azuredockerazure-container-instancesazure-container-registry

Why Azure Container Instance cannot access Azure Container Registry image

I have built a Docker image that I have pushed successfully to an Azure Container Registry (ACR) repository.

But I cannot create an Azure Container Instance running it through Azure Powershell:

> New-AzContainerGroup -ResourceGroupName rg-docker-test -Name framerapi-cg -Location francecentral -Container $container -IpAddressType Public

As I get an error:

The image 'crdockertest.azurecr.io/framerapi:latest' in container group 'framerapi-cg' is not accessible. Please check the image and registry credential.

But I was able to push it to ACR without any issue:

> Connect-AzContainerRegistry -Name crdockertest
Login Succeeded
> docker push --all-tags crdockertest.azurecr.io/framerapi

And I can even pull it:

> docker pull crdockertest.azurecr.io/framerapi

But I've found that by enabling "Admin user" for the registry I can create the container group using the generated credentials:

> $pwd = ConvertTo-SecureString -AsPlainText ...
> $credentials = New-AzContainerGroupImageRegistryCredentialObject -Server crdockertest.azurecr.io -Username crdockertest -Password $pwd
> New-AzContainerGroup -ResourceGroupName rg-docker-test -Name framerapi-cg -Location francecentral -Container $container -IpAddressType Public -ImageRegistryCredential $credentials

Why the usual authentication via Connect-AzContainerRegistry (and Connect-AzAccount if it matters) is not working?
What is the fix?
As if I understand well the "Admin user" mode is not suited for production, only for dev/testing.

Solution

  • This is how I use PowerShell and the AZ to successfully deploy a container image to Azure Container Instances without using the admin username/password.

    Just fill out the variables with your own data.

    # Step 1: Create a user-assigned managed identity
Write-Host "`nCreating a user-assigned managed identity '${identityName}'."
$identity = az identity create --name $identityName `
                   --resource-group $rgname `
                   --output json | ConvertFrom-Json
$identityId = $identity.id
$principalId = $identity.principalId
$clientId = $identity.clientId
Write-Host "User-assigned managed identity created"
Write-Host "id: ${identityId}"
Write-Host "PrincipalId: ${principalId}"
Write-Host "ClientId: ${clientId}"

# Step 2: Get the Azure Container Registry ID
Write-Host "`n`nRetrieving the Azure Container Registry ID"
$containerRegistry = az acr show --name $acrname --output json | ConvertFrom-Json
$acrid = $containerRegistry.id
Write-Host "Azure Container Registry ID: ${acrid}"

# Step 3: Assign the AcrPull role to the managed identity on the ACR
Write-Host "`n`nAssigning AcrPull role to the managed identity on the container registry."
$role = az role assignment create --assignee $principalId --role "AcrPull" --scope $acrid --output json | ConvertFrom-Json


# Step 4: Create a Log Analytics workspace
Write-Host "`n`nCreating a Log Analytics workspace named '${workspaceName}'"
$logAnalyticsWorkspace = az monitor log-analytics workspace create `
                            --resource-group $rgname `
                            --workspace-name $workspaceName `
                            --location $location `
                            --output json | ConvertFrom-Json
$workspaceId = $logAnalyticsWorkspace.customerId
Write-Host "Log Analytics workspace created with id ${workspaceId}"

# Step 5: Get Log Analytics workspace keys
Write-Host "`n`nGet log analytics workspace keys"
$workspaceKeys = az monitor log-analytics workspace get-shared-keys `
                         --resource-group $rgname `
                         --workspace-name $workspaceName `
                         --output json | ConvertFrom-Json
$workspaceKey = $workspaceKeys.primarySharedKey

# Step 6: Create Azure Container Instance
Write-Host "`n`nCreating Azure Container Instance"
$container = az container create --resource-group $rgname `
                                --name $containerInstanceName `
                                --image "${acrname}.azurecr.io/${imagename}:latest" `
                                --cpu 0.5 `
                                --memory 0.5 `
                                --ports 8080 `
                                --dns-name-label $containerInstanceName `
                                --assign-identity $identityId `
                                --acr-identity $identityId `
                                --log-analytics-workspace $workspaceId `
                                --log-analytics-workspace-key $workspaceKey `
                                --environment-variables AZURE_CLIENT_ID=$clientId `
                                --output json | ConvertFrom-Json
$containerId = $container.id
$hostName = $container.ipAddress.fqdn

# Final Output
Write-Host "`n`nCloudDebugger container image deployed to Azure Container Instance." -ForegroundColor Green
Write-Host "Hostname: http://${hostName}:8080" -ForegroundColor Green

    Hope that helps.