Docker fails to pull the image from within Azure App Service

App service started pulling after doing these steps for me. :D

1. Enable Admin Access in Azure Container Registry
2. In the App service configuration, provide container registry admin credentialsDOCKER_REGISTRY_SERVER_PASSWORD(admin enabled password),DOCKER_REGISTRY_SERVER_USERNAME(crxxxxxx),DOCKER_REGISTRY_SERVER_URL (https://crxxxxxx.azurecr.io)
3. Go to your app service and select identity section on the left, and click on system assigned - change status to On.
4. Now go to IAM Control container registry, add ACR pull role to App Service system assigned identity enabled on step 3.
5. Restart your App Service and wait .Changes will take few minutes to reflect so refresh your logs. (10 minutes or more)

Good luck :)

From the message I got of the talk, let me solve your puzzle about the error.

I guess you deploy the image in ACR to the Web App through the Azure portal. When you use the Azure portal to deploy the Web App from the ACR, it only lets you select the ACR and image and tag, but do not let you set the credential. In this way, Azure will set it itself with the admin user and password if you enable the admin user. If you do not enable it, the error you got happens.

And if you want to use the service principal, I recommend you use the other tools, such as Azure CLI. Then you can set the docker registry credential yourself with the command az webapp config container set.

Here is the example and it works fine on my side:

With the Azure CLI, you can follow the steps here.

Update:

Here are the screenshots of the test on my side:

After a lot of research I figured out a way to resolve this without enabling Admin user

1. Create an app registration using Azure Active Directory and store the secret somewhere.
2. Go to the Azure container registry and add role assignment to this newly created app with permissions of AcrPush (which also contains AcrPull).

3. In the App service configuration, replace the variables .

DOCKER_REGISTRY_SERVER_PASSWORD with Client Secret of app registration which was saved in the first stepDOCKER_REGISTRY_SERVER_USERNAME with client Id of App registration

This should solve the Docker Api exception.

It's baffling that this is not mentioned in any Azure Container Registry documentation. Although I think it is mentioned somewhere in AAD documentation indirectly 😐.