Azure Container App Fails to pull images from Private Azure Container Registry using User Managed identity with AcrPull

Harsh Misra 0 Reputation points
2025-02-18T04:05:13.2666667+00:00

We have an Azure Container Registry, which we keep behind a private endpoint.

The private endpoint is in the same VNET as the "Azure Container Apps" Environment.

I am using a User Managed Identity to pull images from ACR.

On deploying the Azure Container App via the following Bicep script, I get the following errors:

param identity string
param location string = resourceGroup().location
param containerAppName string 
param environment string 
param appEnvironmentName string
param azureContainerRegistry string 
param azureContainerRegistryImage string 
param azureContainerRegistryImageTag string
var identityResourceId = resourceId(resourceGroup().name , 'Microsoft.ManagedIdentity/userAssignedIdentities', identity)

resource containerApp 'Microsoft.App/containerApps@2024-10-02-preview' = {
  name: toLower('${containerAppName}-${environment}')
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${identityResourceId}': {}
    }
  }
  properties: {
    environmentId: resourceId(resourceGroup().name, 'Microsoft.App/managedEnvironments', appEnvironmentName)
    configuration: {
      identitySettings: [
        {
          identity: identityResourceId
          lifecycle: 'All'
        }
      ]
      ingress: {
        external: true
        targetPort: 5000
        allowInsecure: false
        traffic: [
          {
            latestRevision: true
            weight: 100
          }
        ]
      }
      registries: [
        {
          server: '${azureContainerRegistry}.azurecr.io'
          identity: identityResourceId
        }
      ]
    }
    template: {
      containers: [
        {
          image: '${azureContainerRegistry}.azurecr.io/${azureContainerRegistryImage}:${azureContainerRegistryImageTag}'
          name: 'backend'
          resources: {
            cpu: 1
            memory: '1Gi'
          }
        }
      ]
      scale: {
        minReplicas: 1
        maxReplicas: 3
      }
    }
  }
}
 

The deployment fails with the following errors:

{"status":"Failed","error":{"code":"DeploymentFailed","target":"/subscriptions/<redacted>/resourceGroups/Services_RG/providers/Microsoft.Resources/deployments/dev","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.","details":[{"code":"ResourceDeploymentFailure","target":"/subscriptions/<redacted>/resourceGroups/Services_RG/providers/Microsoft.App/containerApps/yupanaappbackend-dev","message":"The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'.","details":[{"code":"ContainerAppOperationError","message":"Failed to provision revision for container app 'yupanaappbackend-dev'. Error details: The following field(s) are either invalid or missing. Field 'template.containers.backend.image' is invalid with details: 'Invalid value: \"<redacted>.azurecr.io/backend:beta\": GET https:: DENIED: requested access to the resource is denied';.."}]}]}}