Pull ACR image from ACI using user managed identity

David Aguado Fernandez 0 Reputation points
2023-09-15T10:27:21.9066667+00:00

Hi, I have an ACR with "Networking" and "Admin Credential" as Disabled. I also have a User Managed Identity with the AcrPull role assigned to the ACR.

When I try to create a Container Instance with the following command, the ACI starts to be created but changes to "Pending" until it dies by timeout (30 minutes).

az container create --name my-containergroup --resource-group my-resourcegroup --image mycontainerregistry.azurecr.io/ubuntu-aci:latest --assign-identity $USERID --acr-identity $USERID --os-type linux --dns-name-label mydnslabel01

I'm following the instructions on the following MSFT page: https://learn.microsoft.com/en-us/azure/container-instances/using-azure-container-registry-mi?tryIt=true&source=docs#code-try-6

Thanks.

Azure Container Instances

2 answers

  1. vipullag-MSFT 26,021 Reputation points
    2023-09-18T07:54:09.07+00:00

    Hello David Aguado Fernandez

    Welcome to Microsoft Q&A Platform, thanks for posting your query here.

    Based on the issue description, it looks like you have correctly assigned the AcrPull role to the user managed identity for the ACR.

    However, there could be other reasons why the container instance is not getting created and is stuck in the "Pending" state until it times out after 30 minutes.

    - One possible reason could be that the ACR is not publicly accessible and is only accessible within a virtual network. In this case, you need to ensure that the ACI is deployed within the same virtual network as the ACR and that the virtual network is properly configured to allow traffic between the ACI and the ACR.

    - Another possible reason could be that the user managed identity does not have the necessary permissions to create a container instance. You need to ensure that the user managed identity has the necessary permissions to create a container instance in the specified resource group.

    - To troubleshoot the issue further, I would suggest checking the logs for the container instance and the ACI deployment to see if there are any errors or issues that are preventing the container instance from getting created.

    I would recommend you try creating a container instance using the Azure portal or Azure CLI to see if you encounter the same issue.

    Hope that helps.


  2. David Aguado Fernandez 0 Reputation points
    2023-10-05T14:29:42.4233333+00:00

    Hi, sorry for the delay.

    - One possible reason could be that the ACR is not publicly accessible and is only accessible within a virtual network. In this case, you need to ensure that the ACI is deployed within the same virtual network as the ACR and that the virtual network is properly configured to allow traffic between the ACI and the ACR.

    I have verified that from the ACI subnet I can connect to the ACR. Both subnets are in the same VNet. I have also added an NSG rule to allow inbound/outbound traffic on all ports inside the VNet.

    - Another possible reason could be that the user managed identity does not have the necessary permissions to create a container instance. You need to ensure that the user managed identity has the necessary permissions to create a container instance in the specified resource group.

    I have checked that the "identity" has AcrPull permission. It also has Contributor permission over the Resource Group.

    - To troubleshoot the issue further, I would suggest checking the logs for the container instance and the ACI deployment to see if there are any errors or issues that are preventing the container instance from getting created.

    The Azure Portal needs the "Admin user" to be enabled to create an ACI.....

    ....and with Az CLI it dies 30 minutes later

    Regards.

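The checks suggested in the first answer (role assignment, network path, container group events), gathered into one script as an added example; it is not from the thread or from Microsoft's documentation, and it does not identify the cause of the timeout reported here. The function names and the registry, identity and subnet arguments are placeholders chosen for this example.

```shell
#!/usr/bin/env bash
# Added example: the checks from the first answer as a script. Function names are
# hypothetical; pass your own registry, identity and subnet values.

# Decision logic only, no Azure calls. Prints findings, returns 1 on any FAIL.
#   $1 registry publicNetworkAccess (Enabled|Disabled)
#   $2 registry adminUserEnabled (true|false)
#   $3 role names the identity holds on the registry, one per line
#   $4 subnet the container group will be deployed into ("" if none)
evaluate_pull_setup() {
  local public="$1" admin="$2" roles="$3" subnet="$4" failed=0
  if ! printf '%s\n' "$roles" | grep -qx 'AcrPull'; then
    echo "FAIL identity has no AcrPull assignment on the registry"
    failed=1
  fi
  if [ "$public" = "Disabled" ] && [ -z "$subnet" ]; then
    echo "FAIL registry public access is disabled and the container group is not in a virtual network"
    failed=1
  fi
  if [ "$admin" = "true" ]; then
    echo "WARN admin user is enabled; pulling with a managed identity does not use it"
  fi
  if [ "$failed" -eq 0 ]; then echo "OK role and network path look consistent"; fi
  return "$failed"
}

# Reads the live values with az and feeds them to evaluate_pull_setup.
# usage: preflight <registry-name> <identity-resource-id> <subnet-id-or-empty>
preflight() {
  local registry="$1" identity_id="$2" subnet="$3" acr_id principal
  acr_id=$(az acr show --name "$registry" --query id -o tsv)
  principal=$(az identity show --ids "$identity_id" --query principalId -o tsv)
  evaluate_pull_setup \
    "$(az acr show --name "$registry" --query publicNetworkAccess -o tsv)" \
    "$(az acr show --name "$registry" --query adminUserEnabled -o tsv)" \
    "$(az role assignment list --assignee "$principal" --scope "$acr_id" \
        --include-inherited --query '[].roleDefinitionName' -o tsv)" \
    "$subnet"
}

# Events of a container group that stays in Pending (image pull errors show up here).
# usage: show_events <resource-group> <container-group>
show_events() {
  az container show --resource-group "$1" --name "$2" \
    --query 'containers[].instanceView.events[].[lastTimestamp,name,message]' -o table
}

if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

Run it as `./preflight.sh <registry-name> "$USERID" "<subnet-id>"`, passing an empty string as the third argument when no subnet is used.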