
We created a private registry under our Azure account and are now trying to make these images available to a number of third parties temporarily (1 month or 1 year).

What would be the safe way to give a third party only the AcrPull rights without exposing any other information? We are trying Service Principals with AcrPull rights, but they seem to come with several roles built in. I would like to confirm that people who hold these accounts do not have access to any of our corporate data besides the images in the registry.

Is there a better way to accomplish this?

Arda Savran

1 Answer

It's safe to give only the AcrPull rights to a Service Principal at that registry scope, because there is only one action, Microsoft.ContainerRegistry/registries/pull/read, in the built-in Azure role AcrPull. If you don't assign any other roles to that service principal, it does not come with several roles built in.

You can also create custom roles with fine-grained permissions to Azure Container Registry. Then assign the custom roles to users, service principals, or other identities that need to interact with a registry.

For more information, read Azure Container Registry roles and permissions.

Nancy
  • Thank you for the explanation. I am not sure why I am seeing so many built-in roles under the registered app; like "Application administrator" or "Application administrator". I even see "Global administrator" under the "Not Assignable - Directory Level only" section. It is concerning. Following is pretty much what I followed to create the service principal: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-auth-service-principal – Arda Savran Mar 22 '21 at 02:07
  • You can find the SP you created under Azure Active Directory > App registrations > Owned applications. Do you mean you find that built-in role in your Container registry Access control (IAM) > Role assignments? – Nancy Mar 22 '21 at 02:43
  • I see the app under "Owned Applications". When I click on it and go to "Roles and administrators", I see a bunch of built-in roles listed. I can find the same app under "Subscriptions > IAM". In there, I am not seeing those built-in roles assigned to it. What does this mean? Also, one more quick question. I am trying to create a custom role on the portal, and at first I thought it worked, but my custom role never appears in the list. Then I noticed that I need to upgrade to Premium AD. Do I really have to upgrade to get that feature? – Arda Savran Mar 22 '21 at 03:07
  • There are Azure AD roles and RBAC roles. You can assign RBAC roles to control access to your subscription resources. The AcrPull role is an [RBAC role](https://learn.microsoft.com/en-us/azure/role-based-access-control/overview). – Nancy Mar 22 '21 at 03:34
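The answer and the last comment make the point that what matters for the third party's reach is the set of RBAC role assignments on the service principal, not the Azure AD role list shown under the app registration. As an added example (not code from the question, the answer or Microsoft), here is an offline audit that takes the parsed output of `az role assignment list --assignee <appId> --all -o json` and flags anything beyond AcrPull on the one registry, plus a check that a custom role definition does not grant more actions than AcrPull does. The subscription id, resource group and registry name below are constructed placeholders.

```python
import json

# The only action in the built-in AcrPull role (per the answer above).
ACR_PULL_ACTIONS = {"Microsoft.ContainerRegistry/registries/pull/read"}

# Constructed placeholder scope for a single registry.
REGISTRY_SCOPE = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-images"
    "/providers/Microsoft.ContainerRegistry/registries/partnerregistry"
)


def audit_assignments(assignments, registry_scope):
    """Findings for a principal that should hold only AcrPull on one registry.

    `assignments` is the parsed JSON list from `az role assignment list`;
    each item carries at least `roleDefinitionName` and `scope`.
    AcrPull inherited from a resource group or subscription scope is also
    a finding, because it would cover every registry under that scope.
    """
    findings = []
    for a in assignments:
        role = a.get("roleDefinitionName")
        scope = a.get("scope", "")
        if role != "AcrPull":
            findings.append(f"unexpected role {role!r} at scope {scope}")
        elif scope.lower() != registry_scope.lower():
            findings.append(f"AcrPull granted outside the registry: {scope}")
    return findings


def audit_custom_role(role_definition):
    """Return actions in a custom role definition that exceed AcrPull."""
    actions = set()
    for perm in role_definition.get("permissions", []):
        actions.update(perm.get("actions", []))
    return sorted(actions - ACR_PULL_ACTIONS)


# Constructed sample mirroring the CLI output shape: one correct assignment
# and one stray Reader role on the resource group that must be flagged.
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "AcrPull", "scope": REGISTRY_SCOPE},
    {"roleDefinitionName": "Reader",
     "scope": REGISTRY_SCOPE.split("/providers/")[0]},
]

if __name__ == "__main__":
    print(json.dumps(audit_assignments(SAMPLE_ASSIGNMENTS, REGISTRY_SCOPE), indent=2))
```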