revision is getting Activation error for a Container App

Question

My container app is linked to an image in azure registry. The app works fine in local but the revision gets an Activation error.

Following similar topics in the forum, already this the following steps:

I assigned a Managed Identity to the container app (identity tab) and then assigned the ACrPull role in the IAM of the Registry

i can successfully docker pull the image from azure registry

cannot find any logs regarding the error other than Activation Failed

logs:

{"TimeStamp":"2025-03-01T16:37:28Z","Type":"Normal","ContainerAppName":null,"RevisionName":null,"ReplicaName":null,"Msg":"Connecting to the events collector...","Reason":"StartingGettingEvents","EventSource":"ContainerAppController","Count":1}
{"TimeStamp":"2025-03-01T16:37:29Z","Type":"Normal","ContainerAppName":null,"RevisionName":null,"ReplicaName":null,"Msg":"Successfully connected to events server","Reason":"ConnectedToEventsServer","EventSource":"ContainerAppController","Count":1}
{"TimeStamp":"2025-03-01 16:33:37 \u002B0000 UTC","Type":"Normal","ContainerAppName":"prodlabelmatchingv7","RevisionName":"","ReplicaName":"","Msg":"Updating containerApp: prodlabelmatchingv7","Reason":"ContainerAppUpdate","EventSource":"ContainerAppController","Count":10}
{"TimeStamp":"2025-03-01 16:33:37 \u002B0000 UTC","Type":"Normal","ContainerAppName":"prodlabelmatchingv7","RevisionName":"prodlabelmatchingv7--txe6sro","ReplicaName":"","Msg":"Updating revision : prodlabelmatchingv7--txe6sro","Reason":"RevisionUpdate","EventSource":"ContainerAppController","Count":2}
{"TimeStamp":"2025-03-01 16:33:37 \u002B0000 UTC","Type":"Normal","ContainerAppName":"prodlabelmatchingv7","RevisionName":"","ReplicaName":"","Msg":"Setting traffic weight of \u0027100%\u0027 for revision \u0027prodlabelmatchingv7--9k7llvl\u0027","Reason":"RevisionUpdate","EventSource":"ContainerAppController","Count":7}
{"TimeStamp":"2025-03-01 16:33:37 \u002B0000 UTC","Type":"Normal","ContainerAppName":"prodlabelmatchingv7","RevisionName":"prodlabelmatchingv7--txe6sro","ReplicaName":"","Msg":"Successfully provisioned revision \u0027prodlabelmatchingv7--txe6sro\u0027","Reason":"RevisionReady","EventSource":"ContainerAppController","Count":2}
{"TimeStamp":"2025-03-01 16:33:56 \u002B0000 UTC","Type":"Normal","ContainerAppName":"prodlabelmatchingv7","RevisionName":"prodlabelmatchingv7--txe6sro","ReplicaName":"prodlabelmatchingv7--txe6sro-6db6d684c7-zbv42","Msg":"Pulling image \u0027productlabelmatchv6.azurecr.io/prodlabelmatching:latest\u0027","Reason":"PullingImage","EventSource":"ContainerAppController","Count":1}

I also managed to create a container app successfully using the simple hello app container image as test. I suspect the issue is with the registry or app itself but since it is working in local and couldn't find more logs, then I lost.

Any help would be much appreciated

Answer 1

Hello @javier

Thanks for using Q & A forum.

Follow the below Steps-

[Step 1]: Verify Managed Identity and Role Assignment Propagation

Check the Azure Activity Log for the role assignment to confirm it was successfully created. Also, wait for a reasonable amount of time (e.g., 5-10 minutes) after assigning the role before attempting to activate the revision. Sometimes, propagation delays are the root cause.

[Step 2]: Confirm Correct Managed Identity is Used

1. In the Azure portal, navigate to your Container App.
2. Go to the "Identity" tab.
3. Note whether you're using a System-assigned or User-assigned Managed Identity.
4. If using a User-assigned Managed Identity, verify that the correct identity is selected.
5. Go to your Azure Container Registry.
6. Go to "Access control (IAM)".
7. Check the role assignments. Ensure the Managed Identity you noted in steps 3 or 4 has the "ACRPull" role assigned to it. The "Principal" should match the name of your Managed Identity.

[Step 3]: Check Container App Configuration for Image Pull Authentication

The container app needs to be configured to use the Managed Identity for pulling the image. While the portal often handles this automatically, it's worth verifying. If you're using the Azure CLI, ensure the acr-pull-managed-identity parameter is correctly set when creating or updating the container app. If you're using an ARM template, ensure the identity block is correctly configured.

Example Azure CLI command:

az containerapp update \
  --name <container_app_name> \
  --resource-group <resource_group_name> \
  --registry-server <acr_name>.azurecr.io \
  --acr-pull-managed-identity <managed_identity_client_id> 

If using a system-assigned managed identity, you can omit the --acr-pull-managed-identity parameter.

[Step 4]: Investigate Health Probes

1. In the Azure portal, navigate to your Container App.
2. Go to the "Revisions management" tab.
3. Click on the failing revision.
4. Examine the "Health status" section. If the probes are failing, investigate the logs of your container to determine why. A failing health probe can cause the container to continuously restart, leading to activation errors.

[Step 5]: Check Azure Container Registry Network Rules (If Applicable)

1. In the Azure portal, navigate to your Azure Container Registry.
2. Go to "Networking".
3. If "Public network access" is disabled or "Selected networks" is enabled, ensure that the container app's subnet or IP address is allowed to access the registry. You might need to add a virtual network rule or an IP address rule. If the container app is integrated with a virtual network, you'll likely need to add a virtual network rule.

[Step 6]: Examine Container App Logs (Even if Limited)

Even if you're not seeing detailed logs, check the container app's logs for any error messages or clues. Go to the "Monitor" section and then "Logs". Use Kusto Query Language (KQL) to query the logs. For example:

Container

---

If the Answer is helpful, please click Accept Answer and Up-Vote, so that it can help others in the community looking for help on similar topics.