Enable Artifact Cache with authentication - Azure CLI
This article is part three of a tutorial series. Part one provides an overview of Artifact Cache, its features, benefits, and limitations. In part two, you learn how to enable Artifact Cache feature by using the Azure CLI.
This article walks you through the steps of enabling Artifact Cache with authentication by using the Azure CLI. You have to use the Credentials to make an authenticated pull or to access a private repository.
Prerequisites
You can use the local installation of the Azure CLI to run the command examples in this article. If you'd like to use it locally, version 2.46.0 or later is required. Run
az --version
to find the version. If you need to install or upgrade, see Install Azure CLI.You have an existing Key Vault to store the credentials. Learn more about creating and storing credentials in a Key Vault.
You can set and retrieve secrets from your Key Vault. Learn more about set and retrieve a secret from Key Vault.
Configure Artifact Cache with authentication - Azure CLI
Create Credentials - Azure CLI
Before configuring the Credentials, you have to create and store secrets in the Azure KeyVault and retrieve the secrets from the Key Vault. Learn more about creating and storing credentials in a Key Vault. and to set and retrieve a secret from Key Vault..
Run az acr credential set create command to create the credentials.
- For example, To create the credentials for a given
MyRegistry
Azure Container Registry.
az acr credential-set create -r MyRegistry \ -n MyRule \ -l docker.io \ -u https://MyKeyvault.vault.azure.cn/secrets/usernamesecret \ -p https://MyKeyvault.vault.azure.cn/secrets/passwordsecret
- For example, To create the credentials for a given
Run az acr credential set update to update the username or password KV secret ID on a credential set.
- For example, to update the username or password KV secret ID on the credentials for a given
MyRegistry
Azure Container Registry.
az acr credential-set update -r MyRegistry -n MyRule -p https://MyKeyvault.vault.azure.cn/secrets/newsecretname
- For example, to update the username or password KV secret ID on the credentials for a given
Run az-acr-credential-set-show to show the credentials.
- For example, to show the credentials for a given
MyRegistry
Azure Container Registry.
az acr credential-set show -r MyRegistry -n MyCredSet
- For example, to show the credentials for a given
Create a cache rule with the Credentials - Azure CLI
Run az acr cache create command to create a cache rule.
- For example, to create a cache rule with the credentials for a given
MyRegistry
Azure Container Registry.
az acr cache create -r MyRegistry -n MyRule -s docker.io/library/ubuntu -t ubuntu -c MyCredSet
- For example, to create a cache rule with the credentials for a given
Run az acr cache update command to update the credentials on a cache rule.
- For example, to update the credentials on a cache rule for a given
MyRegistry
Azure Container Registry.
az acr cache update -r MyRegistry -n MyRule -c NewCredSet
- For example, to remove the credentials from an existing cache rule for a given
MyRegistry
Azure Container Registry.
az acr cache update -r MyRegistry -n MyRule --remove-cred-set
- For example, to update the credentials on a cache rule for a given
Run az acr cache show command to show a cache rule.
- For example, to show a cache rule for a given
MyRegistry
Azure Container Registry.
az acr cache show -r MyRegistry -n MyRule
- For example, to show a cache rule for a given
Assign permissions to Key Vault
Get the principal ID of system identity in use to access Key Vault.
PRINCIPAL_ID=$(az acr credential-set show -n MyCredSet \ -r MyRegistry \ --query 'identity.principalId' \ -o tsv)
Run the az keyvault set-policy command to assign access to the Key Vault, before pulling the image.
- For example, to assign permissions for the credentials access the KeyVault secret
az keyvault set-policy --name MyKeyVault \ --object-id $PRINCIPAL_ID \ --secret-permissions get
Pull your Image
Pull the image from your cache using the Docker command by the registry login server name, repository name, and its desired tag.
- For example, to pull the image from the repository
hello-world
with its desired taglatest
for a given registry login servermyregistry.azurecr.cn
.
docker pull myregistry.azurecr.cn/hello-world:latest
- For example, to pull the image from the repository
Clean up the resources
Run az acr cache list command to list the cache rules in the Azure Container Registry.
- For example, to list the cache rules for a given
MyRegistry
Azure Container Registry.
az acr cache list -r MyRegistry
- For example, to list the cache rules for a given
Run az acr cache delete command to delete a cache rule.
- For example, to delete a cache rule for a given
MyRegistry
Azure Container Registry.
az acr cache delete -r MyRegistry -n MyRule
- For example, to delete a cache rule for a given
Runaz acr credential set list to list the credential in an Azure Container Registry.
- For example, to list the credentials for a given
MyRegistry
Azure Container Registry.
az acr credential-set list -r MyRegistry
- For example, to list the credentials for a given
Run az-acr-credential-set-delete to delete the credentials.
- For example, to delete the credentials for a given
MyRegistry
Azure Container Registry.
az acr credential-set delete -r MyRegistry -n MyCredSet
- For example, to delete the credentials for a given
Next steps
- Advance to the next article to walk through the troubleshoot guide for Registry Cache.