Azure Container Instance fails to pull ACR images using User-Assigned Managed Identity (Terraform)

Question

Azure Container Instance fails to pull ACR images using User-Assigned Managed Identity (Terraform)

Matheus Gomes 0

I’m trying to create an Azure Container Instance (ACI) container group using Terraform and a User-Assigned Managed Identity (UAMI) for pulling images from a private Azure Container Registry (ACR).

The managed identity was created via Azure CLI and has the AcrPull role assigned. However, container group creation fails with InaccessibleImage.

Environment

Azure Container Instances
Private Azure Container Registry
User-Assigned Managed Identity (created via az identity create)
Terraform azurerm_container_group
No explicit image_registry_credential (expecting MI-based auth)

Managed Identity setup

az identity create \
  --name acr-pull-identity \
  --resource-group identity-rg

az role assignment create \
  --assignee <principal-id> \
  --scope /subscriptions/<sub-id>/resourceGroups/registry-rg/providers/Microsoft.ContainerRegistry/registries/myregistry \
  --role AcrPull

Terraform data source:

data "azurerm_user_assigned_identity" "acr_pull" {
  name                = "acr-pull-identity"
  resource_group_name = "identity-rg"
}
resource "azurerm_container_group" "example" {
  name                = "example-aci"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  os_type             = "Linux"
  container {
    name   = "app"
    image  = "myregistry.azurecr.io/library/nginx:latest"
    cpu    = 0.5
    memory = 0.5
    ports {
      port     = 80
      protocol = "TCP"
    }
  }
  identity {
    type         = "UserAssigned"
    identity_ids = [data.azurerm_user_assigned_identity.acr_pull.id]
  }
}

Error when running terraform apply

Error: creating Container Group:
unexpected status 400 (Bad Request) with error:
'BadRequest':'InaccessibleImage':
The image 'myregistry.azurecr.io/library/nginx:latest'
is not accessible. Please check the image and registry credential.

This occurs for all images pulled from the private ACR.

What I’ve verified

Image exists in ACR

Managed identity has AcrPull role on the registry

Identity ID resolves correctly in Terraform

Images pull successfully when using ACR admin credentials

Fails only when relying on managed identity

Questions

Is AcrPull alone sufficient for ACI + User-Assigned Managed Identity?

Are there known limitations or delays when using pre-existing UAMIs with ACI?

Is image_registry_credential still required even when using managed identity?

0 comments

2 answers

Your answer

Answer 1

Jilakara Hemalatha 11,700 Microsoft External Staff Moderator

Hi Matheus Gomes

Thanks for reaching out Q/A, it looks like you're running into an issue with creating an Azure Container Instance (ACI) that pulls images from a private Azure Container Registry (ACR) using a User-Assigned Managed Identity (UAMI). The "InaccessibleImage" error can be a bit tricky. Here are some things to keep in mind and steps you can take to troubleshoot:

Role Assignment: Ensure that your User-Assigned Managed Identity has the AcrPull role assigned to the correct ACR scope. From your command, it seems you've set this up, but it might be worth double-checking that the role is correctly associated with the right <principal-id> and the ACR resource ID.
Managed Identity Configuration: Make sure that the User-Assigned Managed Identity is correctly attached to the ACI. In your Terraform config, it looks like you are doing this correctly: identity { type = "UserAssigned" identity_ids = [data.azurerm_user_assigned_identity.acr_pull.id]
Private DNS Zone: If your ACR is behind a private endpoint, ensure that your ACI can resolve the DNS for the private endpoint. This might require proper networking setup.
Image Availability: Since you confirmed that the image exists in ACR, double-check the image name and tag you're referencing is correct.
Deploying using the right API version: Ensure you're using an appropriate ACI API version that supports managed identity for authentication (2021-07-01 or later).

For more detailed guidance, please find below documentations.

Hope this helps! Please let me know if you have any queries.

Jilakara Hemalatha 11,700 Reputation points Microsoft External Staff Moderator

2025-12-20T01:03:37.8066667+00:00

Hi Matheus Gomes

Just checking if above provided information was helpful! please let me know if you have any queries.
Matheus Gomes 0 Reputation points

2025-12-22T12:42:08.5633333+00:00

Hi, @Jilakara Hemalatha all the steps seem correct, but I am unsure how to verify step 5 since I'm using Terraform (provider hashicorp/azurerm version 4.11.0).

I would like to point out one more thing. I read in this document that one of the requirements for this to work is having a premium SKU for the Azure Container Registry, but we are currently using the Standard SKU. Does that make sense, or did I misunderstand something?
Jilakara Hemalatha 11,700 Reputation points Microsoft External Staff Moderator

2025-12-22T13:50:29.74+00:00

Regarding the API version check — since you're using Terraform with the azurerm provider (v4.11.0), you don’t need to verify anything manually. Terraform automatically uses an ACI API version that already supports User‑Assigned Managed Identity for ACR image pulls.

Regarding the documentation you mentioned: the Premium ACR requirement applies only when the registry is configured with a Private Endpoint. For managed identity–based image pulls from an ACR using the public endpoint, the Standard SKU is supported and sufficient.
Jilakara Hemalatha 11,700 Reputation points Microsoft External Staff Moderator

2025-12-23T16:36:23.88+00:00

Hi Matheus Gomes

Could you please confirm, if your query was resolved! Please let me know if you have any queries.
Matheus Gomes 0 Reputation points

2025-12-31T15:01:20.24+00:00

Hi, Jilakara! As replied to you in the DM, I've checked all the instructions you provided, but nothing seems to be different from my current state.
Jilakara Hemalatha 11,700 Reputation points Microsoft External Staff Moderator

2025-12-31T22:06:20.9766667+00:00

Hi Matheus Gomes

Checking on this. Could you please provide necessary details asked in private message.

Answer 2

To address your questions regarding the Azure Container Instance (ACI) and User-Assigned Managed Identity (UAMI) setup for pulling images from a private Azure Container Registry (ACR):

Is AcrPull alone sufficient for ACI + User-Assigned Managed Identity?
Yes, the AcrPull role is necessary for the managed identity to pull images from the ACR. However, ensure that the managed identity is correctly assigned to the ACR and that there are no additional network restrictions that might prevent access.
Are there known limitations or delays when using pre-existing UAMIs with ACI?
There are limitations with Windows containers, which do not support system-assigned managed identity-authenticated image pulls with ACR; only user-assigned identities are supported. Additionally, ensure that the managed identity is properly configured and that the ACI is using the correct API version.
Is image_registry_credential still required even when using managed identity?
When using a managed identity, you typically do not need to specify image_registry_credential. The managed identity should handle authentication automatically, provided it has the correct permissions and is configured properly.

If you continue to face issues, verify that the managed identity is assigned correctly and that there are no firewall rules or private endpoint configurations that might be blocking access to the ACR.

References:

Share via

Azure Container Instance fails to pull ACR images using User-Assigned Managed Identity (Terraform)

Environment

Managed Identity setup

What I’ve verified

Questions

2 answers

Your answer