ContainerApp create private registry access not possible
- Package Name: azure.mgmt.appcontainers
- Package Version: 3.0.0
- Operating System: MacOS
- Python Version: 3.11
**Describe the bug**
The access to any private registry is not possible.

**To Reproduce**
Steps to reproduce the behavior:
```python
import os

from azure.identity import ClientSecretCredential
from azure.mgmt.appcontainers import ContainerAppsAPIClient


def main():
    # get the environment variables
    tenant_id = os.environ.get("AZURE_TENANT_ID")
    client_id = os.environ.get("AZURE_CLIENT_ID")
    client_secret = os.environ.get("AZURE_CLIENT_SECRET")
    subscription_id = os.environ.get("AZURE_SUBSCRIPTION_ID")
    environment_resource_group = os.environ.get("CONTAINERENV_RESOURCE_GROUP")
    container_resource_group = os.environ.get("CONTAINER_RESOURCE_GROUP")
    container_environment = os.environ.get("CONTAINER_ENVIRONMENT")
    container_app_name = os.environ.get("CONTAINER_APP_NAME")
    container_image = os.environ.get("CONTAINER_IMAGE")
    container_registry = os.environ.get("CONTAINER_REGISTRY")  # location of the container registry
    container_registry_username = os.environ.get("CONTAINER_REGISTRY_USERNAME")  # username of the container registry
    container_registry_password = os.environ.get("CONTAINER_REGISTRY_PASSWORD")  # password of the container registry

    # location of the container app or default location
    location = os.environ.get("LOCATION", "westeurope")

    # Authentication with service principal
    credential = ClientSecretCredential(tenant_id=tenant_id, client_id=client_id, client_secret=client_secret)

    # initialize the container apps client
    client = ContainerAppsAPIClient(credential, subscription_id)

    # create or update the container app
    print(f"Creat or update '{container_app_name}' in Resource Group '{container_resource_group}'.")
    response = client.container_apps.begin_create_or_update(
        resource_group_name=container_resource_group,
        container_app_name=container_app_name,
        container_app_envelope={
            "location": location,
            "properties": {
                "configuration": {
                    "ingress": {
                        "external": True,
                        "targetPort": 80,
                        "transport": "http"
                    }
                },
                "environmentId": f"/subscriptions/{subscription_id}/resourceGroups/{environment_resource_group}/providers/Microsoft.App/managedEnvironments/{container_environment}",
                "template": {
                    "containers": [
                        {
                            "image": f"ghcr.io/mynamespace/mycontainer:latest",
                            "registries": [
                                {
                                    "username": container_registry_username,
                                    "passwordSecretRef": "ghcrpassword",
                                    "server": "ghcr.io"
                                }
                            ],
                            "name": container_app_name,
                            "resources": {
                                "cpu": 0.25,
                                "memory": ".5Gi"
                            }
                        }
                    ],
                    "secrets": [
                        {
                            "name": "ghcrpassword",
                            "value": container_registry_password
                        }
                    ]
                }
            }
        }
    ).result()
    print(response)

    # get the url of the container app
    container_app = client.container_apps.get(
        resource_group_name=container_resource_group,
        container_app_name=container_app_name,
    )
    print(f"Container App '{container_app_name}' is reachable under the following url: {container_app.properties.endpoint}")


if __name__ == "__main__":
    main()
```
The error is always:
```
Creat or update 'myapp1' in Resource Group 'rg-myapp1-production-container-001'.
Traceback (most recent call last):
  File "/Users/xyz/Development/MyAppRun/main.py", line 84, in <module>
    main()
  File "/Users/xyz/Development/MyAppRun/main.py", line 33, in main
    response = client.container_apps.begin_create_or_update(
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/lib/python3.11/site-packages/azure/core/tracing/decorator.py", line 78, in wrapper_use_tracer
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/lib/python3.11/site-packages/azure/mgmt/appcontainers/operations/_container_apps_operations.py", line 860, in begin_create_or_update
    raw_result = self._create_or_update_initial(
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/lib/python3.11/site-packages/azure/mgmt/appcontainers/operations/_container_apps_operations.py", line 721, in _create_or_update_initial
    raise HttpResponseError(response=response, model=error, error_format=ARMErrorFormat)
azure.core.exceptions.HttpResponseError: (InvalidParameterValueInContainerTemplate) The following field(s) are either invalid or missing. Field 'template.containers.myapp1.image' is invalid with details: 'Invalid value: "mynamespace/mycontainer:latest": GET https:: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:mynamespace/mycontainer Type:repository]]';.
Code: InvalidParameterValueInContainerTemplate
Message: The following field(s) are either invalid or missing. Field 'template.containers.myapp1.image' is invalid with details: 'Invalid value: "mynamespace/mycontainer:latest": GET https:: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:mynamespace/mycontainer Type:repository]]';.
```

**Expected behavior**
The authentication against the registry is working.

**Additional context**
We tried various versions of the code above but nothing worked.
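
Added example, not part of the original report and not SDK code: in the Microsoft.App/containerApps resource schema, `registries` and `secrets` are properties of `properties.configuration`, whereas the payload above places them under `template`. The helper `lint_registry_config`, the `_envelope` builder and all sample values are hypothetical; the check flags that placement, any `passwordSecretRef` that names no configured secret, and images whose registry host has no credentials entry.

```python
def lint_registry_config(envelope):
    """Return findings about where registry credentials sit in the envelope."""
    props = envelope.get("properties", {})
    config = props.get("configuration", {})
    template = props.get("template", {})
    containers = template.get("containers", [])
    findings = []

    # Misplaced keys: both belong under properties.configuration.
    if "secrets" in template:
        findings.append("template.secrets: move to configuration.secrets")
    for c in containers:
        if "registries" in c:
            findings.append(f"containers[{c.get('name')}].registries: move to configuration.registries")

    # Every passwordSecretRef must name a secret defined in configuration.secrets.
    secret_names = {s.get("name") for s in config.get("secrets", [])}
    servers = set()
    for r in config.get("registries", []):
        servers.add(r.get("server"))
        ref = r.get("passwordSecretRef")
        if ref and ref not in secret_names:
            findings.append(f"registries[{r.get('server')}]: secret '{ref}' is not defined")

    # An image whose registry host has no credentials entry is pulled anonymously.
    for c in containers:
        host, slash, _ = c.get("image", "").partition("/")
        if slash and ("." in host or ":" in host) and host not in servers:
            findings.append(f"containers[{c.get('name')}].image: no credentials for {host}")
    return findings


def _envelope(misplaced):
    # Constructed sample values; the password is a placeholder, not a real credential.
    registries = [{"server": "ghcr.io", "username": "example-user", "passwordSecretRef": "ghcrpassword"}]
    secrets = [{"name": "ghcrpassword", "value": "PLACEHOLDER"}]
    container = {"name": "myapp1", "image": "ghcr.io/mynamespace/mycontainer:latest"}
    config, template = {}, {"containers": [container]}
    if misplaced:   # layout used in the report above
        container["registries"] = registries
        template["secrets"] = secrets
    else:           # layout the resource schema defines
        config.update(registries=registries, secrets=secrets)
    return {"location": "westeurope", "properties": {"configuration": config, "template": template}}


if __name__ == "__main__":
    for label, env in (("as reported", _envelope(True)), ("corrected", _envelope(False))):
        print(label, lint_registry_config(env) or "no findings")
```

Running the check on the envelope dict before `begin_create_or_update` surfaces a silently ignored credential block locally instead of as an `UNAUTHORIZED` pull error from the service.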
Hi @DominicBoettger, have you tried to follow https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli#service-principal to assign access roles for your service principal that is used for the credential?
Hi @DominicBoettger. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.
Hi @DominicBoettger, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!