Getting a 401 when trying to start a pod using an image from the registry in AKS

Question

Getting a 401 when trying to start a pod using an image from the registry in AKS

Matthieu Patou 5

I'm trying to deploy a statefulset and I'm getting:

failed to authorize: failed to fetch anonymous token: unexpected status from GET request to https://myregistry.azurecr.io/oauth2/token?scope=repository%3Acompany%2Fnginx%3Apull&service=myregistry.azurecr.io: 401 Unauthorized

Followed instructions at https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli#service-principal checked that AKS and ACR are linked but still no success.

az aks check-acr --name my-aks-cluster --resource-group k8s --acr myregistry
The login server endpoint suffix '.azurecr.io' is automatically appended.
Merged "my-aks-cluster" as current context in /tmp/tmp3u0o8pus
[2023-11-29T18:19:55Z] Checking host name resolution (myregistry.azurecr.io): SUCCEEDED
[2023-11-29T18:19:55Z] Canonical name for ACR (myregistry.azurecr.io): r1101something.westus2.cloudapp.azure.com.
[2023-11-29T18:19:55Z] ACR location: westus2
[2023-11-29T18:19:55Z] Checking managed identity...
[2023-11-29T18:19:55Z] Kubelet managed identity client ID: xxxxxx-xxxx-xxxx-xxxx-xxxxxxx
[2023-11-29T18:19:55Z] Validating managed identity existance: SUCCEEDED
[2023-11-29T18:19:55Z] Validating image pull permission: SUCCEEDED
[2023-11-29T18:19:55Z]
Your cluster can pull images from myregistry.azurecr.io!

I'm using AKS with managed identity I haven't specified any user assigned identity.

v-vvellanki-MSFT 4,920 Reputation points Microsoft External Staff

2023-12-01T12:27:26.7933333+00:00

Hi @Matthieu Patou ,

Just checking in to see if you got a chance to see previous response.

If the suggested response helped you resolve your issue, please 'Accept as answer', so that it can help others in the community looking for help on similar topics.
v-vvellanki-MSFT 4,920 Reputation points Microsoft External Staff

2023-12-04T10:04:10.92+00:00

Hi @Matthieu Patou ,

Just checking in to see if you got a chance to see previous response.

If the suggested response helped you resolve your issue, please 'Accept as answer', so that it can help others in the community looking for help on similar topics.

1 answer

Your answer

v-vvellanki-MSFT 4,920 Reputation points Microsoft External Staff

2023-12-01T12:27:26.7933333+00:00

Hi @Matthieu Patou ,

Just checking in to see if you got a chance to see previous response.

If the suggested response helped you resolve your issue, please 'Accept as answer', so that it can help others in the community looking for help on similar topics.
v-vvellanki-MSFT 4,920 Reputation points Microsoft External Staff

2023-12-04T10:04:10.92+00:00

Hi @Matthieu Patou ,

Just checking in to see if you got a chance to see previous response.

If the suggested response helped you resolve your issue, please 'Accept as answer', so that it can help others in the community looking for help on similar topics.

Answer 1

Andriy Bilous 11,821 MVP Volunteer Moderator

Hello @Matthieu Patou

I would recommend you to attach an ACR to an existing AKS cluster comparing to the article

Integrate an existing ACR with an existing AKS cluster using the az aks update command with the --attach-acr parameter and a valid value for acr-name or acr-resource-id.

Azure CLICopyOpen Cloudshell

# Attach using acr-name
az aks update -n myAKSCluster -g myResourceGroup --attach-acr <acr-name>

# Attach using acr-resource-id
az aks update -n myAKSCluster -g myResourceGroup --attach-acr <acr-resource-id>

Note

The az aks update --attach-acr command uses the permissions of the user running the command to create the ACR role assignment. This role is assigned to the kubelet managed identity. For more information on AKS managed identities, see Summary of managed identities.

https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli#service-principal

Matthieu Patou 5 Reputation points

2023-12-04T23:07:11.25+00:00

I did that, turns out that there was a spelling error and the image didn't exist, I would have appreciated that ACR was clearer.
v-vvellanki-MSFT 4,920 Reputation points Microsoft External Staff

2023-12-12T04:06:07.82+00:00

Hi @Matthieu Patou ,

As you have tried all possible things from your end and you are still facing the issue, this issue needs deeper investigation and I would recommend you to open a azure support case. Support team will be able to check and help on this.

If you don't have a support plan enabled on your subscription, I request you to send an email to AzCommunity@Microsoft.com with Subject as "Attn:Vikas" referencing this thread along with your subscription ID. I can then enable your subscription with a one-time free technical support.

Once the issue is resolved, request you to post the resolution here for the benefit of community.

Share via

Getting a 401 when trying to start a pod using an image from the registry in AKS

1 answer

Your answer