0
votes

Based on this guide I wrote this sample code which works for the default image ("microsoft/aci-helloworld"), but fails when changing to an image from an Azure Container Registry in my azure subscription.

The error message is:

    The image 'mytest.azurecr.io/myimage:latest' in container group '' is not accessible. Please check the image and registry credential.

I found this similar SO thread but the sample code already uses the solution from that question (using file based auth).

I've also tried my image name with/without the ":latest" suffix, and made sure that a "docker pull mytest.azurecr.io/myimage:latest" succeeds.


Edit: Adding ACR screenshot:

enter image description here

Note: I've also tried the C# code sample (according to the similar SO thread), and received the same error. I'm probably missing something that's configuration related. How do I allow the service principal to have access to the ACR? I created the principal according to the guide:

    az ad sp create-for-rbac --sdk-auth > my.azureauth

Does this mean this service principal should have access to any ACR in the same subscription?

2
As I know, the image is not accessible only in the state that the image is not in the container registry. Can you share the screenshot of the ACR repository? – Charles Xu

I shared a screenshot, ty – Tom

Any updates? Does it solve your problem? If it works for you please accept it. – Charles Xu

I'm sorry, your answer didn't solve my problem. As for the status, I managed to get it to work in C#. The reason it didn't work for me in C# is that I didn't use the ACR's credentials. I.e. I had to invoke WithPrivateImageRegistry(acrUrl, user, password). I've since continued with the C# code, I may get back to the python code some time in the future. I'm guessing that it's the same issue with the python code, i.e. I'm not giving the ACR's credentials to the API. Since I'm on a very tight schedule I haven't had the time to seek and test the matching python API. – Tom

2 Answers

2
votes

The missing part was adding the ACR's credentials. The fixed code looks like so (you have to set the server, username and password in the ImageRegistryCredential instance):

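    from azure.mgmt.containerinstance.models import (
        ContainerGroup, ImageRegistryCredential, OperatingSystemTypes)

    # Credentials for the private registry that hosts the image (placeholder values).
    credentials = [ImageRegistryCredential(server='myregistry.azurecr.io', username='acr_username', password='acr_password')]

    # Pass the registry credentials along with the container group definition.
    group = ContainerGroup(location=resource_group.location,
                           containers=[container],
                           os_type=OperatingSystemTypes.linux,
                           ip_address=group_ip_address,
                           image_registry_credentials=credentials)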
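
An added example (not part of the answer above, and not Azure SDK code): a pre-flight check for the condition behind this error, an image hosted on a private registry with no matching entry in `image_registry_credentials`, with the ACR login read from environment variables instead of being hardcoded. The variable names `ACR_USERNAME` and `ACR_PASSWORD`, the helper names, and the plain-dict credential shape (mirroring the `server`/`username`/`password` fields above) are assumptions; only `docker.io` is treated as pullable without credentials.

```python
import os


def registry_host(image):
    """Return the registry host of a Docker image reference.

    Docker's rule: the first path component is a registry host only if it
    contains '.' or ':' or is 'localhost'; otherwise the image is on docker.io.
    """
    name = image.split("@", 1)[0]  # drop an optional @sha256:... digest
    first, sep, _rest = name.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return "docker.io"  # e.g. microsoft/aci-helloworld


def missing_registry_credentials(images, credentials):
    """Return private registry hosts used by `images` that have no credential."""
    servers = {c["server"].lower() for c in credentials}
    hosts = {registry_host(i) for i in images}
    return sorted(h for h in hosts if h != "docker.io" and h not in servers)


def credential_from_env(server, env=os.environ):
    """Build ImageRegistryCredential keyword arguments from the environment.

    ACR_USERNAME / ACR_PASSWORD are assumed variable names, not an Azure convention.
    """
    try:
        return {"server": server,
                "username": env["ACR_USERNAME"],
                "password": env["ACR_PASSWORD"]}
    except KeyError as exc:
        raise RuntimeError(f"missing environment variable {exc.args[0]}") from None


if __name__ == "__main__":
    # Constructed sample input: the two images mentioned in the question.
    images = ["microsoft/aci-helloworld", "mytest.azurecr.io/myimage:latest"]
    for host in missing_registry_credentials(images, credentials=[]):
        print(f"no registry credential configured for {host}")
```

The dict returned by `credential_from_env` can be unpacked as `ImageRegistryCredential(**cred)` when building the container group.
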
1
votes

According to my experience, the error you got is caused by the wrong image name; it indicates that the image cannot be found in the ACR. As the screenshot shows, the image name must be xxxtestaci.azurecr.io/tempxxx:latest or xxxtestaci.azurecr.io/tempxxx. It's also easy to reproduce the error:

enter image description here

And for the credential of the ACR, you can follow the steps in Azure Container Registry authentication with service principals. But if you use only one service principal both for creating the resources and for pulling the image from ACR, I suggest you grant the service principal the Contributor role.

> Does this mean this service principal should have access to any ACR in the same subscription?

By default, the CLI command az ad sp create-for-rbac uses the default parameter --role Contributor. So yes, it has access to any ACR in the same subscription.