az create container requires credentials for ACR image with anonymous pull access

[MaxHorstmann]

Describe the bug

Azure Container Registry (ACR) supports anonymous pull access, but az create container always requires credentials when azurecr.io is detected in the image URL.

This makes it unnecessarily difficult to create a container group using a container image hosted in ACR with anonymous pull access enabled.

Related command

Here's my ACR with anonymous pull access enabled...

$ az acr show -n myacrwithanonymouspullaccess | grep anonymous
  "anonymousPullEnabled": true,

... so, no credentials are required to pull an image from it. Look, I can do it from my local machine without logging in...

$ docker pull myacrwithanonymouspullaccess.azurecr.io/myimage:latest
latest: Pulling from myimage
Digest: sha256:d063655c..81
Status: Image is up to date for myacrwithanonymouspullaccess.azurecr.io/myimage:latest

... so I should be able to create a container group without providing any credentials. But az container create detects azurecr.io in the image URL (right here) and prompts for registry username and password:

$ az container create -g myrg --name aci-test --image myacrwithanonymouspullaccess.azurecr.io/myimage:latest 
  --cpu 1 --memory 1                                             
Image registry username: 

Looks like as a workaround, it's possible to just provide random invalid credentials:

$ az container create -g myrg --name aci-test --image myacrwithanonymouspullaccess.azurecr.io/myimage:latest 
  --cpu 1 --memory 1  --registry-password "foo" --registry-username "foo"                                           

Errors

n/a there's no error message, the error is that the command shouldn't prompt for credentials

Issue script & Debug output

n/a

Expected behavior

The error is that az container create prompts for credentials in the above scenario when it shouldn't, because the image might be hosted in ACR with anonymous pull access enabled.

Environment Summary

{
  "azure-cli": "2.67.0",
  "azure-cli-core": "2.67.0",
  "azure-cli-telemetry": "1.1.0",
  "extensions": {
    "account": "0.2.5",
    "containerapp": "1.1.0b1",
    "devcenter": "6.1.0"
  }
}

Additional context

No response

[yonzhan]

Thank you for opening this issue, we will look into it.

[github-actions]

Here are some similar issues that might help you. Please check if they can solve your problem.

• az webapp create doesnt support using a acr image  #7261

[toddysm]

@johnsonshi Can you reproduce this? Also what should be the next steps.

[johnsonshi]

@toddysm, @MaxHorstmann, I have managed to repro this. This is a bug in the az container create CLI, not in the az acr CLI or Azure Container Registry.

@toddysm / @yonzhan, can you help assign this to Azure Container Instance CLI team? Thank you!

export ACR_NAME=foo

# enable anonymous pull in the ACR
az acr update -n $ACR_NAME --anonymous-pull-enabled

# import sample image into ACR
az acr import --name $ACR_NAME --source mcr.microsoft.com/mirror/docker/library/nginx:1.25

# attempt to anonymously pull from the ACR without logging in, which successfully does so.
docker pull $ACR_NAME.azurecr.io/mirror/docker/library/nginx:1.25
# image successfully pulled

# try creating Azure Container Instance (ACI) without specifying credentials (pressing enter without specifying username or password)
# FAILS!
az container create -g $ACR_NAME --name aci-test --image $ACR_NAME.azurecr.io/mirror/docker/library/nginx:1.25 --cpu 1 --memory 1
Image registry username:
Image registry password:
(AmbiguousImageResitryCredentialType) The registry credential type in the 'imageRegistryCredentials' of container group 'aci-test' cannot be detected. Please set exactly one of username or identity
Code: AmbiguousImageResitryCredentialType
Message: The registry credential type in the 'imageRegistryCredentials' of container group 'aci-test' cannot be detected. Please set exactly one of username or identity

# try creating Azure Container Instance (ACI) by specifying random credentials
# SUCCEEDS!
 az container create -g $ACR_NAME --name aci-test --image $ACR_NAME.azurecr.io/mirror/docker/library/nginx:1.25 --cpu 1 --memory 1
Image registry username: asd
Image registry password:
{
  "confidentialComputeProperties": null,
  "containers": [
    {
      "command": null,
      "environmentVariables": [],
      "image": "$ACR_NAME.azurecr.io/mirror/docker/library/nginx:1.25",
...

[terencet-dev]

Closing as this is an ACI case. Please reopen to ACI team