Azure Container Registry is a managed Docker registry service used for storing and managing container images across all types of Azure deployments. To secure these registries, Azure offers several ways to manage access, including Azure Active Directory (AAD), Service Principals, registry-level admin access, and tokens with scope maps.
Azure Active Directory (AAD)
Azure Active Directory is Microsoft's cloud-based identity and access management service. In the context of Azure Container Registry, AAD provides the authentication for push and pull operations.
You can integrate AAD with Azure Container Registry by creating a Service Principal, whose credentials consist of an identity (Application ID), a key (client secret) and the Tenant ID.
az ad sp create-for-rbac --name myServicePrincipal --role Contributor --scopes /subscriptions/mySubscriptionID/resourceGroups/myResourceGroup/providers/Microsoft.ContainerRegistry/registries/myRegistry --sdk-auth
Replace the following placeholders:
- myServicePrincipal = Desired name for the Service Principal
- mySubscriptionID = Subscription ID where you want to use this Service Principal
- myResourceGroup = Resource Group where your Azure Container Registry exists
- myRegistry = Name of your Azure Container Registry
Service Principals
A service principal is the local representation, or application instance, of a global application object in a single tenant or directory. A service principal is defined in Azure AD and it is used to provide access for applications to Azure services. The service principal is the security identity used by the application that calls APIs in Azure AD to read directory data or in Azure to access resources.
To log in to an Azure Container Registry with a Service Principal's credentials, you can use the following command:
az acr login --name myRegistry --username appId --password password
Again, you need to replace:
- myRegistry = Name of your Azure Container Registry
- appId = Application ID of the Service Principal
- password = Password (client secret) of the Service Principal
Registry-level
Azure Container Registry provides us with an option to manage access at the registry level.
We can enable or disable the admin user for the registry using the Azure portal or the Azure CLI. Enabling the admin user makes the registry accessible with two repo-scoped roles: RegistryReader and RegistryWriter.
az acr update --name myRegistry --admin-enabled true
az acr update --name myRegistry --admin-enabled false
Here, ‘myRegistry’ is the name of your Azure Container Registry.
Token and scope map
Azure Container Registry provides token and scope map for fine-grained control. A scope map is a collection of scoped repository permissions (actions) that may be assigned to one or more tokens.
For instance, once a scope map 'myscope' that grants read, write and delete access to the hello-world repository exists, you can create a token 'mytoken' bound to it with the following command:
az acr token create --name mytoken --registry myRegistry --scope-map myscope
Again replace:
- mytoken = Name of your token
- myRegistry = Name of your Azure Container Registry
- myscope = Name of your scope map
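The Service Principal and token procedures above leave a few steps implicit: the registry resource ID that scopes the role assignment, and the scope map that the token command references. The script below is an added example (not code from the original page) that puts both procedures into one reviewable shell script. It assumes the Azure CLI is installed and `az login` has already been run with rights to create role assignments, scope maps and tokens. The helper functions (`run_az`, `registry_scope`, `validate_actions`), the `ACR_DRY_RUN` and `ACR_APPLY` switches, and the default role of AcrPull (the page's own command uses Contributor) are this example's choices; every name and the subscription and resource group values are placeholders to override through the environment. The list of scope map actions is the documented set for `az acr scope-map create`, a command the page does not show.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: create a Service Principal
# scoped to one registry and log in with it, then create a scope map and a
# token bound to it. With ACR_DRY_RUN=1 every az command is printed instead
# of executed, so the exact invocations can be reviewed first.
set -eu

# Placeholders (constructed for this example); override via the environment.
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-mySubscriptionID}"
RESOURCE_GROUP="${RESOURCE_GROUP:-myResourceGroup}"
REGISTRY="${REGISTRY:-myRegistry}"
SP_NAME="${SP_NAME:-myServicePrincipal}"
SP_ROLE="${SP_ROLE:-AcrPull}"   # least privilege: pull only; use AcrPush if the identity must push
REPO="${REPO:-hello-world}"
SCOPE_MAP="${SCOPE_MAP:-myscope}"
TOKEN_NAME="${TOKEN_NAME:-mytoken}"

# Repository actions an ACR scope map accepts.
VALID_ACTIONS="content/read content/write content/delete metadata/read metadata/write"

# registry_scope: full resource ID of the registry, so the role assignment
# covers this registry only and not the whole resource group.
registry_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.ContainerRegistry/registries/%s' \
    "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$REGISTRY"
}

# run_az: execute an az command, or print it when ACR_DRY_RUN=1.
run_az() {
  if [ "${ACR_DRY_RUN:-0}" = "1" ]; then
    printf 'az %s\n' "$*"
  else
    az "$@"
  fi
}

# create_service_principal: same command as the text, with the role taken
# from SP_ROLE. The JSON it prints contains the client secret: capture it
# into a secret store, not into a build log.
create_service_principal() {
  run_az ad sp create-for-rbac --name "$SP_NAME" --role "$SP_ROLE" \
    --scopes "$(registry_scope)" --sdk-auth
}

# acr_login APP_ID SECRET: authenticate to the registry as the principal.
acr_login() {
  run_az acr login --name "$REGISTRY" --username "$1" --password "$2"
}

# validate_actions ACTION...: fail on anything outside VALID_ACTIONS so a
# typo is caught here rather than by the API.
validate_actions() {
  for action in "$@"; do
    case " $VALID_ACTIONS " in
      *" $action "*) ;;
      *) echo "unknown scope map action: $action" >&2; return 1 ;;
    esac
  done
}

# create_scope_map [ACTION...]: repository-scoped permissions for the token;
# defaults to the read/write/delete set the text describes for hello-world.
create_scope_map() {
  [ "$#" -gt 0 ] || set -- content/read content/write content/delete
  validate_actions "$@" || return 1
  run_az acr scope-map create --name "$SCOPE_MAP" --registry "$REGISTRY" \
    --repository "$REPO" "$@"
}

# create_token: the token carries exactly the scope map's permissions, so
# least privilege is decided when the scope map is created.
create_token() {
  run_az acr token create --name "$TOKEN_NAME" --registry "$REGISTRY" \
    --scope-map "$SCOPE_MAP"
}

# Act only when ACR_APPLY=1, so the file can be sourced or dry-run safely.
if [ "${ACR_APPLY:-0}" = "1" ]; then
  create_service_principal
  create_scope_map
  create_token
fi
```

Run `ACR_DRY_RUN=1 ACR_APPLY=1 sh script.sh` to see the three commands with your values filled in, then drop `ACR_DRY_RUN` to execute them. Passing `content/read` alone to `create_scope_map` produces a pull-only token, which is the shape most CI consumers need.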
Access control to Azure Container Registry is a vital part of AZ-500 Microsoft Azure Security Technologies certification exam. Getting hands-on practice with managing access controls can help you demonstrate your competency in implementing platform protection, managing identity and access as well as securing data and applications in Azure.
Practice Test
Azure Active Directory (Azure AD) authenticates access to an Azure container registry. True/False?
- 1) True
- 2) False
Answer: True
Explanation: Azure Container Registry uses Azure Active Directory to authenticate users and to authorize access to the registries.
A Service Principal can be assigned to the built-in role AcrPull to pull images from a registry. True/False?
- 1) True
- 2) False
Answer: True.
Explanation: A Service Principal can be assigned the AcrPull role to only allow the pulling of container images from the registry.
Azure Container Registry supports Docker Content Trust. True/False?
- 1) True
- 2) False
Answer: True.
Explanation: Azure Container Registry supports Docker Content Trust (DCT), providing you with the ability to sign and verify the signatures of your images.
Does Azure Kubernetes Service (AKS) support integration with Azure Container Registry by default?
- A. Yes
- B. No
Answer: A. Yes
Explanation: Azure Kubernetes Service (AKS) provides an optimized integration with Azure Container Registry (ACR). AKS can pull images from ACR by using an Azure Active Directory (AD) service principal.
Tokens are used to manage fine-grained access policies for repositories in Azure Container Registry. True/False?
- 1) True
- 2) False
Answer: True.
Explanation: Azure Container Registry recently introduced tokens which provide scope-based access to the registries.
What are the built-in roles of Azure Container Registry?
- A. acrimagepusher
- B. AcrPull
- C. AcrPush
- D. acrimagepuller
Answer: B. AcrPull and C. AcrPush
Explanation: Azure Container Registry defines two built-in roles. The AcrPull role allows pulling images, and the AcrPush role allows pushing and pulling images.
Azure Container Registry doesn’t support private link. True/False?
- 1) True
- 2) False
Answer: False.
Explanation: Azure Container Registry does support Azure Private Link, which allows secure access over a private network link.
Which of the following are Azure AD identities that can be granted access permissions to an Azure container registry?
- A. Managed identity
- B. Service principal
- C. User
- D. Virtual Machine
Answer: A. Managed identity, B. Service principal, C. User
Explanation: Managed identities, service principals, and users are Azure AD identities that can be granted permissions to access an Azure Container Registry.
Azure role-based access control (Azure RBAC) is an authorization system that provides fine-grained access management to Azure resources. True/False?
- 1) True
- 2) False
Answer: True
Explanation: Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management to Azure resources, including Azure Container Registry.
Which built-in role should you assign if permitting the deletion of existing images is required?
- A. AcrImageSigner
- B. AcrDelete
- C. AcrPush
- D. AcrPull
Answer: B. AcrDelete
Explanation: The AcrDelete built-in role allows the deletion of existing images in the Azure Container Registry.
By using Azure Policy, you can’t audit or enforce specific conditions on Container Registry resources. True/False?
- 1) True
- 2) False
Answer: False.
Explanation: You can use Azure Policy to audit or enforce specific conditions or set specific restrictions on Container Registry resources in your environment.
AcrPull role allows users to pull images from a registry. True/False?
- 1) True
- 2) False
Answer: True.
Explanation: AcrPull is a built-in role in Azure Container Registry that allows users to pull images from a registry.
A user must sign in prior to pushing or pulling a dockerized application to/from the Azure Container Registry. True/False?
- 1) True
- 2) False
Answer: True.
Explanation: Before a user can push or pull a dockerized application to or from an Azure container registry, they must use the Docker CLI (Command-Line Interface) to sign in to the registry.
Which command is used to login to an Azure Container Registry using the Docker CLI?
- A. docker login
- B. docker azure login
- C. azure login
- D. login az
Answer: A. docker login <acr-login-servername>
Explanation: To log in to an Azure Container Registry, the Docker CLI command ‘docker login’ is used followed by the login server name of the registry.
A webhook can be used to trigger a notification when push and/or delete actions occur in a registry. True/False?
- 1) True
- 2) False
Answer: True.
Explanation: In Azure Container Registry, a webhook can be used to call a specific endpoint when a push and/or delete action happens, thereby producing a notification whenever these events occur.
Interview Questions
What is Azure Container Registry?
Azure Container Registry is a managed, private Docker registry service that stores and manages your container images for Azure deployments in a secure way.
How can I manage access to the Azure Container Registry?
Access to Azure Container Registry can be managed using Azure Role-Based Access Control (RBAC). There are built-in roles specifically for the registry operations like AcrPull, AcrPush, and AcrDelete.
Can multiple users be granted different access to a single Azure Container Registry?
Yes. Access to Azure Container Registry can be controlled on an individual user basis via Azure Role-Based Access Control (RBAC), so different users can be granted different levels of access.
What are the available roles for Azure Container Registry?
There are three built-in roles for Container Registry: AcrPush, which allows the user to push and pull images; AcrPull, which only allows pulling (downloading) images; and AcrDelete, which allows deleting a repository or image.
Can Azure Active Directory be used to authenticate access to Azure Container Registry?
Yes, Azure Container Registry integrates with Azure Active Directory to provide role-based access control (RBAC) to the registry.
What Azure service is used to manage identity and access control for Azure Container Registry?
Azure Active Directory is used to manage identity and access control for Azure Container Registry.
How is access to Azure Container Registry secured?
Access to Azure Container Registry is secured through Azure role-based access control (RBAC) and the use of authentication tokens. The tokens are used to ensure only authenticated entities can access registry resources.
What is an Azure AD service principal and how does it relate to Azure Container Registry?
An Azure AD service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources. In relation to Azure Container Registry, service principals can be authorized with specific permissions and roles in order to interact with the registry.
Can I use Azure Policy to manage access to Azure Container Registry?
Yes, Azure Policy can be used to enforce rules and effects over Azure resources, including Azure Container Registry, thus aiding in access management.
Is there a way to monitor access to my Azure Container Registry?
Yes. Azure Monitor logs and Azure Security Center can be used to gain insights into the access and usage of your Azure Container Registry.
What is the significance of the ‘AcrDelete’ role in Azure Container Registry?
The ‘AcrDelete’ role allows for the deletion of a repository or an image in Azure Container Registry. This role can be assigned to users requiring delete permissions.
Can I automate access management for Azure Container Registry?
Yes. Using Azure DevOps and Azure Resource Manager templates, you can automate access management for Azure Container Registry.
Can I integrate Azure Key Vault with Azure Container Registry for managing secrets?
Yes, Azure Container Registry can be configured to use Azure Key Vault for managing secrets like passwords, encryption keys, etc.
Can I use Virtual Network Service Endpoints with Azure Container Registry?
Yes. For providing a secure connection between a Virtual Network and Azure services over the Azure backbone network, Azure Container Registry supports Virtual Network service endpoints.
What’s the role of Azure Security Center regarding Azure Container Registry?
Azure Security Center provides advanced threat protection for Azure Container Registry. It can detect potential vulnerabilities in container images and suggest remediation steps.