An Azure ML environment cannot be accessed via the Azure ML portal, or be used on a job.

Question

Hi.

I have recently created a new Environment in Azure ML, and the first issue I see is that I am not able to get details from the image in the portal.

Failed to fetch image details Authentication: Authentication failed for container registry 2ef657df1dfa44498c286d83415d8ebc.azurecr.io. Trace ID : 6f4538d6-9593-4ae5-95ab-9eda460f4c16Client request ID : cc5c29b0-e198-485f-afc1-831b54004c7a

Subsequently, I cannot use that Environment in a Job.

For example, here is my job configuration:

$schema: https://azuremlschemas.azureedge.net/latest/commandJob.schema.json
command: echo "hello world"
environment: azureml:dexman-gustavo-test:1
display_name: Custom environment test

And here is the failure:

Authentication failed for container registry 2ef657df1dfa44498c286d83415d8ebc.azurecr.io

I can see the registry exists:

az acr list --resource-group westus3

[
  {
    "adminUserEnabled": true,
    "anonymousPullEnabled": true,
    "autoGeneratedDomainNameLabelScope": "Unsecure",
    "creationDate": "2025-06-25T02:24:23.484402+00:00",
    "dataEndpointEnabled": false,
    "dataEndpointHostNames": [],
    "encryption": {
      "keyVaultProperties": null,
      "status": "disabled"
    },
    "id": "/subscriptions/c684c574-1302-4000-957c-252467a86c0f/resourceGroups/westus3/providers/Microsoft.ContainerRegistry/registries/2ef657df1dfa44498c286d83415d8ebc",
    "identity": null,
    "location": "westus3",
    "loginServer": "2ef657df1dfa44498c286d83415d8ebc.azurecr.io",
    "metadataSearch": "Disabled",
    "name": "2ef657df1dfa44498c286d83415d8ebc",
    "networkRuleBypassOptions": "AzureServices",
    "networkRuleSet": null,
    "policies": {
      "azureAdAuthenticationAsArmPolicy": {
        "status": "enabled"
      },
      "exportPolicy": {
        "status": "enabled"
      },
      "quarantinePolicy": {
        "status": "disabled"
      },
      "retentionPolicy": {
        "days": 7,
        "lastUpdatedTime": "2025-06-25T02:24:39.485664+00:00",
        "status": "disabled"
      },
      "softDeletePolicy": {
        "lastUpdatedTime": "2025-06-25T02:24:39.485720+00:00",
        "retentionDays": 7,
        "status": "disabled"
      },
      "trustPolicy": {
        "status": "disabled",
        "type": "Notary"
      }
    },
    "privateEndpointConnections": [],
    "provisioningState": "Succeeded",
    "publicNetworkAccess": "Enabled",
    "resourceGroup": "westus3",
    "roleAssignmentMode": "LegacyRegistryPermissions",
    "sku": {
      "name": "Standard",
      "tier": "Standard"
    },
    "status": null,
    "systemData": {
      "createdAt": "2025-06-25T02:24:23.484402+00:00",
      "createdBy": "0736f41a-0425-4b46-bdb5-1563eff02385",
      "createdByType": "Application",
      "lastModifiedAt": "2025-06-25T14:15:45.082185+00:00",
      "lastModifiedBy": "******@dexman.ai",
      "lastModifiedByType": "User"
    },
    "tags": {},
    "type": "Microsoft.ContainerRegistry/registries",
    "zoneRedundancy": "Disabled"
  }
]

I also tried setting anonymousPullEnabled to True via

az acr update --name 2ef657df1dfa44498c286d83415d8ebc --anonymous-pull-enabled true

But this did not help.

I need assistance on how to set up the proper authentication mechanisms so I can use this Environment in my Jobs. Can I please get some directions?

Thanks a lot.

Answer 1

Adding an update:
By accessing the Container Registry in the Azure Portal and assigning the proper role towards dexman3 (the workspace) I was able to get things working.

With this, the problem seems to be this: When the Environment is created, the right roles for that Workspace to use that Environment do not seem to be set up automatically.