Fails to pull images from Azure Container Registry by using Managed Identity authentication

This article discusses how to troubleshoot image pull failures when you deploy to Azure Container Instances (ACI) from Azure Container Registry (ACR) by using a managed identity.

Symptoms

When you try to deploy a container group and pull images from an Azure container registry that runs behind a private endpoint by using a managed identity, the image pull fails.

Cause

Here are some causes of image pull failures:

  • From the ACI side:

    • Depending on the ACI API version used to deploy the container group, the credential format provided in the container group ARM template might be invalid.
    • Using a managed identity in the container group might violate ACI limitations.
    • The container group definition in the ARM template might be malformed.
  • From the ACR side:

    • You might be using an earlier API version.
    • You might be using a private DNS zone for the container registry.

Troubleshooting from the ACI side

  1. Check if you're using an ACI API version earlier than 2021-07-01.

    If so, you might see the "InvalidImageRegistryCredentialType" error:

    $ az deployment group create -g <resourcegroupname> --template-file containergroup_trusted.json 
    Deployment failed. Correlation ID: <Correlation ID>. { 
      "error": { 
        "code": "InvalidImageRegistryCredentialType", 
        "message": "Identity in 'imageRegistryCredentials' of container group 'acrtestcontainergroup' is not supported." 
      } 
    } 
    

    To resolve this issue, use ACI API version 2021-07-01 or later.

  2. Check if you're violating any ACI limitations.

    Limitations include:

    • Virtual network injected container groups.
    • Windows Server 2016 container groups.
    • Attempting to resolve ACR's private DNS zone.

    To resolve this issue, ensure that you don't violate those limitations.

  3. Check if the container group definition is correctly formed.

    If not, you might see the following errors:

    • Error code "AmbiguousImageResitryCredentialType":

      Deployment failed. Correlation ID: <Correlation ID>. {
        "error": {
          "code": "AmbiguousImageResitryCredentialType",
          "message": "The registry credential type in the 'imageRegistryCredentials' of container group 'acrtestcontainergroup' cannot be detected. Please set exactly one of username or identity"
        }
      }
      
    • Error code "InvalidImageRegistryIdentity":

      Deployment failed. Correlation ID: <Correlation ID>. {
        "error": {
          "code": "InvalidImageRegistryIdentity",
          "message": "The identity in the 'imageRegistryCredentials' of container group 'acrtestcontainergroup' not found in container group identity list."
        }
      }
      
    • Error code "InvalidRequestContent":

      Deployment failed. Correlation ID: <Correlation ID>. {
        "error": {
          "code": "InvalidRequestContent",
          "message": "The request content was invalid and could not be deserialized: 'Required property 'server' not found in JSON. Path 'properties.imageRegistryCredentials[0]', line 1, position 586.'."
        }
      }
      

    To resolve this issue, you must provide the following properties in the ARM template:
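
The conditions behind the error messages in steps 1 and 3 can be checked against a template before deployment. The following Python pre-flight check is an added example, not part of the original article or any Microsoft tooling; its function names and the sample template are constructed for illustration. It assumes literal values in the template (ARM expressions such as [parameters(...)] are not evaluated) and compares identity resource IDs case-insensitively.

```python
import json
RESOURCE_TYPE = "Microsoft.ContainerInstance/containerGroups"
MIN_API_VERSION = "2021-07-01"  # minimum ACI API version named in step 1

def check_container_group(resource):
    """Return (error_code, detail) pairs this container group would likely trigger."""
    findings = []
    creds = resource.get("properties", {}).get("imageRegistryCredentials") or []
    identity_block = resource.get("identity") or {}
    # User-assigned identities are keyed by resource ID; compare case-insensitively.
    attached = {k.lower() for k in (identity_block.get("userAssignedIdentities") or {})}
    # API versions start with a YYYY-MM-DD date, so string comparison orders them.
    old_api = resource.get("apiVersion", "")[:10] < MIN_API_VERSION
    for i, cred in enumerate(creds):
        where = f"imageRegistryCredentials[{i}]"
        if not cred.get("server"):
            findings.append(("InvalidRequestContent", f"{where}: 'server' is missing"))
        has_user, has_identity = bool(cred.get("username")), bool(cred.get("identity"))
        if has_user == has_identity:  # both set, or neither set
            findings.append(("AmbiguousImageResitryCredentialType",
                             f"{where}: set exactly one of username or identity"))
            continue
        if has_identity and old_api:
            findings.append(("InvalidImageRegistryCredentialType",
                             f"{where}: identity needs apiVersion >= {MIN_API_VERSION}"))
        if has_identity and cred["identity"].lower() not in attached:
            findings.append(("InvalidImageRegistryIdentity",
                             f"{where}: identity not in the group's identity list"))
    return findings

def check_template(template_text):
    """Map each container group name in an ARM template to its findings."""
    resources = json.loads(template_text).get("resources", [])
    return {r.get("name", "<unnamed>"): check_container_group(r)
            for r in resources if r.get("type", "").lower() == RESOURCE_TYPE.lower()}

# Constructed sample template (placeholder IDs, not real resources).
PULL_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
           "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/pull-id")
SAMPLE = json.dumps({"resources": [{
    "type": RESOURCE_TYPE, "apiVersion": "2021-03-01", "name": "acrtestcontainergroup",
    "identity": {"type": "UserAssigned", "userAssignedIdentities": {}},
    "properties": {"imageRegistryCredentials": [
        {"server": "myacr.azurecr.io", "identity": PULL_ID},  # old API, ID not attached
        {"username": "user", "identity": PULL_ID},            # no server, two types
    ]}}]})

if __name__ == "__main__":
    for name, findings in check_template(SAMPLE).items():
        print(name, findings)
```

An empty findings list means none of these four conditions was detected; it does not cover the ACI limitations in step 2 or the registry-side checks.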

Troubleshooting from the ACR side

  1. Check if the managed identity has the AcrPull role assigned.

    If not, you might see the "InaccessibleImage" error:

    Deployment failed. Correlation ID: <Correlation ID>. { 
      "error": { 
        "code": "InaccessibleImage", 
        "message": "The image 'myacr.azurecr.io/pythonworker:v1' in container group 'acrtestcontainergroup' is not accessible. Please check the image and registry credential." 
      } 
    } 
    

    To resolve this issue, grant the AcrPull role to the managed identity. For more information, see Grant the identity permissions to access other Azure resources.

  2. Check if ACR has trusted services enabled. If not, enable trusted services.
