Azure App Service Fails with ImagePullFailure When Pulling Docker Image from ACR (statusworker)

Ahmed Hamada 0 Reputation points
2025-04-22T20:30:37.2266667+00:00

I'm encountering an ImagePullFailure error with my Azure App Service (Buraq-status-worker) when attempting to pull a Docker image (statusworker.azurecr.io/buraqworker:782) from an Azure Container Registry (ACR) named statusworker. The image pulls successfully on my local machine, but the App Service fails consistently. Below are the details:

Environment:

  • App Service: Buraq-status-worker (Azure App Service, Linux, container-based)
  • Location: UAE North
  • ACR: statusworker (public access enabled, networkRuleSet.defaultAction=Allow)
  • Image: statusworker.azurecr.io/buraqworker:782
  • Networking:
    • Integrated with a VNet: /subscriptions/2f4948bc-9b84-4096-afe5-74912dd1ff47/resourceGroups/buraq_network/providers/Microsoft.Network/virtualNetworks/buraq_network/subnets/buraq_publicSubnet6
    • Has a private endpoint: buraq_privateSubnett (IP: 192.168.2.6)

Configuration:

  • App Service Container Settings:
    • linuxFxVersion: DOCKER|statusworker.azurecr.io/buraqworker:782
    • acrUseManagedIdentityCreds: true
    • User-assigned managed identity: ua-id-bda8 (client ID: 4f5a7136-5538-44f2-ae69-dd146c67e224)
  • Environment Variables:
    • DOCKER_REGISTRY_SERVER_URL: https://statusworker.azurecr.io
    • DOCKER_REGISTRY_SERVER_USERNAME: statusworker
    • DOCKER_REGISTRY_SERVER_PASSWORD: (matches the ACR admin password)
  • ACR Settings:
    • Admin user enabled
    • No private endpoints configured

Error Details:

The App Service fails with an ImagePullFailure when attempting to pull the image. Logs from the Kudu SCM site show:

1 answer

  1. Prabhavathi Manchala 1,375 Reputation points Microsoft External Staff Moderator
    2025-04-22T22:05:28.1433333+00:00

    Hi Ahmed Hamada,

    The Azure App Service Buraq-status-worker is failing to start because it can’t pull the Docker image statusworker.azurecr.io/buraqworker:782 from your Azure Container Registry.

    The two main issues are authentication conflicts from using both a managed identity and environment variables (DOCKER_REGISTRY_SERVER_USERNAME), and private networking restrictions requiring proper DNS resolution and routing to access ACR's private endpoint from your VNet-integrated App Service.

    1). Use a single authentication method (recommended: Managed Identity) and avoid mixing methods.

    Remove these environment variables from the App Service Configuration:

    • DOCKER_REGISTRY_SERVER_URL
    • DOCKER_REGISTRY_SERVER_USERNAME
    • DOCKER_REGISTRY_SERVER_PASSWORD

    Ensure the following settings are configured in the App Service:

    • acrUseManagedIdentityCreds: true
    • managedIdentityClientId: 4f5a7136-5538-44f2-ae69-dd146c67e224 (your UA-MI)

    2). Assign the AcrPull role to your user-assigned managed identity (ua-id-bda8) to grant permission to pull images.

    az role assignment create --assignee 4f5a7136-5538-44f2-ae69-dd146c67e224 --scope /subscriptions/YOUR_SUBSCRIPTION_ID/resourceGroups/YOUR_RESOURCE_GROUP/providers/Microsoft.ContainerRegistry/registries/statusworker --role AcrPull
    

    3). Fix networking by configuring DNS to resolve your ACR's private IP, since it uses a private endpoint.

    • Link the Private DNS Zone privatelink.azurecr.io to your VNet (buraq_network) and add an A record for statusworker.azurecr.io pointing to the ACR’s private IP (192.168.2.6).
    • Verify NSG and subnet settings to ensure no outbound restrictions from App Service to the ACR subnet/IP and allow DNS traffic (port 53) if using custom DNS.

    4). Restart the App Service and use Log Stream in the Azure Portal to verify the image pull and container startup.

    https://learn.microsoft.com/en-us/troubleshoot/azure/azure-container-registry/pull-image-to-web-app-fail#solution-for-managed-identity-based-authentication

    Please accept as "Yes" if the answer provided is useful, so that you can help others in the community looking for remediation for similar issues.

    Let me know if you have any further queries.

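An offline check for the conditions the answer lists (mixed authentication, missing AcrPull, registry DNS), added here as an example; it is not code from the thread or from Microsoft. It assumes the inputs are JSON exported with `az webapp config show`, `az webapp config appsettings list` and `az role assignment list --assignee <client-id> --all`; the function names, the placeholder subscription and resource group, and the sample data are constructed.

```python
import ipaddress

# App settings that carry the static ACR admin credential (names from the question).
STATIC_CRED_SETTINGS = {"DOCKER_REGISTRY_SERVER_USERNAME", "DOCKER_REGISTRY_SERVER_PASSWORD"}

def registry_host(linux_fx_version):
    """Return the registry host from 'DOCKER|host/repo:tag', or None if malformed."""
    kind, _, image = linux_fx_version.partition("|")
    if kind.upper() != "DOCKER" or "/" not in image:
        return None
    return image.split("/", 1)[0].lower()

def scope_covers(scope, resource_id):
    """True if a role assignment scope is the resource itself or one of its parents."""
    scope, resource_id = scope.lower().rstrip("/"), resource_id.lower()
    return bool(scope) and (resource_id == scope or resource_id.startswith(scope + "/"))

def audit_pull_config(site_config, app_settings, role_assignments, registry_id,
                      resolved_ip=None, expect_private=False):
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    use_mi = bool(site_config.get("acrUseManagedIdentityCreds"))
    leftover = sorted({s["name"] for s in app_settings} & STATIC_CRED_SETTINGS)
    if use_mi and leftover:
        findings.append("mixed-auth: managed identity enabled but still set: " + ", ".join(leftover))
    host = registry_host(site_config.get("linuxFxVersion") or "")
    if host is None:
        findings.append("image: linuxFxVersion is not DOCKER|registry/repo:tag")
    # AcrPull granted at the registry, its resource group or the subscription all count.
    has_pull = any(a.get("roleDefinitionName") == "AcrPull"
                   and scope_covers(a.get("scope", ""), registry_id)
                   for a in role_assignments)
    if use_mi and not has_pull:
        findings.append("rbac: no AcrPull assignment covers the registry")
    # resolved_ip is what the registry name resolves to from inside the app's VNet.
    if expect_private and resolved_ip and not ipaddress.ip_address(resolved_ip).is_private:
        findings.append(f"dns: {host} resolves to public address {resolved_ip}")
    return findings

# Constructed sample data shaped like the question's configuration.
REGISTRY_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg"
               "/providers/Microsoft.ContainerRegistry/registries/statusworker")
SITE = {"linuxFxVersion": "DOCKER|statusworker.azurecr.io/buraqworker:782",
        "acrUseManagedIdentityCreds": True}
SETTINGS = [{"name": n, "value": "<redacted>"} for n in (
    "DOCKER_REGISTRY_SERVER_URL", "DOCKER_REGISTRY_SERVER_USERNAME", "DOCKER_REGISTRY_SERVER_PASSWORD")]

if __name__ == "__main__":
    print("\n".join(audit_pull_config(SITE, SETTINGS, [], REGISTRY_ID, "192.168.2.6", True)))
```

Run against the question's settings with no role assignments, it reports the mixed-auth and rbac findings; after the credential settings are removed and AcrPull is assigned, it returns an empty list.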