Azure ACR Repo Access

Question

We have a ACR running on Azure cloud with multiple Repos inside it, it was recently migrated. The challenge we have is we want to apply repo well Access controls on the ACR similar to Nexus, we'd want to integrate with Azure Active Directory. Can someone assist me with some information on this as I'm new to Active Directory

score 1 · Answer 1 · answered Feb 05 '19 at 06:33

1

These are the roles available in ACR:

this talks about authenticating as Azure AD users. basically you need to do this:

az acr login --name <acrName>

If you want SP auth, the article above talks about that one as well. for me docker login with SP credential "just works"

answered Feb 05 '19 at 06:33

4c74356b41

69,186
6
100
141

these roles are for the ACR. inside the ACR we have multiple repos, and challenge is to implement roles on the repository inside the ACR – Manpreet Feb 05 '19 at 06:43
you cant have permissions on repos inside ACR – 4c74356b41 Feb 05 '19 at 07:29

score 0 · Answer 2 · answered Feb 05 '19 at 06:33

0

I have no experience with Nexus, but if you want to know something about the Access control on ACR with Azure AD, I can provide some messages.

To control the access on ACR, you can access the ACR with the different roles through the Azure Service Principal. Control the role type means to control the access with the permission. For more details, see Azure Container Registry authentication with service principals.

Also, if you do not want to provide or manage registry credentials with the access control, you can use a managed identity for Azure resources to authenticate to an Azure container registry from another Azure resource. It also dependants on Azure Service Principal and can help you achieve what you want. For more details, see Use an Azure managed identity to authenticate to an Azure container registry.

answered Feb 05 '19 at 06:33

Charles Xu

29,862
2
22
39

these roles are for the ACR. inside the ACR we have multiple repos, and challenge is to implement roles on the repository inside the ACR – Manpreet Feb 05 '19 at 06:43
@Manpreet It seems you can control the access directly with the repo inside the ACR. You just can control the access with the whole ACR. – Charles Xu Feb 05 '19 at 06:46
@Manpreet As I know, there no way to achieve that in Azure. – Charles Xu Feb 05 '19 at 06:50
A custom Azure AD policy implemented on the Resource Group, Does that work ? any idea on it? – Manpreet Feb 05 '19 at 06:56
@Manpreet I don't think it's a good way. You will finally need permission to access the ACR in the group. If just has the group permission without the ACR permission, it also doesn't work. – Charles Xu Feb 05 '19 at 07:00
@Manpreet Any more questions? – Charles Xu Feb 05 '19 at 07:26
No. thank you guys. It has been confirmed by Microsoft, Repos inside the ACR cannot have the access controls. Thank you everyone for your help. – Manpreet Feb 05 '19 at 08:39
@Manpreet If the answer is helpful you can accept it. – Charles Xu Feb 13 '19 at 06:04

Azure ACR Repo Access

2 Answers2