az container create from ACR in subnet to ACI in another subnet fails with InaccessibleImage error

[stan-spotts]

Describe the bug

I'm trying to use GitHub Actions to build a container, push it to an Azure Container Registry, then create an Azure Container Instance from it. Creating the image in the ACR works just fine. But when I try to use azure container create, using the exact same registry credentials, I get the error that the container group is not accessible and "Please check the image and registry credential."

If I run the command from my laptop and the image exists I get the same error and reporting that here. Hoping, however, that someone also has a clue why it fails in GitHub Actions.

Related command

az container create -g $resGroup --name $appName --image "$acrName/$appName:6b708baf66bd1bfcf2442954aea84778df4181e1' --registry-login-server $acrName --registry-username $reg_username --registry-password $reg_password --ip-address Private --vnet $vnet --subnet $subnet --ports 443 --location eastus

Errors

cli.azure.cli.core.azclierror: (InaccessibleImage) The image 'cgfnscr.azurecr.io/integration-api:6b708baf66bd1bfcf2442954aea84778df4181e1' in container group 'integration-api' is not accessible. Please check the image and registry credential. Code: InaccessibleImage Message: The image 'cgfnscr.azurecr.io/integration-api:6b708baf66bd1bfcf2442954aea84778df4181e1' in container group 'integration-api' is not accessible. Please check the image and registry credential. az_command_data_logger: (InaccessibleImage) The image 'cgfnscr.azurecr.io/integration-api:6b708baf66bd1bfcf2442954aea84778df4181e1' in container group 'integration-api' is not accessible. Please check the image and registry credential. Code: InaccessibleImage Message: The image 'cgfnscr.azurecr.io/integration-api:6b708baf66bd1bfcf2442954aea84778df4181e1' in container group 'integration-api' is not accessible. Please check the image and registry credential.

Issue script & Debug output

az container create -g $resGroup --name $appName --image "$acrName/$appName:6b708baf66bd1bfcf2442954aea84778df4181e1' --registry-login-server $acrName --registry-username $reg_username --registry-password $reg_password --ip-address Private --vnet $vnet --subnet $subnet --ports 443 --location eastus

