Failed to pull image "xx.azurecr.io/xx:latest": rpc error: code = Unknown desc = Error response from daemon: unauthorized: authentication required

failed to pull image unauthorized: authentication required
kubernetes pre pull image
kubernetes image pull policy
kubectl pull image
failed to pull image rpc error: code = unknown desc unexpected eof
helm imagepullsecrets
kubectl list images
kubernetes pull local image

My ACR and AKS are on same Azure Directory with same subscription.

After giving ACR Pull access to my Service Principal, nothing worked and still getting this error.

Error :- Failed to pull image "xx.azurecr.io/xx:latest": rpc error: code = Unknown desc = Error response from daemon: Get https://xx.azurecr.io/v2/xx/manifests/latest: unauthorized: authentication required

screenshot of dashboard

From the error message, it shows you do not authenticate to pull the image in your Azure Container Registry.

For AKS, there are two ways to get permission to pull the image from the Azure Container Registry.

One is that grant the permission to the service principal which AKS cluster used. You can get the details in Grant AKS access to ACR. In this way, you just need only one service principal.

The other one is that grant the permission to a new service principal which differs from the one that AKS used. Then you create a secret with the service principal to pull the image. You can get the details in Access with Kubernetes Secret.

They are two different ways, so you should make sure that there is no mistake in your steps. To check the role assignment for the service principal, the CLI command like this:

az role assignment list --assignee $SP_ID --role acrpull --scope $ACR_ID

The SP_ID dependants on the way which you have used.

kubernetes cannot pull local image, Run eval $(minikube docker-env) before building your image. It will never look for the registry to pull the image and will fail if image is not  1) You have to run eval $(minikube docker-env). 2) Build the image with the Docker daemon of Minikube. docker build -t collection . 3) Set the image in the pod spec like the build tag - collection

We had a different reason for this error: by default, the service principal created with AKS clusters expires after a year. The instructions on https://docs.microsoft.com/en-us/azure/aks/update-credentials show how to update or create a new principal.

Pull an Image from a Private Registry, "Failed to pull image" and "Error: ImagePullBackOff" warning messages continue to show up when trying to deploy API Connect on ICP using  If you failed to pull the image, log on to the image repository again by following these steps: Procedure On the Cluster List page, click Manage at the right of the cluster in which the application is to be deployed.

The service principal the cluster was running as, is not the principal that i thought it was.To check that please follow below steps.

  1. Run the command "az aks show -n aks-cluster-name -g resource-group-name | grep client"

  2. Run the commad "az ad sp credential list --id " -- This command is to check if the secret associated.

  3. Login to azure portal.

  4. Navigate to Azure Container Registry

  5. IAM --> View Role Assignment --> Check if the Client ID is existing in the list with minimum of "AcrPull" access. If not grant access to the SP.

Please check in the YAML that if we seeing the correct authentication or not.

"Failed to pull image" and "Error: ImagePullBackOff" warning , We'll create a pod named fail referencing a non-existent Docker image: 1m 5s 4 kubelet, minikube spec.containers{fail} Warning Failed Failed to pull image  Dismiss Join GitHub today. GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.

Container image not pulled :: Gardener, pulling image "foobartest4" Warning Failed 27s (x4 over 82s) kubelet, gke-​gar-3-pool-1-9781becc-gc8h Failed to pull image "foobartest4":  Bug 1763067 - Failed to pull existing image. Summary: Failed to pull existing image Keywords: Image Registry Sub Component: Version: 4.2.0

Kubernetes Troubleshooting Walkthrough, Hello, I'm using DO's new kubernetes cluster and it seems there's an issue pulling an image form a private repository. I am using GitLab on the  Failed to pull image while deploying heketi pod . Solution Verified - Updated 2020-06-23T13:26:43+00:00 - English . No translations currently exist.

Failed to pull image from private repository on kubernetes cluster , 1) You have to run eval $(minikube docker-env). 2) Build the image with the Docker daemon of Minikube docker build -t collection . 3) Set the  Troubleshooting: Unable to pull a private image As we mentioned above for the invalid image name, a private image that you don’t have access to will return the same error messages. If you did determine your image is private, you have to give the pod a secret that has the proper authentication to allow it to pull the image.

Comments
  • are you sure thats the same service principal you gave access?
  • yes I checked @4c74356b41
  • can you provide proof?
  • that doesnt mean its the SP that's being used by AKS. you can use az aks show -n xxx -g yyy to check AKS SP
  • az aks show --resource-group rg-000 --name demo-cluster --query "servicePrincipalProfile" -o json { "clientId": "0173xxxxxxxxxxxxx" }