Failed to pull image “xx.azurecr.io/xx:latest”: rpc error: code = Unknown desc = Error response from daemon: unauthorized: authentication required

Submitted by 元气小坏坏 on 2019-12-08 09:14:37

Question


My ACR and AKS are on same Azure Directory with same subscription.

After giving ACR Pull access to my Service Principal, nothing worked and I am still getting this error.

Error :- Failed to pull image "xx.azurecr.io/xx:latest": rpc error: code = Unknown desc = Error response from daemon: Get https://xx.azurecr.io/v2/xx/manifests/latest: unauthorized: authentication required

screenshot of dashboard


Answer 1:


The error message shows that you are not authenticated to pull the image from your Azure Container Registry.

For AKS, there are two ways to get permission to pull the image from the Azure Container Registry.

One is to grant the permission to the service principal that the AKS cluster uses. You can get the details in Grant AKS access to ACR. In this way, you need only one service principal.

The other is to grant the permission to a new service principal that differs from the one AKS uses. Then you create a secret with that service principal to pull the image. You can get the details in Access with Kubernetes Secret.

They are two different ways, so you should make sure that there is no mistake in your steps. To check the role assignment for the service principal, use a CLI command like this:

az role assignment list --assignee $SP_ID --role acrpull --scope $ACR_ID

The SP_ID depends on which way you have used.




Answer 2:


The service principal the cluster was running as is not the principal that I thought it was. To check that, please follow the steps below.

  1. Run the command "az aks show -n aks-cluster-name -g resource-group-name | grep client"

  2. Run the command "az ad sp credential list --id " -- This command is to check whether the secret is associated.

  3. Log in to the Azure portal.

  4. Navigate to Azure Container Registry

  5. IAM --> View Role Assignment --> Check whether the Client ID exists in the list with a minimum of "AcrPull" access. If not, grant access to the SP.

Please check in the YAML whether we are seeing the correct authentication or not.




Answer 3:


We had a different reason for this error: by default, the service principal created with AKS clusters expires after a year. The instructions on https://docs.microsoft.com/en-us/azure/aks/update-credentials show how to update or create a new principal.
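
The checks from the three answers (which service principal the cluster runs as, whether it holds acrpull on the registry, and whether its credential has expired) combined into one script, as an added example that is not part of the original posts. The cluster, resource group and registry names are placeholders passed as arguments; using `az acr show` to obtain the registry ID and the `endDateTime`/`endDate` field names are assumptions beyond what the answers show.

```bash
#!/usr/bin/env bash
# Added example: one pass over the three causes named in the answers.
# Arguments (cluster, resource group, registry) are caller-supplied placeholders.

# Print the newest credential end date for a service principal.
# Assumption: the field is endDateTime on current CLI versions, endDate on older ones.
sp_latest_expiry() {
  az ad sp credential list --id "$1" \
    --query "[].endDateTime || [].endDate" -o tsv | sort | tail -n 1
}

# Returns 0 if the pull should be authorized, 1 if the acrpull role assignment
# is missing, 2 if no unexpired credential exists, 3 if a lookup failed.
check_acr_pull() {
  local cluster="$1" rg="$2" registry="$3" sp_id acr_id count expiry now
  sp_id=$(az aks show -n "$cluster" -g "$rg" \
    --query servicePrincipalProfile.clientId -o tsv) || return 3
  acr_id=$(az acr show -n "$registry" --query id -o tsv) || return 3
  [ -n "$sp_id" ] && [ -n "$acr_id" ] || return 3
  echo "cluster runs as service principal: $sp_id"

  # Same check as in Answer 1, reduced to a count of matching assignments.
  count=$(az role assignment list --assignee "$sp_id" --role acrpull \
    --scope "$acr_id" --query "length(@)" -o tsv) || return 3
  if [ "${count:-0}" -eq 0 ]; then
    echo "no acrpull role assignment on $acr_id"
    return 1
  fi

  expiry=$(sp_latest_expiry "$sp_id")
  now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  # ISO 8601 timestamps in UTC order correctly as plain strings.
  if [ -z "$expiry" ] || [ "$expiry" \< "$now" ]; then
    echo "credential expired or missing (latest: ${expiry:-none})"
    return 2
  fi
  echo "acrpull assigned, credential valid until $expiry"
  return 0
}
```

A role assignment inherited from the resource group or subscription is not listed at the registry scope unless `--include-inherited` is added to the `az role assignment list` call.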



Source: https://stackoverflow.com/questions/55574059/failed-to-pull-image-xx-azurecr-io-xxlatest-rpc-error-code-unknown-desc