cli.knack.cli: Command arguments: ['container', 'create', '-g', 'ContainerRegistryRg', '--name', 'integration-api', '--image', 'cgfnscr.azurecr.io/integration-api:6b708baf66bd1bfcf2442954aea84778df4181e1', '--registry-login-server', 'cgfnscr.azurecr.io', '--registry-username', 'cgfnscr', '--registry-password', '+9EQN7xWK0Cm1aYfOYb/V+4GhJkcttnanqnc1XYj7O+ACRCmecCc', '--ip-address', 'Private', '--vnet', 'dev-container-vnet', '--subnet', 'intapi', '--ports', '443', '--location', 'eastus', '--verbose', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x00000229D05BB880>, <function OutputProducer.on_global_arguments at 0x00000229D0746020>, <function CLIQuery.on_global_arguments at 0x00000229D0773BA0>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'container': ['azure.cli.command_modules.container']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name                  Load Time    Groups  Commands
cli.azure.cli.core: container                 0.100         1        11
cli.azure.cli.core: Total (1)                 0.100         1        11
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name                  Load Time    Groups  Commands  Directory
cli.azure.cli.core: Total (0)                 0.000         0         0
cli.azure.cli.core: Loaded 1 groups, 11 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command  : container create
cli.azure.cli.core: Command table: container create
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x00000229D1EEEE80>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\stanadm\.azure\commands\2024-05-03.10-41-42.container_create.32052.log'.
az_command_data_logger: command args: container create -g {} --name {} --image {} --registry-login-server {} --registry-username {} --registry-password {} --ip-address {} --vnet {} --subnet {} --ports {} --location {} --verbose --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x00000229D1F393A0>]
cli.knack.commands: Configured default 'ContainerRegistryRg' for arg resource_group_name
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x00000229D1F39440>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x00000229D1F39580>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x00000229D07460C0>, <function CLIQuery.handle_query_parameter at 0x00000229D0773C40>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x00000229D1F394E0>]
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=ContainerInstanceManagementClient
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\\Users\\stanadm\\.azure\\msal_token_cache.bin', encrypt=True
cli.azure.cli.core.auth.binary_cache: load: C:\Users\stanadm\.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/kerberos', 'tenant_region_scope': 'NA', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? None
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/kerberos', 'tenant_region_scope': 'NA', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? None
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://management.core.windows.net//.default',), claims=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 33b24e83-4915-452e-899a-9ccc1a2e60d9
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/ContainerRegistryRg/providers/Microsoft.Network/virtualNetworks/dev-container-vnet/subnets/intapi?api-version=2022-01-01'
cli.azure.cli.core.sdk.policies: Request method: 'GET'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies:     'Accept': 'application/json'
cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': '42177c36-095b-11ef-a91e-286b357b0b7d'
cli.azure.cli.core.sdk.policies:     'CommandName': 'container create'
cli.azure.cli.core.sdk.policies:     'ParameterSetName': '-g --name --image --registry-login-server --registry-username --registry-password --ip-address --vnet --subnet --ports --location --verbose --debug'
cli.azure.cli.core.sdk.policies:     'User-Agent': 'AZURECLI/2.59.0 (MSI) azsdk-python-core/1.28.0 Python/3.11.8 (Windows-10-10.0.19045-SP0)'
cli.azure.cli.core.sdk.policies:     'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: This request has no body
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "GET /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/ContainerRegistryRg/providers/Microsoft.Network/virtualNetworks/dev-container-vnet/subnets/intapi?api-version=2022-01-01 HTTP/1.1" 200 2041
cli.azure.cli.core.sdk.policies: Response status: 200
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Content-Length': '2041'
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies:     'Expires': '-1'
cli.azure.cli.core.sdk.policies:     'ETag': 'W/"8f935538-fe97-41c4-ae1c-0db816e8b577"'
cli.azure.cli.core.sdk.policies:     'x-ms-request-id': '332b6b64-a90b-4ba9-b9ed-dbdd9611ba84'
cli.azure.cli.core.sdk.policies:     'x-ms-correlation-request-id': '26d445f8-ea2d-4df5-ad99-7e25de62739d'
cli.azure.cli.core.sdk.policies:     'x-ms-arm-service-request-id': 'dff5de73-fbeb-4f64-838c-ea897037e864'
cli.azure.cli.core.sdk.policies:     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies:     'x-ms-ratelimit-remaining-subscription-reads': '11999'
cli.azure.cli.core.sdk.policies:     'x-ms-routing-request-id': 'EASTUS:20240503T144143Z:26d445f8-ea2d-4df5-ad99-7e25de62739d'
cli.azure.cli.core.sdk.policies:     'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies:     'X-Cache': 'CONFIG_NOCACHE'
cli.azure.cli.core.sdk.policies:     'X-MSEdge-Ref': 'Ref A: 60E1B0CE7A3F4DD88CC06C56476E1A94 Ref B: MNZ221060608045 Ref C: 2024-05-03T14:41:43Z'
cli.azure.cli.core.sdk.policies:     'Date': 'Fri, 03 May 2024 14:41:42 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {
  "name": "intapi",
  "id": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/ContainerRegistryRg/providers/Microsoft.Network/virtualNetworks/dev-container-vnet/subnets/intapi",
  "etag": "W/\"8f935538-fe97-41c4-ae1c-0db816e8b577\"",
  "properties": {
    "provisioningState": "Succeeded",
    "addressPrefix": "10.5.0.64/29",
    "serviceAssociationLinks": [
      {
        "name": "acisal",
        "id": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/ContainerRegistryRg/providers/Microsoft.Network/virtualNetworks/dev-container-vnet/subnets/intapi/serviceAssociationLinks/acisal",
        "etag": "W/\"8f935538-fe97-41c4-ae1c-0db816e8b577\"",
        "type": "Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks",
        "properties": {
          "provisioningState": "Succeeded",
          "linkedResourceType": "Microsoft.ContainerInstance/containerGroups",
