0

I have built a Docker image that I have pushed successfully to an Azure Container Registry (ACR) repository.

But I cannot create an Azure Container Instance running it through Azure Powershell:

> New-AzContainerGroup -ResourceGroupName rg-docker-test -Name framerapi-cg -Location francecentral -Container $container -IpAddressType Public

As I get an error:

The image 'crdockertest.azurecr.io/framerapi:latest' in container group 'framerapi-cg' is not accessible. Please check the image and registry credential.

But I was able to push it to ACR without any issue:

> Connect-AzContainerRegistry -Name crdockertest
Login Succeeded
> docker push --all-tags crdockertest.azurecr.io/framerapi

And I can even pull it:

> docker pull crdockertest.azurecr.io/framerapi

But I've found that by enabling "Admin user" for the registry I can create the container group using the generated credentials:

> $pwd = ConvertTo-SecureString -AsPlainText ...
> $credentials = New-AzContainerGroupImageRegistryCredentialObject -Server crdockertest.azurecr.io -Username crdockertest -Password $pwd
> New-AzContainerGroup -ResourceGroupName rg-docker-test -Name framerapi-cg -Location francecentral -Container $container -IpAddressType Public -ImageRegistryCredential $credentials

Why the usual authentication via Connect-AzContainerRegistry (and Connect-AzAccount if it matters) is not working?
What is the fix?
As if I understand well the "Admin user" mode is not suited for production, only for dev/testing.

Improve this question

1 Answer 1

Reset to default
1

This is how I use PowerShell and the AZ to successfully deploy a container image to Azure Container Instances without using the admin username/password.

Just fill out the variables with your own data.

# Step 1: Create a user-assigned managed identity
Write-Host "`nCreating a user-assigned managed identity '${identityName}'."
$identity = az identity create --name $identityName `
                   --resource-group $rgname `
                   --output json | ConvertFrom-Json
$identityId = $identity.id
$principalId = $identity.principalId
$clientId = $identity.clientId
Write-Host "User-assigned managed identity created"
Write-Host "id: ${identityId}"
Write-Host "PrincipalId: ${principalId}"
Write-Host "ClientId: ${clientId}"

# Step 2: Get the Azure Container Registry ID
Write-Host "`n`nRetrieving the Azure Container Registry ID"
$containerRegistry = az acr show --name $acrname --output json | ConvertFrom-Json
$acrid = $containerRegistry.id
Write-Host "Azure Container Registry ID: ${acrid}"

# Step 3: Assign the AcrPull role to the managed identity on the ACR
Write-Host "`n`nAssigning AcrPull role to the managed identity on the container registry."
$role = az role assignment create --assignee $principalId --role "AcrPull" --scope $acrid --output json | ConvertFrom-Json


# Step 4: Create a Log Analytics workspace
Write-Host "`n`nCreating a Log Analytics workspace named '${workspaceName}'"
$logAnalyticsWorkspace = az monitor log-analytics workspace create `
                            --resource-group $rgname `
                            --workspace-name $workspaceName `
                            --location $location `
                            --output json | ConvertFrom-Json
$workspaceId = $logAnalyticsWorkspace.customerId
Write-Host "Log Analytics workspace created with id ${workspaceId}"

# Step 5: Get Log Analytics workspace keys
Write-Host "`n`nGet log analytics workspace keys"
$workspaceKeys = az monitor log-analytics workspace get-shared-keys `
                         --resource-group $rgname `
                         --workspace-name $workspaceName `
                         --output json | ConvertFrom-Json
$workspaceKey = $workspaceKeys.primarySharedKey

# Step 6: Create Azure Container Instance
Write-Host "`n`nCreating Azure Container Instance"
$container = az container create --resource-group $rgname `
                                --name $containerInstanceName `
                                --image "${acrname}.azurecr.io/${imagename}:latest" `
                                --cpu 0.5 `
                                --memory 0.5 `
                                --ports 8080 `
                                --dns-name-label $containerInstanceName `
                                --assign-identity $identityId `
                                --acr-identity $identityId `
                                --log-analytics-workspace $workspaceId `
                                --log-analytics-workspace-key $workspaceKey `
                                --environment-variables AZURE_CLIENT_ID=$clientId `
                                --output json | ConvertFrom-Json
$containerId = $container.id
$hostName = $container.ipAddress.fqdn

# Final Output
Write-Host "`n`nCloudDebugger container image deployed to Azure Container Instance." -ForegroundColor Green
Write-Host "Hostname: http://${hostName}:8080" -ForegroundColor Green

Hope that helps.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.