Azure Container Apps
An Azure service that provides a general-purpose, serverless container platform.
625 questions
Orphaned ACR Resources Preventing Container Apps from Launching
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 50%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EQN%3C/text%3E%3C/svg%3E)
Quintan Neville
0
Reputation points
We consolidated our Images into a single Container Registry on Azure and ran into some issues with orphaned resources that are preventing some container apps from launching
I redacted the names of the apps:
- resourcegroup is the RG name, and resourcegroupacr is just the name of the acr prefixed with our old resourcegroup name
- oldacr1 is our old ACR that we can't remove for some reason
- appname is just the name of the app we're to launch a revision of.
I might have been a bit to hasty in deleting the old container registry resourcegroupacr.azurecr.io and it looks like some resources were tied to it. I should have confirmed these fired up before deleting the old registries, as some just hang and didn't launch after I moved over the revisions to point at the new ACR and images. Now it looks like we have some references to container registries that I can't get rid of.
The registries I tried to delete were oldacr1.azurecr.io and resourcegroupacr.azurecr.io. resourcegroupacr.azurecr.io is gone, but I get errors deleting oldacr1.azurecr.io. As you can see in the following errors, the container app still references the deleted registry.
The error we get when re-deploying the Container App revision with the proper tag and Authentication selected is:
Failed to deploy new revision: PasswordSecretRef 'reg-pswd-8d81bbc3-8d27' defined for registry server 'oldacr1.azurecr.io' not found
I'm not selecting oldacr1.azurecr.io as my repo (this is the one I wish I could delete), so this is a strange error. I checked to see if we had
I confirmed this with this command:
az containerapp show \
--name resourcegroup-appname \
--resource-group resourcegroup \
--query "properties.configuration.registries"
Output - Ideally only want newacr.azurecr.io:
[
{
"identity": "/subscriptions/xxx/resourceGroups/resourcegroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-resourcegroup-secretuser",
"passwordSecretRef": "",
"server": "resourcegroupacr.azurecr.io",
"username": ""
},
{
"identity": "/subscriptions/xxx/resourcegroups/resourcegroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-resourcegroup-secretuser",
"passwordSecretRef": "",
"server": "newacr.azurecr.io",
"username": ""
},
{
"identity": "",
"passwordSecretRef": "reg-pswd-8d81bbc3-8d27",
"server": "oldacr1.azurecr.io",
"username": "oldacr1"
}
]
I tried to clean up the resources explicitly by setting the registries with AzureCLI and an update to the container app.
az containerapp update \
--name resourcegroup-appname \
--resource-group resourcegroup \
--set configuration.registries="[]"
Running ths 'show' command again, I still see the same output (the three registries)
az containerapp show \
--name resourcegroup-appname \
--resource-group resourcegroup \
--query "properties.configuration.registries"
I even tried to update it specifically to use the single container app registry that we actually want.
az containerapp update \
--name resourcegroup-appname \
--resource-group resourcegroup \
--set configuration.registries="[{'server':'newacr.azurecr.io','identity':'/subscriptions/xxx/resourcegroups/resourcegroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-resourcegroup-secretuser'}]"
Show will indicate the same registries are attached.
I'm out of things to try. Deleting and recreating our container apps isn't sustainable, and I'd like to avoid this as strongly as possible.
Any help would be appreciated. Thank you in advance!
Azure Container Apps
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 40%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKA%3C/text%3E%3C/svg%3E)
Khadeer Ali 4,960 Reputation points Microsoft External Staff2025-05-02T14:27:47.3966667+00:00 Thanks for reaching out and all the troubleshooting you've done so far .
To help us escalate this properly and narrow down any remaining bindings to the old ACR, could you please share the following:
- The output of this command, just to confirm if the secret
reg-pswd-8d81bbc3-8d27still exists:az containerapp secret list \ --name resourcegroup-appname \ --resource-group resourcegroup- The revision name that is currently active (in case an older revision is still referencing the removed ACR):
This will help us validate if any lingering secrets or revision metadata are blocking cleanup.
- The output of this command, just to confirm if the secret
-
Quintan Neville 0 Reputation points
2025-05-02T14:47:58.1366667+00:00 Hey @Khadeer Ali , thank you for jumping in here:
For the output of 1
[ ... our app secrets ... { "identity": "/subscriptions/xxx/resourceGroups/resourcegroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-resourcegroup-secretuser", "keyVaultUrl": "https://resourcegroup -key-vault.vault.azure.net/secrets/EXAMPLE_VARIABLE", "name": "example_secret" }, { "name": "reg-pswd-8d81bbc3-8d27" } ]Running the second command:
[ "resourcegroup-appname--uhw64vg" ]Hopefully this helps. Thank you.
-
Khadeer Ali 4,960 Reputation points Microsoft External Staff
2025-05-02T17:33:26.33+00:00 Thanks again for sharing those details.
It looks like the secret
reg-pswd-8d81bbc3-8d27is still present and might be tied to the active revision (resourcegroup-appname--uhw64vg). That would explain why the reference tooldacr1.azurecr.iois sticking around, even after trying to update the registry config.Here’s what you can try next:
1. Remove the old secret If the secret is no longer in use by any active revision, you can safely remove it:
How to remove secrets from Container Apps linked to ACR
az containerapp secret remove \ --name resourcegroup-appname \ --resource-group resourcegroup \ --secret-name reg-pswd-8d81bbc3-8d27Make sure that no currently running revision depends on this secret. If it does, you may need to deploy a new revision first.
2. Deploy a clean revision manually Create a new revision that only uses the updated ACR and excludes references to the old secret:
Manage revisions in Azure Container Apps
az containerapp update \ --name resourcegroup-appname \ --resource-group resourcegroup \ --image newacr.azurecr.io/yourimage:tag \ --registry-server newacr.azurecr.io \ --registry-identity /subscriptions/xxx/resourceGroups/resourcegroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-resourcegroup-secretuser
Give this a try and let me know if it works.
Sign in to comment
Sign in to answer