that you are using the azurerm resource provider to create the container app. if yes, as per the hashicorp registry documentation under template it should be container instead of containers.

Could you please retry the deployment by allowing the public access to the ACR and check whether you are facing any issue.

If you are still facing the issue, please do help us with the complete terraform template (excluding PII information) that you are using to deploy container app to check and assist further on this.
VenkateshDodda-MSFT 25,251 Reputation points Microsoft Employee Moderator

2023-07-20T07:40:06.36+00:00

Hello @Dhariwal, Jaanvi ,

Following up to see if you have a chance to check my previous response and helped. Do let us know if you have any further questions on this.
Karol Pieciukiewicz 15 Reputation points MVP

2023-09-07T19:09:48.31+00:00

@VenkateshDodda-MSFT I have the same issue.

I have publicly exposed ACR, authorization using Managed Identity. The Terraform user has ACR Pull Permission, the same for Container App Managed Identity.

When I use Terraform I get the same result as [Dhariwal, Jaanvi]. The same operation done from the portal works fine.

If the same terraform script I run with image "mcr.microsoft.com/azuredocs/containerapps-helloworld:latest" works fine.

It looks like the issue is with the Terraform provider, while authorization is required. I use hashicorp/azurerm with 3.71.

I can send more details if needed.

1 answer

Your answer

VenkateshDodda-MSFT 25,251 Reputation points Microsoft Employee Moderator

2023-07-19T08:04:24.95+00:00

@Dhariwal, Jaanvi Thanks for reaching out to Microsoft Q&A, apologize for any inconvenience caused on this.

Based on the shared information, I understand that you are using the azurerm resource provider to create the container app. if yes, as per the hashicorp registry documentation under template it should be container instead of containers.

Could you please retry the deployment by allowing the public access to the ACR and check whether you are facing any issue.

If you are still facing the issue, please do help us with the complete terraform template (excluding PII information) that you are using to deploy container app to check and assist further on this.
VenkateshDodda-MSFT 25,251 Reputation points Microsoft Employee Moderator

2023-07-20T07:40:06.36+00:00

Hello @Dhariwal, Jaanvi ,

Following up to see if you have a chance to check my previous response and helped. Do let us know if you have any further questions on this.
Karol Pieciukiewicz 15 Reputation points MVP

2023-09-07T19:09:48.31+00:00

@VenkateshDodda-MSFT I have the same issue.

I have publicly exposed ACR, authorization using Managed Identity. The Terraform user has ACR Pull Permission, the same for Container App Managed Identity.

When I use Terraform I get the same result as [Dhariwal, Jaanvi]. The same operation done from the portal works fine.

If the same terraform script I run with image "mcr.microsoft.com/azuredocs/containerapps-helloworld:latest" works fine.

It looks like the issue is with the Terraform provider, while authorization is required. I use hashicorp/azurerm with 3.71.

I can send more details if needed.

Answer 1

I've found the solution to this issue. To do so, there must be set "User Assigned Identity", and configured repository access, see code below:

resource "azurerm_container_app" "sampleapi" {
  name                         = "${local.prefix}-app"
  container_app_environment_id = azurerm_container_app_environment.app_env.id
  resource_group_name          = azurerm_resource_group.rg.name
  revision_mode                = "Single"

  identity {
    type = "SystemAssigned, UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.ca_identity.id ]
  }

  registry {
    identity = azurerm_user_assigned_identity.ca_identity.id
    server   = container_registry_host_name
  }

  ...
}

container_registry_host_name - {yourACRname}.azurecr.io

Need to set AcrPull for this User Assigned Identity

resource "azurerm_role_assignment" "acrpull_mi" {
  scope                = module.container_registry.id
  role_definition_name = "AcrPull"
  principal_id         = azurerm_user_assigned_identity.ca_identity.principal_id
}

Using this setup I can download image from my Azure Container Registry using User Assigned Identity. Cheers!

Share via

Unable to use a image from ACR in azure container app.

1 answer

Your answer