I've been trying to deploy a docker image that's already pushed in our azure container registry. I'm receiving the following error:
/usr/bin/az containerapp update -n <appName> -g <resourceGroupName> -i <containerRegistry>.azurecr.io/<repository>:20240430.13 --replace-env-vars ASPNETCORE_ENVIRONMENT=Acceptance
ERROR: (InvalidParameterValueInContainerTemplate) The following field(s) are either invalid or missing. Field 'template.containers.<appName>.image' is invalid with details: 'Invalid value: "<containerRegistry>.azurecr.io/<repository>:20240430.13": GET https:?scope=repository%3A<containerRegistry>%3Apull&service=<containerRegistry>.azurecr.io: UNAUTHORIZED: authentication required, visit https://aka.ms/acr/authorization for more information.';.
##[error]Error Code: [1]
##[error]Error: Unable to update Azure Container App via 'az containerapp update' command.
As you can see, it gives an error regarding the authentication process to the registry. Here's the job I use for the deployment:
jobs:
- job: Deploy
displayName: Deploy Docker image
steps:
- task: AzureContainerApps@1
displayName: 'Deploy from container registry'
inputs:
resourceGroup: $(resourceGroupName)
azureSubscription: ${{parameters.devopsServiceConnection}}
containerAppEnvironment: $(containerAppEnvironment)
containerAppName: $(appName)
acrName: $(containerRegistry)
imageToDeploy: $(containerRegistry).azurecr.io/$(repository):$(Build.BuildNumber)
environmentVariables: 'ASPNETCORE_ENVIRONMENT=Acceptance'
Here's what I know / have excluded:
From the logs, when it ran az login (part of the task), it returned a list of subscriptions it has access over. The service connection passed on azureSubscription (ACC) included
When it runs az account set --subscription <tenant_id> it is the tenant id of the subscription specified as above.
It logs into the container registry using the token generated by the Azure CLI (which has access to the ACC subscription)
Logging in to Azure Container Registry using access token to be generated via Azure CLI.
/usr/bin/bash -c CA_ADO_TASK_ACR_ACCESS_TOKEN=$(az acr login --name <containerRegistry> --output json --expose-token --only-show-errors | jq -r '.accessToken'); docker login <containerRegistry>.azurecr.io -u 00000000-0000-0000-0000-000000000000 -p $CA_ADO_TASK_ACR_ACCESS_TOKEN > /dev/null 2>&1
This though, does return an empty line in the console. (might be important ?) I guess it could also be because of truncation of the sensitive data, otherwise it would indefinitely be saved in the logs.
After verifying all of the above, I checked the subscription access. Both the container registry and the container app that I'm trying to deploy to are under the ACC subscription. I've checked our project settings to see the service connection settings, which has full access over the ACC subscription (which includes for example both AcrPull AND AcrPush)
I've been messing with this for a few hours now and was hoping someone else had the same issue that could help me solve it.
I've removed a lot of data that are sensitive for my company. But if you see <appName> I've verified that it's the same variable as passed with $(appName).
After being stuck on this for over a week I've finally found an answer, I'd like to share this with everyone. The imageToDeploy is an url, but even though it's an url it's still case sensitive...
Since the containerRegistry variable had some casing it couldn't "find"?? the Azure container registry, and therefore failed with an authentication error. By lowercasing my acr name for the url it finally worked.