          "enabledForArmDeployments": false,
          "allowDelete": true,
          "locations": [
            "eastus"
          ]
        }
      }
    ],
    "serviceEndpoints": [],
    "delegations": [
      {
        "name": "Microsoft.ContainerInstance/containerGroups",
        "id": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/ContainerRegistryRg/providers/Microsoft.Network/virtualNetworks/dev-container-vnet/subnets/intapi/delegations/Microsoft.ContainerInstance/containerGroups",
        "etag": "W/\"8f935538-fe97-41c4-ae1c-0db816e8b577\"",
        "properties": {
          "provisioningState": "Succeeded",
          "serviceName": "Microsoft.ContainerInstance/containerGroups",
          "actions": [
            "Microsoft.Network/virtualNetworks/subnets/action"
          ]
        },
        "type": "Microsoft.Network/virtualNetworks/subnets/delegations"
      }
    ],
    "privateEndpointNetworkPolicies": "Disabled",
    "privateLinkServiceNetworkPolicies": "Enabled"
  },
  "type": "Microsoft.Network/virtualNetworks/subnets"
}
cli.azure.cli.command_modules.container.custom: Using existing subnet "intapi" in resource group "ContainerRegistryRg"
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=ContainerInstanceManagementClient
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/kerberos', 'tenant_region_scope': 'NA', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? None
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://management.core.windows.net//.default',), claims=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 9bceb2cb-83b7-432f-bd9e-1f3187fa328e
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/ContainerRegistryRg/providers/Microsoft.ContainerInstance/containerGroups/integration-api?api-version=2023-05-01'
cli.azure.cli.core.sdk.policies: Request method: 'PUT'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies:     'Content-Length': '824'
cli.azure.cli.core.sdk.policies:     'Accept': 'application/json'
cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': '42177c36-095b-11ef-a91e-286b357b0b7d'
cli.azure.cli.core.sdk.policies:     'CommandName': 'container create'
cli.azure.cli.core.sdk.policies:     'ParameterSetName': '-g --name --image --registry-login-server --registry-username --registry-password --ip-address --vnet --subnet --ports --location --verbose --debug'
cli.azure.cli.core.sdk.policies:     'User-Agent': 'AZURECLI/2.59.0 (MSI) azsdk-python-core/1.28.0 Python/3.11.8 (Windows-10-10.0.19045-SP0)'
cli.azure.cli.core.sdk.policies:     'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: {"properties": {"containers": [{"name": "integration-api", "properties": {"image": "cgfnscr.azurecr.io/integration-api:6b708baf66bd1bfcf2442954aea84778df4181e1", "ports": [{"protocol": "TCP", "port": 443}], "resources": {"requests": {"memoryInGB": 1.5, "cpu": 1.0}}}}], "imageRegistryCredentials": [{"server": "cgfnscr.azurecr.io", "username": "cgfnscr", "password": "+9EQN7xWK0Cm1aYfOYb/V+4GhJkcttnanqnc1XYj7O+ACRCmecCc"}], "restartPolicy": "Always", "ipAddress": {"ports": [{"protocol": "TCP", "port": 443}], "type": "Private", "autoGeneratedDomainNameLabelScope": "Unsecure"}, "osType": "Linux", "subnetIds": [{"id": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/ContainerRegistryRg/providers/Microsoft.Network/virtualNetworks/dev-container-vnet/subnets/intapi"}]}, "location": "eastus", "tags": {}}
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/ContainerRegistryRg/providers/Microsoft.ContainerInstance/containerGroups/integration-api?api-version=2023-05-01 HTTP/1.1" 400 242
cli.azure.cli.core.sdk.policies: Response status: 400
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Content-Length': '242'
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies:     'Expires': '-1'
cli.azure.cli.core.sdk.policies:     'x-ms-ratelimit-remaining-subscription-resource-requests-pt5m': '99'
cli.azure.cli.core.sdk.policies:     'x-ms-ratelimit-remaining-subscription-resource-requests-pt1h': '298'
cli.azure.cli.core.sdk.policies:     'x-ms-request-id': 'eastus:2c34561b-d7d7-4b32-914d-2cd97eb9f8c4'
cli.azure.cli.core.sdk.policies:     'x-ms-ratelimit-remaining-subscription-writes': '1199'
cli.azure.cli.core.sdk.policies:     'x-ms-correlation-request-id': '4014e421-7fa4-4cb6-9583-2be6018d3d8b'
cli.azure.cli.core.sdk.policies:     'x-ms-routing-request-id': 'EASTUS2:20240503T144144Z:4014e421-7fa4-4cb6-9583-2be6018d3d8b'
cli.azure.cli.core.sdk.policies:     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies:     'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies:     'X-Cache': 'CONFIG_NOCACHE'
cli.azure.cli.core.sdk.policies:     'X-MSEdge-Ref': 'Ref A: 71CAD3AE592E4DFDA9159BA0CEDEAE82 Ref B: MNZ221060619051 Ref C: 2024-05-03T14:41:43Z'
cli.azure.cli.core.sdk.policies:     'Date': 'Fri, 03 May 2024 14:41:43 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"error":{"code":"InaccessibleImage","message":"The image 'cgfnscr.azurecr.io/integration-api:6b708baf66bd1bfcf2442954aea84778df4181e1' in container group 'integration-api' is not accessible. Please check the image and registry credential."}}
cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 664, in execute
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 731, in _run_jobs_serially
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 701, in _run_job
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 334, in __call__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/container/custom.py", line 269, in create_container
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/util.py", line 710, in sdk_no_wait
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/tracing/decorator.py", line 76, in wrapper_use_tracer
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/mgmt/containerinstance/operations/_container_groups_operations.py", line 798, in begin_create_or_update
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/mgmt/containerinstance/operations/_container_groups_operations.py", line 660, in _create_or_update_initial
azure.core.exceptions.HttpResponseError: (InaccessibleImage) The image 'cgfnscr.azurecr.io/integration-api:6b708baf66bd1bfcf2442954aea84778df4181e1' in container group 'integration-api' is not accessible. Please check the image and registry credential.
Code: InaccessibleImage
Message: The image 'cgfnscr.azurecr.io/integration-api:6b708baf66bd1bfcf2442954aea84778df4181e1' in container group 'integration-api' is not accessible. Please check the image and registry credential.

