Priyanka

Reputation: 83

Failed to pull image "xx.azurecr.io/xx:latest": rpc error: code = Unknown desc = Error response from daemon: unauthorized: authentication required

My ACR and AKS are in the same Azure Directory with the same subscription.

After giving ACR Pull access to my Service Principal, nothing worked and I am still getting this error.

Error :- Failed to pull image "xx.azurecr.io/xx:latest": rpc error: code = Unknown desc = Error response from daemon: Get https://xx.azurecr.io/v2/xx/manifests/latest: unauthorized: authentication required


Upvotes: 4

Views: 8721

Answers (3)

Paul F

Reputation: 69

We had a different reason for this error: by default, the service principal created with AKS clusters expires after a year. The instructions on https://learn.microsoft.com/en-us/azure/aks/update-credentials show how to update or create a new principal.

Upvotes: 1

Divyanshu mehta

Reputation: 319

The service principal the cluster was running as is not the principal that I thought it was. To check that, please follow the steps below.

  1. Run the command "az aks show -n aks-cluster-name -g resource-group-name | grep client"

  2. Run the command "az ad sp credential list --id " -- This command is to check if the secret is associated.

  3. Log in to the Azure portal.

  4. Navigate to Azure Container Registry

  5. IAM --> View Role Assignment --> Check if the Client ID exists in the list with a minimum of "AcrPull" access. If not, grant access to the SP.

Please check in the YAML whether we are seeing the correct authentication or not.

Upvotes: 0

Charles Xu

Reputation: 31454

From the error message, it shows you are not authenticated to pull the image in your Azure Container Registry.

For AKS, there are two ways to get permission to pull the image from the Azure Container Registry.

One is to grant the permission to the service principal which the AKS cluster used. You can get the details in Grant AKS access to ACR. In this way, you need only one service principal.

The other one is to grant the permission to a new service principal which differs from the one that AKS used. Then you create a secret with the service principal to pull the image. You can get the details in Access with Kubernetes Secret.

They are two different ways, so you should make sure that there is no mistake in your steps. To check the role assignment for the service principal, use a CLI command like this:

az role assignment list --assignee $SP_ID --role acrpull --scope $ACR_ID

The SP_ID depends on which way you have used.

Upvotes: 3
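The checks from the three answers above (which identity the cluster pulls as, whether it holds a pull role on the registry, and whether its secret has expired), combined into one added example that is not code from any of the answers. It goes slightly further by handling managed-identity clusters and role assignments inherited from a parent scope. Assumptions: the JSON field names are those the `az` CLI emits (`servicePrincipalProfile.clientId`, `identityProfile.kubeletidentity.clientId`, `roleDefinitionName`, `scope`, `endDateTime`), the `PULL_ROLES` set is this example's choice, and all sample IDs and dates are constructed.

```python
from datetime import datetime, timezone

# Assumption: built-in roles treated as allowing image pull from a registry.
PULL_ROLES = {"acrpull", "acrpush", "contributor", "owner"}

def pull_identity(aks_show):
    """Client ID the nodes pull as, taken from `az aks show` JSON."""
    cid = aks_show["servicePrincipalProfile"]["clientId"]
    if cid.lower() == "msi":  # managed-identity cluster: the kubelet identity pulls
        return aks_show["identityProfile"]["kubeletidentity"]["clientId"], True
    return cid, False

def covers(scope, resource_id):
    """True if an assignment at `scope` applies to `resource_id` (IDs are case-insensitive)."""
    scope, rid = scope.rstrip("/").lower(), resource_id.lower()
    return rid == scope or rid.startswith(scope + "/")

def expiry(cred):
    # Assumption: `endDateTime` (newer CLI) or `endDate` (older CLI), always UTC.
    stamp = cred.get("endDateTime") or cred["endDate"]
    return datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def diagnose(aks_show, assignments, credentials, acr_id, now):
    """Return a list of problem codes; an empty list means the pull identity looks sound.

    assignments: JSON of `az role assignment list --assignee <client id> --all`
    credentials: JSON of `az ad sp credential list --id <client id>`
    """
    _, managed = pull_identity(aks_show)
    problems = []
    if not any(a["roleDefinitionName"].lower() in PULL_ROLES and covers(a["scope"], acr_id)
               for a in assignments):
        problems.append("no-pull-role-on-registry")
    if not managed and not any(expiry(c) > now for c in credentials):
        problems.append("no-unexpired-secret")
    return problems

# Constructed sample data (placeholder IDs, not from the original post).
ACR_ID = "/subscriptions/0000/resourceGroups/rg-a/providers/Microsoft.ContainerRegistry/registries/xx"
AKS = {"servicePrincipalProfile": {"clientId": "11111111-aaaa-bbbb-cccc-222222222222"}}
ASSIGNMENTS = [  # AcrPull on a different registry, Reader on the right resource group
    {"roleDefinitionName": "AcrPull", "scope": ACR_ID.replace("/xx", "/other")},
    {"roleDefinitionName": "Reader", "scope": "/subscriptions/0000/resourceGroups/rg-a"},
]
CREDS = [{"keyId": "k1", "endDateTime": "2023-01-15T08:30:00Z"}]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(pull_identity(AKS)[0], diagnose(AKS, ASSIGNMENTS, CREDS, ACR_ID, NOW))
```

Listing assignments with `--all` instead of `--scope $ACR_ID` is what lets the scope check see a role granted at the resource group or subscription level.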
