Starting a container instance from Python SDK - problems with permissions

Question

I am trying to run a docker container on Azure from my container registry. With the CLI, it works beautifully through:

az login
az container create -g RESOURCE-GROUP --name INSTANCE-GROUP --image workers.azurecr.io/MY-IMAGE:latest --registry-username USERNAME --registry-password PSWD

However, I just can't seem to get it working in python (code below). I get the following error:

Code: InaccessibleImage
Message: The image 'MY-ACR.azurecr.io/MY-IMAGE:latest' in container group 'INSTANCE-GROUP' is not accessible. Please check the image and registry credential.

I have created an application in Azure, and set the corresponding AZURE_CLIENT_ID, AZURE_TENANT_ID, and AZURE_CLIENT_SECRET as environmental variables. The app has both Contributor and AcrPull roles in the correct resource group. Does anyone know why I can't seem to get access?

Python code:

from azure.identity import DefaultAzureCredential
from azure.mgmt.containerinstance import ContainerInstanceManagementClient
from azure.mgmt.containerinstance.models import (
    ContainerGroup,
    Container,
    EnvironmentVariable,
    ResourceRequests,
    ResourceRequirements,
)

# Replace these values with your own
subscription_id = "..."
resource_group_name = "..."
aci_name = "..."
acr_name = "..."
acr_username = "..."
acr_password = "..."
image = MY-ACR.azurecr.io/MY-IMAGE:latest"
cpu_cores = 1.0
memory_in_gb = 1.5
location = "North Europe"

# Create the credential object
credential = DefaultAzureCredential()

# Create the ACI management client
client = ContainerInstanceManagementClient(credential, subscription_id)


# Create the container group definition
env_vars = [
    EnvironmentVariable(name="KEY", value="VAL"),
]

# set memory and cpu
container_resource_requests = ResourceRequests(memory_in_gb=memory_in_gb, cpu=cpu_cores)
container_resource_requirements = ResourceRequirements(
    requests=container_resource_requests
)

container = Container(
    name=aci_name,
    image=image,
    resources=container_resource_requirements,
    environment_variables=env_vars,
)

# Create the container group
container_group = ContainerGroup(
    location=location,
    containers=[container],
    os_type="Linux",
    restart_policy="Always",
)

client.container_groups.begin_create_or_update(
    resource_group_name, aci_name, container_group
)

score 1 · Accepted Answer · answered Mar 06 '23 at 07:31

I tried in my environment and got below results:

Initially, I tried with the same code mentioned in the query and got the same error:

enter image description here

The above error indicates that the container instance is unable to access the specified image in the Azure Container Registry (ACR) because it is either not available or the credentials used to access the registry are incorrect.

In same code, I added imageregistrycredentials to authenticate with image. After adding it created container group and executed successfully.

Code:

from azure.identity import DefaultAzureCredential
from azure.mgmt.containerinstance import ContainerInstanceManagementClient
from azure.mgmt.containerinstance.models import (ContainerGroup,
                                                 Container,
                                                 ContainerGroupNetworkProtocol,
                                                 ImageRegistryCredential,
                                                 ContainerPort,
                                                 IpAddress,
                                                 Port,
                                                 ResourceRequests,
                                                 ResourceRequirements)
subscription_id="<Your subscription id>"
resource_group_name = "your resource grp name"
container_group_name="your_conatiner_group_name"
location="location"
credential=DefaultAzureCredential()
container_client = ContainerInstanceManagementClient(credential,subscription_id)
container_image_name = "your image name"
user_name = "username"
password= "password"
    # Configure the container
container_resource_requests = ResourceRequests(memory_in_gb=1, cpu=1.0)
container_resource_requirements = ResourceRequirements(requests=container_resource_requests)
container = Container(name=container_group_name,image=container_image_name,resources=container_resource_requirements,ports=[ContainerPort(port=80)])

imagecredentials= ImageRegistryCredential(server="registry.azurecr.io",username=user_name,password=password)
container_group= ContainerGroup(location=location,containers=[container], os_type="linux",restart_policy="Always",image_registry_credentials=[imagecredentials])
    # Create the container group
container_client.container_groups.begin_create_or_update(resource_group_name,container_group_name,container_group)
print("Container Group is created")

Output:

enter image description here

Portal:

enter image description here

Reference:

How to create new container group in azure vnet using python - Stack Overflow by Ansuman Bal.

Starting a container instance from Python SDK - problems with permissions

1 Answers1