azure azure-managed-identity azure-container-instances azure-container-registry

Error when deploying ACI configured to pull images from ACR using managed identity over private VNET


I'm trying to follow the instructions here:

https://learn.microsoft.com/en-us/azure/container-instances/using-azure-container-registry-mi

Which I understand should allow me to deploy an Azure Container Instance (ACI) which uses a managed identity to pull images from the referenced Azure Container Registry (ACR). I'm following all the steps, but when I attempt to deploy the ACI using yaml, I get the following error:

(InvalidImageRegistryCredentialType) Identity in 'imageRegistryCredentials' of container group '<node-name>' is not supported.
Code: InvalidImageRegistryCredentialType
Message: Identity in 'imageRegistryCredentials' of container group '<node-name>' is not supported.

I've checked the imageRegistryCredentials and it's formatted correctly, and the managed identity appears to be correct, with the correct RBAC assigned.

I've also tried updating the managed identity ID to one that doesn't exist, and it returns a 404 error of sorts, so I know it's something to do with either how ACR or the managed identity is configured.

To confirm, the ACR is within a private VNET with private endpoint. For testing, I've tried enabling public access, which doesn't change the error.

I'm also running the az container create command line from a location with VPN access to the VNET. Dropping the VPN connection doesn't change the error either.

Verbose and debug options on the CLI don't give me anything else to go on.

Anyone else hazard a guess?


Solution

  • Turns out it's a single line fix!...

    The API version in my yaml file was:

    apiVersion: 2019-12-01

    ...which was too old. Updating to:

    apiVersion: 2021-10-01

    Fixes the issue.
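For reference, an added example (not from the original post) of a container group YAML that combines the `apiVersion` from the answer with an identity-based `imageRegistryCredentials` entry. The group name, region, image and every `<...>` value are placeholders; networking settings for the private VNET are left out.

```yaml
# Constructed example: all <...> values and names are placeholders.
apiVersion: '2021-10-01'   # 2019-12-01 was rejected with InvalidImageRegistryCredentialType
name: example-container-group
location: <region>
type: Microsoft.ContainerInstance/containerGroups

# The user-assigned identity must be attached to the container group itself...
identity:
  type: UserAssigned
  userAssignedIdentities:
    '/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<identity-name>': {}

properties:
  osType: Linux
  restartPolicy: Never
  containers:
  - name: app
    properties:
      image: <registry-name>.azurecr.io/<repository>:<tag>
      resources:
        requests:
          cpu: 1.0
          memoryInGB: 1.5

  # ...and referenced here by the same resource ID, instead of username/password.
  # The identity needs pull rights on the registry (for example the AcrPull role).
  imageRegistryCredentials:
  - server: <registry-name>.azurecr.io
    identity: '/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<identity-name>'
```

Deployed with `az container create --resource-group <resource-group> --file <file>.yaml`, the same command used in the question.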