Search code examples

Raspberry PI / IOTEdge failing to pull from Azure Container Registry

I have an IOTEdge device (Rapi3) and IotEdgeHub and IotEdgeagent are deployed and running.

I have successfully built and deployed images (custom-vision example) to ACR and have configured Access Keys in the portal. I've added the respective credentials to my .env file.

The deployment.json has been deployed using Create deployment for single device.

Within IotAgent logs I can see a series of 500 errors:

Executing command for operation ["create"] failed. Microsoft.Azure.Devices.Edge.Agent.Edgelet.EdgeletCommunicationException- Message:Error calling Create module camera-capture: Could not create module camera-capture caused by: Could not pull image caused by: Get unauthorized: authentication required, StatusCode:500

I have already run sudo docker login -u myregistryname -p accesskeypassword1 successfully

I can run sudo docker pull manually which successfully download the respective image.

It would appear that IotEdgeHub and/or IotEdgeAgent doesn't have the same access to the ACR. How can I elevate the privileges.

Update; my deployment.template.json file is as follows:

  "moduleContent": {
    "$edgeAgent": {
      "properties.desired": {
        "schemaVersion": "1.0",
        "runtime": {
          "type": "docker",
          "settings": {
            "minDockerVersion": "v1.25",
            "loggingOptions": "",
            "registryCredentials": {
              "registryName": {
                "username": "$CONTAINER_REGISTRY_USERNAME",
                "password": "$CONTAINER_REGISTRY_PASSWORD",
                "address": "$CONTAINER_REGISTRY_ADDRESS"
        "systemModules": {
          "edgeAgent": {
            "type": "docker",
            "settings": {
              "image": "",
              "createOptions": ""
          "edgeHub": {
            "type": "docker",
            "status": "running",
            "restartPolicy": "always",
            "settings": {
              "image": "",
              "createOptions": ""
            "env": {
                "OptimizeForPerformance": {
                  "value": "false"
        "modules": {
          "camera-capture": {
            "version": "1.0",
            "type": "docker",
            "status": "running",
            "restartPolicy": "always",
            "env": {
              "VIDEO_PATH": {"value": 0},
              "IMAGE_PROCESSING_ENDPOINT":  {"value": "http://image-classifier-service:80/image"},
              "RESIZE_WIDTH":  {"value": 256},
              "RESIZE_HEIGHT":  {"value": 256},
              "SHOW_VIDEO":  {"value": "True"}
            "settings": {
              "image": "${MODULES.CameraCapture.arm32v7}",
              "createOptions": {
                "HostConfig": {
                  "PortBindings": {
                    "5012/tcp": [ { "HostPort":"5012"}]
                  "Binds": ["/dev/video0:/dev/video0"],
          "sensehat-display": {
            "version": "1.0",
            "type": "docker",
            "status": "running",
            "restartPolicy": "always",
            "env": {
              "THRESHOLD": {"value": 0.6}
            "settings": {
              "image": "${MODULES.SenseHatDisplay.arm32v7}",
              "createOptions": {
          "image-classifier-service": {
            "version": "1.0",
            "type": "docker",
            "status": "running",
            "restartPolicy": "always",
            "settings": {
              "image": "${MODULES.ImageClassifierService.arm32v7}",
              "createOptions": ""
    "$edgeHub": {
      "properties.desired": {
        "schemaVersion": "1.0",
        "routes": {
          "CameraCaptureToSenseHatDisplay": "FROM /messages/modules/camera-capture/outputs/output1 INTO BrokeredEndpoint(\"/modules/sensehat-display/inputs/input1\")",
          "CameraCaptureToIoTHub": "FROM /messages/modules/camera-capture/outputs/output1 INTO $upstream",
          "CameraCaptureGAToIoTHub": "FROM /messages/modules/CameraCaptureGA/outputs/* INTO $upstream"
        "storeAndForwardConfiguration": {
          "timeToLiveSecs": 7200

Settings as displayed in the portal: enter image description here


  • The deployment.json that gets send to the device should look like this (if you do use the ACR admin credentials and not the recommended service principle):

    "registryCredentials": {
        "registryName": {
            "username": "myregistryname",
            "password": "xxxxxxxxxxxxxxxxxxx",
            "address": ""

    Can you confirm your deployment.json looks like this?