Authenticating using Azure Container Registry


In this tutorial, we look at several ways of authenticating with an Azure container registry, each of which is applicable to one or more registry usage scenarios.

Authentication methods

Individual login with Azure AD

  • If you work with your registry directly, for example pulling images to a development workstation and pushing them to a registry you created, sign in using an individual Azure identity.
  • After that, run the az acr login command in the Azure CLI:

Azure CLI

az acr login --name <acrName>

  • When you log in with az acr login, the CLI uses the token created when you ran az login to authenticate your session with your registry. To complete the authentication sequence, the Docker CLI and Docker daemon must be installed and running in your environment. The Docker client is used by az acr login to set an Azure Active Directory token in the docker.config file.
  • Once you've logged in, your credentials are cached, and subsequent docker commands in your session do not require a username or password.
  • For registry access, the token used by az acr login is valid for 3 hours.
    • We therefore recommend that you always log in to the registry before running a docker command. If your token expires, you can refresh it by running az acr login again to reauthenticate.

az acr login with --expose-token

When the Docker daemon isn't running in your environment, you may still need to authenticate using az acr login. For example, you might need to run az acr login in a script in Azure Cloud Shell, which provides the Docker CLI but doesn't run the Docker daemon.

For this scenario, first run az acr login with the --expose-token parameter.

Azure CLI

az acr login --name <acrName> --expose-token

Output displays the access token, abbreviated here:

Console

{
  "accessToken": "eyJhbGciOiJSUzI1NiIs[…]24V7wA",
  "loginServer": "myregistry.azurecr.io"
}

Then, run docker login, passing 00000000-0000-0000-0000-000000000000 as the username and the access token as the password:

Console

docker login myregistry.azurecr.io --username 00000000-0000-0000-0000-000000000000 --password eyJhbGciOiJSUzI1NiIs[…]24V7wA
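
The --expose-token flow above, scripted so that the token is checked against its 3-hour lifetime and reaches docker on stdin instead of as a --password argument. This is an added example, not code from the original tutorial or from Microsoft; the function names are hypothetical, --output json and --password-stdin are existing az and docker flags not shown on this page, and reading the lifetime from a JWT exp claim is an assumption about the token format.

```shell
#!/bin/sh
# Added example. Assumes POSIX sh with sed, cut, tr, base64 and date.
# Function bodies use ( ) so their variables stay local to the function.

# Read one string field from the flat JSON that --expose-token prints.
json_field() (  # usage: json_field <name> <json>
  printf '%s' "$2" | tr -d '\n' |
    sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
)

# Decode the JWT payload (second dot-separated part, base64url, unpadded).
jwt_payload() (
  p=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  while [ $(( ${#p} % 4 )) -ne 0 ]; do p="$p="; done  # restore padding
  printf '%s' "$p" | base64 -d
)

# Seconds until the exp claim (assumed present, as in a standard JWT).
token_seconds_left() (  # usage: token_seconds_left <jwt> [now_epoch]
  exp=$(jwt_payload "$1" |
    sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
  [ -n "$exp" ] || exit 1          # no exp claim: treat as unusable
  echo $(( exp - ${2:-$(date +%s)} ))
)

# True while more than <margin> seconds (default 300) of lifetime remain.
token_is_fresh() (  # usage: token_is_fresh <jwt> [now_epoch] [margin]
  left=$(token_seconds_left "$1" "${2:-}") || exit 1
  [ "$left" -gt "${3:-300}" ]
)

# Fetch a token and hand it to docker on stdin, so it never appears in
# the process list or shell history as a --password argument would.
acr_docker_login() (  # usage: acr_docker_login <acrName>
  out=$(az acr login --name "$1" --expose-token --output json) || exit 1
  token=$(json_field accessToken "$out")
  token_is_fresh "$token" || { echo "token missing or near expiry" >&2; exit 1; }
  printf '%s' "$token" | docker login "$(json_field loginServer "$out")" \
    --username 00000000-0000-0000-0000-000000000000 --password-stdin
)

# Constructed sample token (not a real ACR token) with a chosen exp value.
make_sample_jwt() (  # usage: make_sample_jwt <exp_epoch>
  b64url() { base64 | tr -d '=\n' | tr '/+' '_-'; }
  printf '%s.%s.sig' "$(printf '{"alg":"none"}' | b64url)" \
    "$(printf '{"exp":%s}' "$1" | b64url)"
)
```

A long-running script that holds a token can call token_is_fresh before each docker command and rerun acr_docker_login when it returns non-zero.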

Service principal

If you assign a service principal to your registry, your application or service can use it for headless authentication. Service principals allow Azure role-based access control (Azure RBAC) to a registry, and a registry can have many service principals. The available roles for a container registry include:

  • AcrPull: pull
  • AcrPush: pull and push
  • Owner: pull, push, and assign roles to other users

Admin account

  • Each container registry contains an admin user account that is disabled by default. You can enable the admin user and manage its credentials in the Azure portal, or by using the Azure CLI or other Azure tools.
    • The admin account is currently required for some scenarios for deploying an image from a container registry to certain Azure services.
  • The admin account is provided with two passwords, both of which can be regenerated. Having two passwords allows you to maintain connection to the registry by using one password while you regenerate the other.
  • If the admin account is enabled, you can pass the username and either password to the docker login command when prompted for basic authentication to the registry.
  • For example:

docker login myregistry.azurecr.io 

  • To enable the admin user for an existing registry, you can use the --admin-enabled parameter of the az acr update command in the Azure CLI:

Azure CLI

az acr update -n <acrName> --admin-enabled true

  • You can also enable the admin user in the Azure portal by navigating to your registry, selecting Access keys under SETTINGS, then Enable under Admin user.

Reference: Microsoft Documentation
