Authenticate with Azure Container Registry from Azure Container Instances
You can use a Microsoft Entra service principal to provide access to your private container registries in Azure Container Registry.
In this article, you learn to create and configure a Microsoft Entra service principal with pull permissions to your registry. Then, you start a container in Azure Container Instances (ACI) that pulls its image from your private registry, using the service principal for authentication.
When to use a service principal
You should use a service principal for authentication from ACI in headless scenarios, such as in applications or services that create container instances in an automated or otherwise unattended manner.
For example, if you have an automated script that runs nightly and creates a task-based container instance to process some data, it can use a service principal with pull-only permissions to authenticate to the registry. You can then rotate the service principal's credentials or revoke its access completely without affecting other services and applications.
Service principals should also be used when the registry admin user is disabled.
Create a service principal
To create a service principal with access to your container registry, run the following script in a local installation of the Azure CLI. The script is formatted for the Bash shell.
Before running the script, update the ACR_NAME variable with the name of your container registry. The SERVICE_PRINCIPAL_NAME value must be unique within your Microsoft Entra tenant. If you receive an "'http://acr-service-principal' already exists." error, specify a different name for the service principal.
You can optionally modify the --role value in the az ad sp create-for-rbac command if you want to grant different permissions. For a complete list of roles, see ACR roles and permissions.
After you run the script, take note of the service principal's ID and password. Once you have its credentials, you can configure your applications and services to authenticate to your container registry as the service principal.
#!/bin/bash
# This script requires Azure CLI version 2.25.0 or later. Check version with `az --version`.
# Stop on the first failing command so a failed registry lookup cannot produce
# a service principal with an empty (and therefore wrong) scope.
set -e
# Modify for your environment.
# ACR_NAME: The name of your Azure Container Registry
# SERVICE_PRINCIPAL_NAME: Must be unique within your Microsoft Entra tenant
ACR_NAME=$containerRegistry
SERVICE_PRINCIPAL_NAME=$servicePrincipal
# Obtain the full registry ID
ACR_REGISTRY_ID=$(az acr show --name "$ACR_NAME" --query "id" --output tsv)
# echo "$ACR_REGISTRY_ID"
# Create the service principal with rights scoped to the registry.
# Default permissions are for docker pull access. Modify the '--role'
# argument value as desired:
# acrpull: pull only
# acrpush: push and pull
# owner: push, pull, and assign roles
PASSWORD=$(az ad sp create-for-rbac --name "$SERVICE_PRINCIPAL_NAME" --scopes "$ACR_REGISTRY_ID" --role acrpull --query "password" --output tsv)
USER_NAME=$(az ad sp list --display-name "$SERVICE_PRINCIPAL_NAME" --query "[].appId" --output tsv)
# Output the service principal's credentials; use these in your services and
# applications to authenticate to the container registry.
echo "Service principal ID: $USER_NAME"
echo "Service principal password: $PASSWORD"
Use an existing service principal
To grant registry access to an existing service principal, you must assign a new role to the service principal. As with creating a new service principal, you can grant pull, push and pull, and owner access, among others.
The following script uses the az role assignment create command to grant pull permissions to a service principal you specify in the SERVICE_PRINCIPAL_ID variable. Adjust the --role value if you'd like to grant a different level of access.
#!/bin/bash
# Stop on the first failing command so the role is never assigned with an
# empty scope.
set -e
# Modify for your environment. The ACR_NAME is the name of your Azure Container
# Registry, and the SERVICE_PRINCIPAL_ID is the service principal's 'appId' or
# one of its 'servicePrincipalNames' values.
ACR_NAME=$containerRegistry
SERVICE_PRINCIPAL_ID=$servicePrincipal
# Populate value required for subsequent command args
ACR_REGISTRY_ID=$(az acr show --name "$ACR_NAME" --query id --output tsv)
# Assign the desired role to the service principal. Modify the '--role' argument
# value as desired:
# acrpull: pull only
# acrpush: push and pull
# owner: push, pull, and assign roles
az role assignment create --assignee "$SERVICE_PRINCIPAL_ID" --scope "$ACR_REGISTRY_ID" --role acrpull
Authenticate using the service principal
To launch a container in Azure Container Instances using a service principal, specify its ID for --registry-username, and its password for --registry-password.
az container create \
--resource-group myResourceGroup \
--name mycontainer \
--image mycontainerregistry.azurecr.cn/myimage:v1 \
--registry-login-server mycontainerregistry.azurecr.cn \
--registry-username <service-principal-ID> \
--registry-password <service-principal-password>
Note
We recommend running the commands in the most recent version of the Azure CLI. Set export MSYS_NO_PATHCONV=1 when running in an on-premises Bash environment (for example Git Bash on Windows, where MSYS path conversion would otherwise rewrite the registry resource ID passed to --scopes).
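The following Bash wrapper is an added example and is not part of the Microsoft article or its sample-script repository. It ties the article's steps together (look up the registry scope, assign a registry-scoped role, start the ACI container as the service principal) and adds the credential-rotation step the article mentions. It enforces two checks the plain scripts do not: the role must be one of the three listed on this page, and the scope must be a container-registry resource ID, so a failed lookup cannot turn into an assignment at resource-group or subscription level. All resource names (myResourceGroup, mycontainer, myimage) are placeholders; the az ad sp credential reset command is an Azure CLI command not shown on this page. Set AZ="echo az" to print the commands instead of executing them.

```shell
#!/usr/bin/env bash
# Added example (not from the Microsoft article). Placeholder names throughout.
# AZ is the Azure CLI command; set AZ="echo az" to dry-run offline.
set -eu
AZ=${AZ:-az}

# Only the three ACR roles listed in the article are accepted. Anything else is
# rejected instead of being passed through to 'az role assignment create'.
validate_role() {
  case "$1" in
    acrpull|acrpush|owner) return 0 ;;
    *) echo "unsupported role '$1' (expected acrpull, acrpush or owner)" >&2; return 1 ;;
  esac
}

# A registry scope is the ARM resource ID of a container registry. Refusing
# anything else (including an empty string from a failed 'az acr show') keeps
# the role from being assigned at resource-group or subscription scope.
validate_registry_scope() {
  case "$1" in
    /subscriptions/*/resourceGroups/*/providers/Microsoft.ContainerRegistry/registries/*) return 0 ;;
    *) echo "not a container registry resource ID: '$1'" >&2; return 1 ;;
  esac
}

# Look up the registry's full resource ID (same call as the article's scripts).
registry_scope() {
  $AZ acr show --name "$1" --query id --output tsv
}

# Assign ROLE (default acrpull, the least-privilege choice) on SCOPE to APP_ID.
assign_registry_role() {
  app_id=$1; scope=$2; role=${3:-acrpull}
  validate_role "$role" || return 1
  validate_registry_scope "$scope" || return 1
  $AZ role assignment create --assignee "$app_id" --scope "$scope" --role "$role"
}

# Start the container, authenticating to the registry as the service principal.
# The password comes from the SP_PASSWORD environment variable rather than a
# positional argument, so it stays out of this wrapper's own command line and
# shell history (the az call itself still receives it as an argument).
deploy_with_sp() {
  rg=$1; name=$2; image=$3; app_id=$4
  case "$image" in
    */*) ;;
    *) echo "image must be fully qualified: <login-server>/<repo>:<tag>" >&2; return 1 ;;
  esac
  : "${SP_PASSWORD:?set SP_PASSWORD to the service principal password}"
  login_server=${image%%/*}   # host part of the image reference
  $AZ container create \
    --resource-group "$rg" --name "$name" --image "$image" \
    --registry-login-server "$login_server" \
    --registry-username "$app_id" --registry-password "$SP_PASSWORD"
}

# Issue a new password for the service principal (the article's rotation point).
# The new secret is written to stdout only; store it in a secret manager.
rotate_sp_password() {
  $AZ ad sp credential reset --id "$1" --query password --output tsv
}

main() {
  acr=${ACR_NAME:?set ACR_NAME}; app_id=${SP_APP_ID:?set SP_APP_ID}
  scope=$(registry_scope "$acr")
  assign_registry_role "$app_id" "$scope" acrpull
  deploy_with_sp myResourceGroup mycontainer "${acr}.azurecr.cn/myimage:v1" "$app_id"
}

# Run the full flow only when invoked as './acr-sp-deploy.sh run'.
if [ "${1:-}" = "run" ]; then main; fi
```

Usage: export ACR_NAME, SP_APP_ID and SP_PASSWORD, then run the script with the single argument run. After the container is up, rotate_sp_password "$SP_APP_ID" issues a fresh secret for the next deployment without touching any other identity, which is the isolation benefit the article describes.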
Sample scripts
You can find the preceding sample scripts for Azure CLI on GitHub, as well as versions for Azure PowerShell:
Note
Sample scripts you download or reference from the GitHub repo must be modified to fit the Azure operated by 21Vianet environment. For example, replace some endpoints ("blob.core.windows.net" with "blob.core.chinacloudapi.cn", "cloudapp.azure.com" with "cloudapp.chinacloudapi.cn"), and change unsupported regions, VM images, VM sizes, SKUs, and resource-provider API versions where necessary.
Next steps
The following articles contain additional details on working with service principals and ACR: