This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 19%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESE%3C/text%3E%3C/svg%3E)
Hi, I am trying to create a containerapp with az cli using the following params
az containerapp create --name aca-az2003 --resource-group $RG1 --environment environmentforacontpps --registry-identity $spID --registry-server acraz2003.azurecr.io --image aspnetcorecontainer:latest --ingress external
I used the $spID that I retrived it with
$spID=$(az identity show --resource-group $rg1 --name uai-az2003 --query principalId --output tsv)
where is the user-assigned identity but getting an error
--registry-identity must be an identity resource ID or 'system' or 'system-environment'
So is identity resource ID means the id for the acr? I did but also erroring
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 13%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPK%3C/text%3E%3C/svg%3E)
Hi @Salam ELIAS, --registry-identity refers to the managed identity with which to authenticate to the Azure Container Registry. Use resource id for user-defined environment/containerapp level identity. Refer MSDOC.
Hi,
You need to remove the initial $ in order to set the variable. Your code should look similar to below:
spID=$(az identity show --resource-group $rg1 --name uai-az2003 --query principalId --output tsv)
Please click Accept Answer and upvote if the above was helpful.
Thanks.
-TP
Hi TP, I am working on my local win 10 machine usin az cli so the $ is mandatoy for variables. As I said, I am getting the ID when I type $spID as follows
68a69d88-xxxxxx-xxxa-8d1d-75bc58xxxxxx
I've not had a chance to test to make certain, but based on the error it is looking for resource id, not principal id. Based on that, please test below command instead:
$spID=$(az identity show --resource-group $rg1 --name uai-az2003 --query id --output tsv)
Thanks TP, yes with this new spID it started working but after a while I get
/ Running ..Failed to provision revision for container app 'aca-az2003sierac'. Error details: The following field(s) are either invalid or missing. Field 'template.containers.aca-az2003sierac.image' is invalid with details: 'Invalid value: "aspnetcorecontainer:latest": GET https:: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:library/aspnetcorecontainer Type:repository]]';..
So the uai-az2003 has arcPull privilges and I am already logged to azure with "az login " and using my super admin user
What is strange, it creates the ACP but without the container (which I shoud think is normal according to error message)
Hi TP, any feedback please?
Hi TP, any feedback please?
Sorry, did get notified of your reply. Let me run some tests in one of my subscriptions and I'll reply back.
Hi Salam ELIAS,
Thanks for using Q & A forum.
Solution:
--registry-identity parameter.Use below commands to create container App using --registry-identity.
1. resourcegroup= <resourcegroup_name>
// fetch resourceID of User Assigned Managed Identity
2. spResourceID=$(az identity show --resource-group $resourcegroup --name <user_managed_identity_name> --query id --output tsv)
//Create Container App Environment
3. az containerapp env create --name <containerapp_environment> --resource-group $resourcegroup --location "<Location>"
//Create container registry
4. az acr create --resource-group $resourcegroup --name <registry_name> --sku Basic
// Create Container App using resourceID of managed identity
5. az containerapp create --name <container_app_name> --resource-group $resourcegroup --environment <containerapp_environment> --registry-identity $spResourceID --registry-server <Container_registry>.azurecr.io --image <image:tag> --ingress external
I have created the container app using --registry-identity:
az containerapp create --name <container_app_name> --resource-group $resourcegroup --environment <containerapp_environment> --registry-identity $spResourceID --registry-server <Container_registry>.azurecr.io --image <image:tag> --ingress external
Output:
Container app created. Access your app at https://kpaca06.yellowflower-3354809f.eastus.azurecontainerapps.io/
{
//Removed excess config
"registries": [
{
"identity": "/subscriptions/d93995eXX9e52bc/resourcegroups/pravrg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/kpuami",
"passwordSecretRef": "",
"server": "kpregistry06.azurecr.io",
"username": ""
}
],
"secrets": null,
"service": null
},
//Removed excess config
"provisioningState": "Succeeded",
"runningStatus": "Running",
"template": {
"containers": [
{
"image": "mcr.microsoft.com/dotnet/aspnet:latest",
"name": "kpaca06",
"resources": {
"cpu": 0.5,
"ephemeralStorage": "2Gi",
"memory": "1Gi"
}
}
]
//Removed excess config
"type": "Microsoft.App/containerApps"
}
Container App got created with User Assigned managed identity enabled:
Hope this helps.
If the Answer is helpful, please click Accept Answer and Up-Vote, so that it can help others in the community looking for help on similar topics.
Hi @Salam ELIAS, Just checking in to see if the provided answer helped. If you have any further queries, do let us know.
Hi Pravalika and thanks for your detailed response. I ran
$spResourceID=$(az identity show --resource-group $rg1 --name uai-az2003 --query id --output tsv)
for which I got
/subscriptions/XXXXXXXX-4725-460d-8e3b-8XXXXXXXXXXX/resourcegroups/RG1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/uai-az2003
when I run
az containerapp create --name aca-az2003-bis --resource-group $rg1 --environment environmentforacontpps --registry-identity $spResourceID --registry-server acraz2003sierac.azurecr.io --image aspnetcorecontaineracp:latest --ingress external
I get
- Running ..Failed to provision revision for container app 'aca-az2003-bis'. Error details: The following field(s) are either invalid or missing. Field 'template.containers.aca-az2003-bis.image' is invalid with details: 'Invalid value: "aspnetcorecontaineracp:latest": GET https:: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:library/aspnetcorecontaineracp Type:repository]]';..
in spite of the fact that I am logged with az login as a super user and repo exists with an image
At the begining of the execution, I get a message
D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\cryptography/hazmat/backends/openssl/backend.py:8: UserWarning: You are using cryptography on a 32-bit Python on a 64-bit Windows Operating System. Cryptography will be significantly faster if you switch to using a 64-bit Python.
I dont have a D drive and cant understand this cryptic message, anyway, how this can be fixed? Thanks