1

I am trying to deploy an Azure Container App using Terraform that pulls an image from my Azure Container Registry (ACR), but I'm encountering an authentication error. The error message indicates that the image is invalid because authentication is required to pull from ACR.

resource "azurerm_container_app" "container_app" {
  name                         = var.ContainerAppName
  resource_group_name          = var.ResourceGroup
  container_app_environment_id = azurerm_container_app_environment.container_app_env.id
  revision_mode                = "Single"

  template {
    container {
      name   = "app-name"
      image  = "${azurerm_container_registry.acr.login_server}/${var.ImageName}:latest"
      cpu    = 0.25
      memory = "0.5Gi"
    }
  }

  ingress {
    external_enabled           = true
    allow_insecure_connections = true
    target_port                = 80
    transport                  = "auto" # or "tcp" if using TCP
    traffic_weight {
      percentage      = 100
      latest_revision = true
    }
  }
}

I am currently trying to authenticate using Authenticating to Azure with the Azure CLI and will switch to Authenticating using a Service Principal with a Client Secret later on.

Error I am facing:

Error: creating Container App (Subscription: "<SUBSCRIPTION_ID>"
Resource Group Name: "<RESOURCE_GROUP_NAME>"
Container App Name: "<CONTAINER_APP_NAME>"): polling after CreateOrUpdate: polling failed: the Azure API returned the following error:

Status: "Failed"
Code: "ContainerAppOperationError"
Message: "Failed to provision revision for container app '<CONTAINER_APP_NAME>'. Error details: The following field(s) are either invalid or missing. Field 'template.containers.<CONTAINER_NAME>.image' is invalid with details: 'Invalid value: \"<ACR_LOGIN_SERVER>/<IMAGE_NAME>:latest\": GET https:?scope=repository%3A<IMAGE_NAME>%3Apull&service=<ACR_LOGIN_SERVER>: UNAUTHORIZED: authentication required, visit https://aka.ms/acr/authorization for more information.';.."
Activity Id: ""

API Response:

----[start]----
{"id":"/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.App/locations/<LOCATION>/containerappOperationStatuses/<OPERATION_STATUS_ID>","name":"<OPERATION_STATUS_ID>","status":"Failed","error":{"code":"ContainerAppOperationError","message":"Failed to provision revision for container app '<CONTAINER_APP_NAME>'. Error details: The following field(s) are either invalid or missing. Field 'template.containers.<CONTAINER_NAME>.image' is invalid with details: 'Invalid value: \"<ACR_LOGIN_SERVER>/<IMAGE_NAME>:latest\": GET https:?scope=repository%3A<IMAGE_NAME>%3Apull&service=<ACR_LOGIN_SERVER>: UNAUTHORIZED: authentication required, visit https://aka.ms/acr/authorization for more information.';.."},"startTime":"<TIMESTAMP>"}
-----[end]-----

with azurerm_container_app.container_app,
on main.tf line 41, in resource "azurerm_container_app" "container_app":
41: resource "azurerm_container_app" "container_app" {

(REMOVED SENSITIVE INFORMATION)

Please remember <IMAGE_NAME> exists at <ACR_LOGIN_SERVER> with admin enabled, verified from UI.

2 Answers

3

The app is launching from Azure Container App, not your Terraform environment, therefore you need to provide the credentials to Azure Container App or use an identity. You need to create a "secret" and use the "secret name" as a reference.

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/container_app#registry

The authentication details must also be supplied, identity and username/password_secret_name are mutually exclusive.

These two blocks should be in the azurerm_container_app resource block (like ingress and template):

...
registry {
  server               = azurerm_container_registry.acr.login_server
  username             = azurerm_container_registry.acr.admin_username
  password_secret_name = "registry-credentials" # must match secret.name below
}

secret {
  name  = "registry-credentials"
  value = azurerm_container_registry.acr.admin_password
}
...

Based on your configuration, you may need an identity in the secret block.

1

As an alternative to @ha36d's answer, try creating a role assignment assigning the AcrPull role to the Container App's principal ID:

resource "azurerm_role_assignment" "acr_pull" {
  scope                = azurerm_container_registry.acr.id
  role_definition_name = "AcrPull"
  principal_id         = azurerm_container_app.container_app.identity[0].principal_id
}

The above sample assumes you're using the system assigned identity, and that no registry blocks are set in the azurerm_container_app resource.

See Azure Container Registry roles and permissions for more details.

2 Comments

I will try this also.
@HitenSamalia this approach has the added advantage of not using passwords. Keep in mind that sensitive data is visible in plain text in the Terraform state file.
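
A passwordless variant of the setup discussed in the answers above, added here as an example and not taken from either answer: a user-assigned managed identity is granted AcrPull before the Container App exists, and the `registry` block refers to that identity instead of a username and secret, so no registry password reaches the Terraform state. The identity resource name `acr_pull` and the variable `var.Location` are assumptions; the registry, environment and other variables are the ones from the question.

```hcl
# Added example (not from the original post): pull from ACR with a
# user-assigned managed identity instead of the registry admin password.

resource "azurerm_user_assigned_identity" "acr_pull" {
  name                = "${var.ContainerAppName}-acr-pull"
  resource_group_name = var.ResourceGroup
  location            = var.Location # assumed variable, not in the question
}

# Least privilege: AcrPull scoped to this one registry only.
resource "azurerm_role_assignment" "acr_pull" {
  scope                = azurerm_container_registry.acr.id
  role_definition_name = "AcrPull"
  principal_id         = azurerm_user_assigned_identity.acr_pull.principal_id
}

resource "azurerm_container_app" "container_app" {
  name                         = var.ContainerAppName
  resource_group_name          = var.ResourceGroup
  container_app_environment_id = azurerm_container_app_environment.container_app_env.id
  revision_mode                = "Single"

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.acr_pull.id]
  }

  # identity and username/password_secret_name are mutually exclusive,
  # so no secret block and no admin credentials are needed here.
  registry {
    server   = azurerm_container_registry.acr.login_server
    identity = azurerm_user_assigned_identity.acr_pull.id
  }

  template {
    container {
      name   = "app-name"
      image  = "${azurerm_container_registry.acr.login_server}/${var.ImageName}:latest"
      cpu    = 0.25
      memory = "0.5Gi"
    }
  }

  # The ingress block from the question goes here unchanged.

  # The role must be in place before the first revision pulls the image.
  depends_on = [azurerm_role_assignment.acr_pull]
}
```

With this in place the registry's admin user can be disabled, since nothing in the configuration reads `admin_username` or `admin_password`.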
