containerapp ACR domain suffix hardcoded to .azurecr.io, breaking sovereign cloud support #9728
Description
Describe the bug
The containerapp command module (both in azure-cli core and the containerapp extension) hardcodes the ACR login server domain suffix as ".azurecr.io". This breaks all ACR-related operations when using Azure sovereign clouds (e.g., Azure China / Mooncake), where ACR registries use the domain suffix ".azurecr.cn".
There are three root-cause locations:
Location 1 — Constant definition (hardcoded string)
File: src/azure-cli/azure/cli/command_modules/containerapp/_constants.py
ACR_IMAGE_SUFFIX = ".azurecr.io"Same constant also duplicated in the extension:
File: src/containerapp/azext_containerapp/_constants.py
ACR_IMAGE_SUFFIX = ".azurecr.io"Location 2 — _infer_acr_credentials() gates all ACR detection
File: src/azure-cli/azure/cli/command_modules/containerapp/_utils.py
def _infer_acr_credentials(cmd, registry_server, disable_warnings=False):
# If registry is Azure Container Registry, we can try inferring credentials
if ACR_IMAGE_SUFFIX not in registry_server:
raise RequiredArgumentMissingError(
'Registry username and password are required if not using Azure Container Registry.'
)When registry_server = "myacr.azurecr.cn", the check ".azurecr.io" not in registry_server is True, so the function immediately raises an error and treats the China ACR as a non-ACR registry. Credential inference, managed identity setup, and acrpull role assignment all fail as a result.
Location 3 — create_acrpull_role_assignment() crashes with ValueError
File: src/azure-cli/azure/cli/command_modules/containerapp/_utils.py
def create_acrpull_role_assignment(cmd, registry_server, ...):
...
acr_id = acr_show(cmd, client, registry_server[: registry_server.rindex(ACR_IMAGE_SUFFIX)]).idstr.rindex(".azurecr.io") raises an unhandled ValueError when registry_server is "myacr.azurecr.cn", causing a crash instead of a clean error message.
Related command
az containerapp create \
--name myapp \
--resource-group myRG \
--environment myEnv \
--image myacr.azurecr.cn/myimage:latest \
--registry-server myacr.azurecr.cn
az containerapp update \
--name myapp \
--resource-group myRG \
--image myacr.azurecr.cn/myimage:latest \
--registry-server myacr.azurecr.cnErrors
Command:
az containerapp create --name xxx --resource-group xxx --environmentxxx --image xxx.azurecr.cn/xxx/xxx:latest --target-port 80 --cpu 0.5 --memory 1Gi --min-replicas 1 --max-replicas 1 --user-assigned xxx --registry-identity xxx --registry-server xxx.azurecr.cnError:
Usage error: --registry-server, --registry-password and --registry-username are required together if not using Azure Container Registry
If we remove --registry-server from the command in hoping it can work around the azurecr.io requirement
--registry-identity: expected an ACR registry (*.azurecr.io) for --registry-server
Issue script & Debug output
az cloud set --name AzureChinaCloud
az login
az containerapp create \
--name myapp \
--resource-group myRG \
--environment myEnv \
--image myacr.azurecr.cn/myimage:latest \
--registry-server myacr.azurecr.cn \
--registry-identity system \
--debugExpected behavior
The extension should dynamically resolve the ACR domain suffix from the active cloud endpoint configuration rather than hardcoding it.
Environment Summary
azure-cli 2.84.0
core 2.84.0
telemetry 1.1.0
Extensions:
containerapp 1.3.0b4
resource-graph 2.1.1
Dependencies:
msal 1.35.0b1
azure-mgmt-resource 24.0.0
Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Config directory 'C:\Users\xx.azure'
Extensions directory 'C:\Users\xxx.azure\cliextensions'
Python (Windows) 3.13.11 (tags/v3.13.11:6278944, Dec 5 2025, 16:17:02) [MSC v.1944 32 bit (Intel)]
Legal docs and information: aka.ms/AzureCliLegal
Your CLI is up-to-date.
Additional context
No response