Access management for Azure Container Registry (ACR)
Azure Container Registry (ACR) access management is a critical security component that controls who can push, pull, and manage container images within your registry. ACR integrates seamlessly with Microsoft Entra ID (formerly Azure Active Directory) to provide robust identity-based access control.
There are several authentication methods available for ACR. The primary approach uses Microsoft Entra ID authentication, which supports both individual identities and service principals. Service principals are ideal for automated scenarios like CI/CD pipelines, allowing applications to authenticate programmatically using credentials or certificates.
Managed identities offer another secure authentication option, eliminating the need to store credentials in code. System-assigned and user-assigned managed identities enable Azure resources like Azure Kubernetes Service (AKS) or Azure Container Instances to pull images securely.
ACR implements role-based access control (RBAC) through several built-in roles. The AcrPull role grants read-only access for pulling images. AcrPush allows both pulling and pushing images. AcrDelete permits deletion of repository data. The Owner and Contributor roles provide full administrative capabilities including role assignments and registry configuration.
For enhanced security, ACR supports repository-scoped permissions, enabling granular access control at the individual repository level rather than the entire registry. Token-based authentication with scope maps allows fine-grained access patterns for specific repositories.
Network security features complement access management. Private endpoints restrict registry access to specific virtual networks. Firewall rules limit access to approved IP ranges. Content trust ensures image integrity through signed images.
ACR Premium tier offers additional security features including geo-replication, customer-managed keys for encryption, and dedicated data endpoints. Enabling admin accounts is possible but not recommended for production environments due to shared credential risks. Instead, implement service principals or managed identities for secure, auditable access to your container registry resources.
Access Management for Azure Container Registry (ACR)
Why ACR Access Management is Important
Azure Container Registry (ACR) stores container images that often contain proprietary application code, sensitive configurations, and intellectual property. Proper access management ensures that only authorized users and services can push, pull, or manage container images. Compromised container registries can lead to supply chain attacks, unauthorized deployments, and data breaches. For the AZ-500 exam, understanding ACR access management is critical as it represents a key component of securing containerized workloads in Azure.
What is ACR Access Management?
ACR access management encompasses the authentication and authorization mechanisms used to control who can interact with your container registry. This includes:
• Azure Active Directory (Azure AD) Authentication - The primary method for human users and service principals
• Admin Account - A built-in account disabled by default, used for quick testing scenarios
• Repository-scoped Tokens - Fine-grained access to specific repositories within a registry
• Role-Based Access Control (RBAC) - Azure roles that define what actions users can perform
• Managed Identities - For Azure services to authenticate to ACR
How ACR Access Management Works
Authentication Methods:
1. Azure AD Individual Login - Users authenticate using the az acr login command, which obtains a token valid for 3 hours
2. Service Principal - Applications use a service principal with client ID and secret for automated scenarios like CI/CD pipelines
3. Managed Identity - Azure services like AKS, Azure Container Instances, and Azure App Service can use system-assigned or user-assigned managed identities to pull images
4. Admin Account - Single account per registry with full push/pull permissions; should be avoided in production
5. Repository-scoped Tokens - Tokens with specific permissions (content/read, content/write, content/delete) scoped to individual repositories
Built-in RBAC Roles:
• Owner - Full access including role assignments
• Contributor - Push, pull, and manage registry except role assignments
• Reader - Pull images only (read access)
• AcrPush - Push and pull images
• AcrPull - Pull images only
• AcrDelete - Delete repository data
• AcrImageSigner - Sign images with content trust
Network Access Controls:
• Private endpoints for private network connectivity
• Firewall rules to restrict access by IP address
• Virtual network service endpoints
Exam Tips: Answering Questions on ACR Access Management
Key Points to Remember:
1. Prefer Azure AD over Admin Account - Questions about best practices will favor Azure AD authentication with RBAC over admin accounts
2. Know the RBAC Roles - Understand the difference between AcrPull (read-only) and AcrPush (read and write). AcrPull is sufficient for services that only need to deploy containers
3. Managed Identities for Azure Services - When AKS or other Azure services need to pull images, managed identity is the recommended approach
4. Service Principals for CI/CD - Automated pipelines should use service principals with minimal required permissions
5. Repository-scoped Tokens - Use these when you need granular access control at the repository level rather than registry level
6. Admin Account Scenarios - Only appropriate for development/testing or single-user scenarios; never recommended for production
7. Token Expiration - Azure AD tokens from az acr login expire after 3 hours
Common Exam Scenarios:
• A DevOps pipeline needs to push images → Use Service Principal with AcrPush role
• AKS cluster needs to pull images → Use Managed Identity with AcrPull role
• Third-party system needs limited access to specific repository → Use Repository-scoped Token
• Secure ACR from public access → Implement Private Endpoints and disable public network access
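The four scenarios above carried out with the Azure CLI at least privilege, as an added example that is not part of the course material; the resource group, registry, cluster, repository and service principal names are assumptions, and the scope-map validator only accepts the three content actions the page lists.

```shell
#!/usr/bin/env bash
# Added example (not from the course page): least-privilege ACR access for the
# four exam scenarios. Every name below is an assumption for illustration.
set -e

RG="rg-acr-demo"            # assumed resource group
ACR="acrsecdemo"            # assumed registry name
AKS="aks-prod"              # assumed AKS cluster
REPO="team-a/api"           # assumed repository a third party may read
SP_NAME="sp-cicd-push"      # assumed service principal for the pipeline

# A scope map entry for a repository may only carry these actions (as listed on
# the page); fail closed on anything else so a typo cannot widen a token.
valid_scope_actions() {
  [ "$#" -gt 0 ] || return 1
  for a in "$@"; do
    case "$a" in
      content/read|content/write|content/delete) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

configure_acr_access() {
  acr_id=$(az acr show --name "$ACR" --resource-group "$RG" --query id --output tsv)

  # 1. Pipeline pushes images: service principal with AcrPush, scoped to this registry only.
  az ad sp create-for-rbac --name "$SP_NAME" --scopes "$acr_id" --role AcrPush

  # 2. AKS pulls images: the cluster's kubelet managed identity receives AcrPull, no stored secret.
  az aks update --name "$AKS" --resource-group "$RG" --attach-acr "$acr_id"

  # 3. Third party reads one repository: scope map plus token instead of a registry-wide role.
  valid_scope_actions content/read
  az acr scope-map create --name partner-readonly --registry "$ACR" \
      --repository "$REPO" content/read --description "Pull-only access to $REPO"
  az acr token create --name partner-token --registry "$ACR" --scope-map partner-readonly

  # 4. Close public exposure and the shared admin credential (private endpoints need Premium).
  az acr update --name "$ACR" --admin-enabled false --public-network-enabled false
}

# Apply the changes only when explicitly requested, so sourcing this file has no side effects.
if [ "${RUN_AZ:-0}" = "1" ]; then
  configure_acr_access
fi
```

Run with RUN_AZ=1 after az login against a subscription where the assumed resources exist.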
Watch Out For:
• Questions that present admin accounts as a valid production solution - this is typically incorrect
• Confusion between AcrPull and AcrPush - remember the principle of least privilege
• Premium tier features - Private Link and content trust require Premium SKU