Getting a 401 when trying to start a pod using an image from the registry in AKS

Matthieu Patou 0 Reputation points
2023-11-29T20:05:59.6+00:00

I'm trying to deploy a statefulset and I'm getting:

failed to authorize: failed to fetch anonymous token: unexpected status from GET request to https://myregistry.azurecr.io/oauth2/token?scope=repository%3Acompany%2Fnginx%3Apull&service=myregistry.azurecr.io: 401 Unauthorized

I followed the instructions at https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli#service-principal and checked that AKS and ACR are linked, but still no success.

az aks check-acr --name my-aks-cluster --resource-group k8s --acr myregistry
The login server endpoint suffix '.azurecr.io' is automatically appended.
Merged "my-aks-cluster" as current context in /tmp/tmp3u0o8pus
[2023-11-29T18:19:55Z] Checking host name resolution (myregistry.azurecr.io): SUCCEEDED
[2023-11-29T18:19:55Z] Canonical name for ACR (myregistry.azurecr.io): r1101something.westus2.cloudapp.azure.com.
[2023-11-29T18:19:55Z] ACR location: westus2
[2023-11-29T18:19:55Z] Checking managed identity...
[2023-11-29T18:19:55Z] Kubelet managed identity client ID: xxxxxx-xxxx-xxxx-xxxx-xxxxxxx
[2023-11-29T18:19:55Z] Validating managed identity existance: SUCCEEDED
[2023-11-29T18:19:55Z] Validating image pull permission: SUCCEEDED
[2023-11-29T18:19:55Z]
Your cluster can pull images from myregistry.azurecr.io!


I'm using AKS with managed identity; I haven't specified any user-assigned identity.


1 answer

  1. Andriy Bilous 11,176 Reputation points MVP
    2023-11-29T22:11:11.4066667+00:00

    Hello @Matthieu Patou

    I would recommend that you attach an ACR to an existing AKS cluster, compared to the article:

    # Attach using acr-name
    az aks update -n myAKSCluster -g myResourceGroup --attach-acr <acr-name>
    
    # Attach using acr-resource-id
    az aks update -n myAKSCluster -g myResourceGroup --attach-acr <acr-resource-id>
    

    Note

    The az aks update --attach-acr command uses the permissions of the user running the command to create the ACR role assignment. This role is assigned to the kubelet managed identity. For more information on AKS managed identities, see Summary of managed identities.

    https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli#service-principal
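
To confirm the role assignment that the note in the answer describes, the following added example (not part of the original thread) looks up the kubelet managed identity and lists the roles it holds on the registry, including inherited ones. The function names are hypothetical, and the cluster, resource group and registry names are passed as arguments.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Function names are hypothetical.
set -u

# Succeeds when the role names on stdin (one per line) include a built-in
# role that carries registry pull permission.
grants_pull() {
  grep -qxE 'AcrPull|AcrPush|Contributor|Owner'
}

# Object ID of the kubelet managed identity that pulls images for the nodes.
kubelet_object_id() {  # usage: kubelet_object_id <cluster> <resource-group>
  az aks show -n "$1" -g "$2" \
    --query identityProfile.kubeletidentity.objectId -o tsv
}

# Role names the identity holds on the registry. --include-inherited also
# reports assignments made at resource-group or subscription scope.
roles_on_registry() {  # usage: roles_on_registry <object-id> <acr-name>
  local acr_id
  acr_id=$(az acr show -n "$2" --query id -o tsv) || return 1
  az role assignment list --assignee "$1" --scope "$acr_id" \
    --include-inherited --query '[].roleDefinitionName' -o tsv
}

check_attach() {  # usage: check_attach <cluster> <resource-group> <acr-name>
  local oid
  oid=$(kubelet_object_id "$1" "$2") || return 2
  if roles_on_registry "$oid" "$3" | grants_pull; then
    echo "kubelet identity $oid holds a pull role on $3"
  else
    echo "no pull role for $oid on $3; run:"
    echo "  az aks update -n $1 -g $2 --attach-acr $3"
    return 1
  fi
}

# Runs only when called with three arguments, so the file can also be sourced.
if [ "$#" -eq 3 ]; then check_attach "$@"; fi
```

Creating the role assignment with `--attach-acr` requires the caller to have permission to assign roles on the registry, which is why the note stresses whose permissions the command uses.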