我正在尝试使用 terraform 设置 ACI,但正如标题所示,它似乎无法访问 ACR 注册表。
│ Error: creating Container Group (Subscription: "redacted"
│ Resource Group Name: "myresourcegoup"
│ Container Group Name: "mycontainergroup): performing ContainerGroupsCreateOrUpdate: containerinstance.ContainerInstanceClient#ContainerGroupsCreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="InaccessibleImage" Message="The image 'mycompany.azurecr.io/myimage:latest' in container group 'mycontainergroup' is not accessible. Please check the image and registry credential."
这是一个重现它的最小示例:
resource "azurerm_container_group" "generic" {
name = local.aci_name
location = var.location
resource_group_name = "myresourcegroup"
os_type = "Linux"
ip_address_type = "None" # Specifies that no IP is assigned
identity {
type = "UserAssigned"
# real deal has the identity coming from previous steps but fails even like this
identity_ids = ["/subscriptions/redacted/resourceGroups/myresourcegrouo/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myidentity"]
}
container {
name = local.aci_name
image = "mycompany.azurecr.io/myimage:latest"
cpu = "0.5"
memory = "1.5"
}
# No ports block needed since no network access is required
}
我尝试过/检查过的事情包括但不限于:
docker pull
AcrPull
Owner
权限时,它也会失败InaccessibleImage
错误。经典,与此斗争了很长时间,然后几乎立即偶然发现了解决方案。
显然原因是它没有使用给定的身份来向 ACR 进行身份验证,但这样做就成功了:
image_registry_credential {
server = "mycompany.azurecr.io"
user_assigned_identity_id = var.identity_resource_id
}