Unable to run Azure Web Service from a docker image in an Azure Registry

CrestApps 21 Reputation points

I am trying to run a docker image in an Azure Web Service for Containers.

My Azure Web Service has two slots "production" and "staging" slot. In my "staging" slot, I navigated to "Identity" and added a "User assigned" identity. Then I navigated to the Container registry, under "Identity" tab, I also added a user assigned identity. Also, under "Access control (IAM)" tab, I assigned both AcrPull and AcrPush roles to the same user identity I added to the web server and the container.

My app fails to start up and I see this in the logs

ERROR - Pull image threw Exception: Input string was not in a correct format.
INFO  - Pulling image from Docker hub: privateregistry.azurecr.io/privateimage:152
ERROR - DockerApiException: Docker API responded with status code=InternalServerError, response={"message":"Get https://privateregistry.azurecr.io/v2/privateimage/manifests/152: unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information."}

How can I fix this issue?

Azure Container Registry
Azure Container Registry
An Azure service that provides a registry of Docker and Open Container Initiative images.
415 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,175 questions
0 comments No comments
{count} votes

Accepted answer
  1. Andriy Bilous 11,011 Reputation points MVP

    Hello @CrestApps

    Please check if managed identity is assigned to the web app deployment slot.

    az webapp identity show --name MyWebapp --resource-group MyResourceGroup --slot MySlot  
    az webapp config container show --name MyWebapp --resource-group MyResourceGroup --slot MySlot  


    Assign an identity to your WebApp Slot where ID_Name is the name of your UserIdentity which you can find in Enterprise Apps

    # Modify for your environment  
    Identity_ARMID=$(az identity show -g $RG_Name -n $ID_Name --query id -o tsv)  
    Webapp_Config=$(az webapp show -g $RG_Name -n $Web_Name --query id --output tsv)"/config/web"  
    ClientID=$(az identity show -g $RG_Name -n $ID_Name --query clientId --output tsv)  
    #Assign managed-identity to webapp  
    az webapp identity assign -g $RG_Name -n $Web_Name --identities $Identity_ARMID --slot MySlot -o none  
    #Configure WebApp to use the Manage Identity Credentials to perform docker pull operations  
    az resource update --ids $Webapp_Config --set properties.acrUseManagedIdentityCreds=True -o none  
    az resource update --ids $Webapp_Config --set properties.AcrUserManagedIdentityID=$ClientID -o none  

    Configure WebApp to pull image:tag from ACR

    # Modify for your environment  
    ACR_URL=$(az acr show -g $RG_Name --n $ACR_Name --query privateregistry --output tsv)  
    #Configure the ACR, Image and Tag to pull  
    az resource update --ids $Webapp_Config --set properties.linuxFxVersion=$FX_Version -o none --force-string  


    1 person found this answer helpful.
    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. CrestApps 21 Reputation points

    Hi @Andriy Bilous , for some reason I am unable to comment on your answer.

    Thank you for the feedback! I added the identity using the GUI like this

    1. go to the staging slot app
    2. click on the "Identity" menu item on the left
    3. click on "User assigned" tab
    4. click "+ Add" searched for the identity name and added it

    az webapp identity show --name MyWebapp --resource-group MyResourceGroup --slot MySlot


         "principalId": null,  
         "tenantId": null,  
         "type": "UserAssigned",  
         "userAssignedIdentities": {  
           "IdentityName": {  
             "clientId": "ClientId",  
             "principalId": "PrincipalId"  

    az webapp config container show --name MyWebapp --resource-group MyResourceGroup --slot MySlot


           "slotSetting": false,  
           "value": null  
           "name": "DOCKER_REGISTRY_SERVER_URL",  
           "slotSetting": false,  
           "value": "https://MyRegistryName.azurecr.io"  
           "slotSetting": false,  
           "value": "RegistreyUserName"  
           "slotSetting": false,  
           "value": "false"  
           "name": "DOCKER_CUSTOM_IMAGE_NAME",  
           "value": "DOCKER|reg.MyRegistryName.io/imageName:tagId"  

    Not sure why DOCKER_REGISTRY_SERVER_PASSWORD has a null value where the GUI shows the valid value.

    Anyway, I executed the commands to assign it via code, but still having the same problem

  2. Johan Runsten 0 Reputation points

    See the updated commands for setting your web app to use user managed identity against acr here: https://learn.microsoft.com/en-us/azure/app-service/configure-custom-container?tabs=debian&pivots=container-linux#use-managed-identity-to-pull-image-from-azure-container-registry

    Namely, webapp config instead of resource update.

    0 comments No comments