cli.azure.cli.core.azclierror: (InaccessibleImage) The image 'cgfnscr.azurecr.io/integration-api:6b708baf66bd1bfcf2442954aea84778df4181e1' in container group 'integration-api' is not accessible. Please check the image and registry credential.
Code: InaccessibleImage
Message: The image 'cgfnscr.azurecr.io/integration-api:6b708baf66bd1bfcf2442954aea84778df4181e1' in container group 'integration-api' is not accessible. Please check the image and registry credential.
az_command_data_logger: (InaccessibleImage) The image 'cgfnscr.azurecr.io/integration-api:6b708baf66bd1bfcf2442954aea84778df4181e1' in container group 'integration-api' is not accessible. Please check the image and registry credential.
Code: InaccessibleImage
Message: The image 'cgfnscr.azurecr.io/integration-api:6b708baf66bd1bfcf2442954aea84778df4181e1' in container group 'integration-api' is not accessible. Please check the image and registry credential.
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x00000229D1EEF100>]
az_command_data_logger: exit code: 1
cli.__main__: Command ran in 1.826 seconds (init: 0.246, invoke: 1.580)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 4239 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry\__init__.pyc C:\Users\stanadm\.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.

Expected behavior

I expected the container instance would be created

Environment Summary

azure-cli                         2.59.0 *

core                              2.59.0 *
telemetry                          1.1.0

Extensions:
ssh                                2.0.2

Dependencies:
msal                              1.27.0
azure-mgmt-resource             23.1.0b2

Additional context

The ACR is in a subnet (10.5.0.0/27) which has a private endpoint configured. The ACI is to be deployed to another subnet (10.5.0.64/29) which doesn't yet have a private endpoint (it will, and the API's will be exposed via APIM) and is delegated to Microsoft.ContainerInstance/containerGroups.

