Azure Container Instance fails to pull ACR images using User-Assigned Managed Identity (Terraform)

Question

I’m trying to create an Azure Container Instance (ACI) container group using Terraform and a User-Assigned Managed Identity (UAMI) for pulling images from a private Azure Container Registry (ACR).

The managed identity was created via Azure CLI and has the AcrPull role assigned. However, container group creation fails with InaccessibleImage.

Environment

• Azure Container Instances
• Private Azure Container Registry
• User-Assigned Managed Identity (created via az identity create)
• Terraform azurerm_container_group
• No explicit image_registry_credential (expecting MI-based auth)

Managed Identity setup

az identity create \
  --name acr-pull-identity \
  --resource-group identity-rg

az role assignment create \
  --assignee <principal-id> \
  --scope /subscriptions/<sub-id>/resourceGroups/registry-rg/providers/Microsoft.ContainerRegistry/registries/myregistry \
  --role AcrPull

Terraform data source:

data "azurerm_user_assigned_identity" "acr_pull" {
  name                = "acr-pull-identity"
  resource_group_name = "identity-rg"
}
resource "azurerm_container_group" "example" {
  name                = "example-aci"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  os_type             = "Linux"
  container {
    name   = "app"
    image  = "myregistry.azurecr.io/library/nginx:latest"
    cpu    = 0.5
    memory = 0.5
    ports {
      port     = 80
      protocol = "TCP"
    }
  }
  identity {
    type         = "UserAssigned"
    identity_ids = [data.azurerm_user_assigned_identity.acr_pull.id]
  }
}

Error when running terraform apply

Error: creating Container Group:
unexpected status 400 (Bad Request) with error:
'BadRequest':'InaccessibleImage':
The image 'myregistry.azurecr.io/library/nginx:latest'
is not accessible. Please check the image and registry credential.

This occurs for all images pulled from the private ACR.

What I’ve verified

Image exists in ACR

Managed identity has AcrPull role on the registry

Identity ID resolves correctly in Terraform

Images pull successfully when using ACR admin credentials

Fails only when relying on managed identity

Questions

1. Is AcrPull alone sufficient for ACI + User-Assigned Managed Identity?

Are there known limitations or delays when using pre-existing UAMIs with ACI?

1. Is image_registry_credential still required even when using managed identity?

Answer 1

To address your questions regarding the Azure Container Instance (ACI) and User-Assigned Managed Identity (UAMI) setup for pulling images from a private Azure Container Registry (ACR):

1. Is AcrPull alone sufficient for ACI + User-Assigned Managed Identity?
   Yes, the AcrPull role is necessary for the managed identity to pull images from the ACR. However, ensure that the managed identity is correctly assigned to the ACR and that there are no additional network restrictions that might prevent access.
2. Are there known limitations or delays when using pre-existing UAMIs with ACI?
   There are limitations with Windows containers, which do not support system-assigned managed identity-authenticated image pulls with ACR; only user-assigned identities are supported. Additionally, ensure that the managed identity is properly configured and that the ACI is using the correct API version.
3. Is image_registry_credential still required even when using managed identity?
   When using a managed identity, you typically do not need to specify image_registry_credential. The managed identity should handle authentication automatically, provided it has the correct permissions and is configured properly.

If you continue to face issues, verify that the managed identity is assigned correctly and that there are no firewall rules or private endpoint configurations that might be blocking access to the ACR.

---

References:

• Deploy to Azure Container Instances from Azure Container Registry using a managed identity
• Fails to pull images from Azure Container Registry by using Managed Identity authentication

Answer 2

Hi Matheus Gomes

Thanks for reaching out Q/A, it looks like you're running into an issue with creating an Azure Container Instance (ACI) that pulls images from a private Azure Container Registry (ACR) using a User-Assigned Managed Identity (UAMI). The "InaccessibleImage" error can be a bit tricky. Here are some things to keep in mind and steps you can take to troubleshoot:

1. Role Assignment: Ensure that your User-Assigned Managed Identity has the AcrPull role assigned to the correct ACR scope. From your command, it seems you've set this up, but it might be worth double-checking that the role is correctly associated with the right <principal-id> and the ACR resource ID.
2. Managed Identity Configuration: Make sure that the User-Assigned Managed Identity is correctly attached to the ACI. In your Terraform config, it looks like you are doing this correctly: identity { type = "UserAssigned" identity_ids = [data.azurerm_user_assigned_identity.acr_pull.id]
3. Private DNS Zone: If your ACR is behind a private endpoint, ensure that your ACI can resolve the DNS for the private endpoint. This might require proper networking setup.
4. Image Availability: Since you confirmed that the image exists in ACR, double-check the image name and tag you're referencing is correct.
5. Deploying using the right API version: Ensure you're using an appropriate ACI API version that supports managed identity for authentication (2021-07-01 or later).

For more detailed guidance, please find below documentations.

• How to use managed identities with Azure Container Instances
• Troubleshoot common issues in Azure Container Instances
• Deploying to ACI using managed identities

Hope this helps! Please let me know if you have any queries.