FWIW. the github workflow yaml is this, and the first part does indeed deploy to the container and as you can see uses the same credentials as specified in the az container create call. Using az call directly as the github action is woefully outdated and not being actively worked on, doesn't support vnet, subnet, etc.

name: Build and deploy Integration API code to ACR->ACI
on: 
    workflow_dispatch:
    #[push]

env:
  location: eastus
  image_name: integration-api
  vnet: dev-container-vnet
  subnet: intapi

  # if we need storage for container, add name of storage account in variable
  # storage_account_name: devcs1234567

permissions:
  id-token: write
  contents: read

jobs:
    build:
        name: 'Build Container and push to Container Registry'
        runs-on: LinuxRunner

        steps:

        # checkout the repo
        - name: 'Checkout GitHub Repo'
          uses: actions/checkout@main

        - name: 'Login via Azure CLI'
          uses: azure/login@v2
          with:
            creds: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'

        - name: 'Build and push image'
          uses: docker/login-action@v3
          with:
            registry: ${{ secrets.REGISTRY_LOGIN_SERVER }}
            username: ${{ secrets.REGISTRY_USERNAME }}
            password: ${{ secrets.REGISTRY_PASSWORD }}

        - run: |
            docker build . -t ${{ secrets.REGISTRY_LOGIN_SERVER }}/${{ env.image_name }}:${{ github.sha }}
            docker push ${{ secrets.REGISTRY_LOGIN_SERVER }}/${{ env.image_name }}:${{ github.sha }}

    deploy:
        name: 'Deploy to Azure Container Instances'
        runs-on: LinuxRunner
        needs: build
        steps:
           #     # log into Azure
           - name: "Login via Azure CLI"
             uses: azure/login@v2
             with:
               creds: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'

           # Attempt at using Azure CLI command to deploy to ACI       
           - name: 'Create Application API in ACI'           
             run: |
               az container create -g ${{ secrets.RESOURCE_GROUP }} \
                 --name ${{ env.image_name }} --image ${{ secrets.REGISTRY_LOGIN_SERVER }}/${{ env.image_name }}:${{ github.sha }} \
                 --registry-login-server ${{ secrets.REGISTRY_LOGIN_SERVER }} \
                 --registry-username ${{ secrets.REGISTRY_USERNAME }} \
                 --registry-password ${{ secrets.REGISTRY_PASSWORD }} \
                 --location ${{ env.location }} \
                 --ports 443 \
                 --ip-address Private \
                 --vnet ${{ env.vnet }} \
                 --subnet ${{ env.subnet }} \
                 --verbose

[azure-client-tools-bot-prd[bot]]

Hi @stan-spotts,

2.59.0 is not the latest Azure CLI(2.60.0).

If you haven't already attempted to do so, please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

[azure-client-tools-bot-prd[bot]]

Hi @stan-spotts Find similar issue https://github.com/Azure/azure-cli/issues/18596.
Issue title	Azure Pipeline issue with AzureCLI Task failing when accessing Container Group
Create time	2021-06-22
Comment number	3

---

Please confirm if this resolves your issue.

[yonzhan]

Thank you for opening this issue, we will look into it.

[stan-spotts]

Hi @stan-spotts,

2.59.0 is not the latest Azure CLI(2.60.0).

If you haven't already attempted to do so, please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

Same error with 2.60.0

azure-cli                         2.60.0

core                              2.60.0
telemetry                          1.1.0

Extensions:
ssh                                2.0.3

Dependencies:
msal                              1.28.0
azure-mgmt-resource             23.1.0b2

Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\stanadm\.azure\cliextensions'

Python (Windows) 3.11.8 (tags/v3.11.8:db85d51, Feb  6 2024, 22:03:32) [MSC v.1937 64 bit (AMD64)]

Legal docs and information: aka.ms/AzureCliLegal

[Subham0793]

@stan-spotts is your issue resolved? i am also getting the same error when i am trying to create azure container instances using yaml file , Please check the image and registry credential

[stan-spotts]

@Subham0793 No, it never worked. I gave up on it. The image worked fine to push to an Azure App Service in a GitHub Action, btw, using same credentials for ACR access.