Enable Artifact Cache with authentication - Azure CLI

This article is part three of a tutorial series. Part one provides an overview of Artifact Cache, its features, benefits, and limitations. In part two, you learn how to enable the Artifact Cache feature by using the Azure CLI.

This article walks you through the steps of enabling Artifact Cache with authentication by using the Azure CLI. You have to use the Credentials to make an authenticated pull or to access a private repository.

Prerequisites

Configure Artifact Cache with authentication - Azure CLI

Create Credentials - Azure CLI

Before configuring the Credentials, you have to create and store secrets in Azure Key Vault and retrieve the secrets from the Key Vault. Learn more about creating and storing credentials in a Key Vault, and about how to set and retrieve a secret from Key Vault.

  1. Run the az acr credential-set create command to create the credentials.

    • For example, to create the credentials for a given MyRegistry Azure Container Registry.
    az acr credential-set create \
    -r MyRegistry \
    -n MyCredSet \
    -l docker.io \
    -u https://MyKeyvault.vault.azure.cn/secrets/usernamesecret \
    -p https://MyKeyvault.vault.azure.cn/secrets/passwordsecret

  2. Run the az acr credential-set update command to update the username or password Key Vault secret ID on a credential set.

    • For example, to update the username or password Key Vault secret ID on the credentials for a given MyRegistry Azure Container Registry.
    az acr credential-set update -r MyRegistry -n MyCredSet -p https://MyKeyvault.vault.azure.cn/secrets/newsecretname

  3. Run the az acr credential-set show command to show the credentials.

    • For example, to show the credentials for a given MyRegistry Azure Container Registry.
    az acr credential-set show -r MyRegistry -n MyCredSet
    

Create a cache rule with the Credentials - Azure CLI

  1. Run the az acr cache create command to create a cache rule.

    • For example, to create a cache rule with the credentials for a given MyRegistry Azure Container Registry.
    az acr cache create -r MyRegistry -n MyRule -s docker.io/library/ubuntu -t ubuntu -c MyCredSet
    
  2. Run the az acr cache update command to update the credentials on a cache rule.

    • For example, to update the credentials on a cache rule for a given MyRegistry Azure Container Registry.
    az acr cache update -r MyRegistry -n MyRule -c NewCredSet
    
    • For example, to remove the credentials from an existing cache rule for a given MyRegistry Azure Container Registry.
    az acr cache update -r MyRegistry -n MyRule --remove-cred-set
    
  3. Run the az acr cache show command to show a cache rule.

    • For example, to show a cache rule for a given MyRegistry Azure Container Registry.
    az acr cache show -r MyRegistry -n MyRule
    

Assign permissions to Key Vault

  1. Get the principal ID of the system identity that is used to access Key Vault.

    PRINCIPAL_ID=$(az acr credential-set show \
                    -n MyCredSet \
                    -r MyRegistry \
                    --query 'identity.principalId' \
                    -o tsv)

  2. Run the az keyvault set-policy command to assign access to the Key Vault before pulling the image.

    • For example, to assign permissions so that the credentials can access the Key Vault secret.
    az keyvault set-policy --name MyKeyVault \
    --object-id "$PRINCIPAL_ID" \
    --secret-permissions get
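
A least-privilege check for the step above, as an added example that is not part of the original article: it reads the JSON printed by az keyvault show and reports whether the credential set's principal holds anything beyond secrets/get. It assumes the vault uses access policies (which az keyvault set-policy implies); the function name, the file name audit.py and the sample object IDs are constructed for illustration.

```python
import json
import sys

# Constructed sample shaped like `az keyvault show --name MyKeyVault -o json`.
# The object IDs are placeholders, not real identities.
SAMPLE_VAULT = json.loads("""
{"name": "MyKeyVault", "properties": {"enableRbacAuthorization": false,
 "accessPolicies": [
  {"objectId": "00000000-0000-0000-0000-0000000000aa",
   "permissions": {"secrets": ["get"], "keys": [], "certificates": [], "storage": []}},
  {"objectId": "00000000-0000-0000-0000-0000000000bb",
   "permissions": {"secrets": ["Get", "List", "Set"], "keys": ["get"], "certificates": null}}
 ]}}
""")


def audit_credset_access(vault, principal_id):
    """Return a list of findings; an empty list means the principal has exactly secrets/get."""
    props = vault.get("properties") or {}
    if props.get("enableRbacAuthorization"):
        return ["vault uses Azure RBAC; access policies are not evaluated"]
    policies = [p for p in props.get("accessPolicies") or []
                if (p.get("objectId") or "").lower() == principal_id.lower()]
    if not policies:
        return ["no access policy for principal; cache pulls cannot read the secrets"]
    findings = []
    granted = {}
    # Merge every policy entry for this principal; permission names are case-insensitive.
    for policy in policies:
        for kind, perms in (policy.get("permissions") or {}).items():
            granted.setdefault(kind, set()).update(x.lower() for x in perms or [])
    secrets = granted.pop("secrets", set())
    if "get" not in secrets:
        findings.append("missing secrets/get")
    for extra in sorted(secrets - {"get"}):
        findings.append(f"excess secrets/{extra}")
    # Anything on keys, certificates or storage is more than the cache needs.
    for kind in sorted(granted):
        for perm in sorted(granted[kind]):
            findings.append(f"excess {kind}/{perm}")
    return findings


if __name__ == "__main__":
    # Usage: az keyvault show --name MyKeyVault -o json | python audit.py "$PRINCIPAL_ID"
    problems = audit_credset_access(json.load(sys.stdin), sys.argv[1])
    print("\n".join(problems) or "OK: principal holds only secrets/get")
    sys.exit(1 if problems else 0)
```

The script exits non-zero when it has findings, so it can gate a deployment step before the first pull through the cache.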
    

Pull your Image

  1. Pull the image from your cache with the docker pull command, specifying the registry login server name, the repository name, and the desired tag.

    • For example, to pull the image from the repository hello-world with its desired tag latest for a given registry login server myregistry.azurecr.cn.
    docker pull myregistry.azurecr.cn/hello-world:latest
    

Clean up the resources

  1. Run the az acr cache list command to list the cache rules in the Azure Container Registry.

    • For example, to list the cache rules for a given MyRegistry Azure Container Registry.
    az acr cache list -r MyRegistry

  2. Run the az acr cache delete command to delete a cache rule.

    • For example, to delete a cache rule for a given MyRegistry Azure Container Registry.
    az acr cache delete -r MyRegistry -n MyRule

  3. Run the az acr credential-set list command to list the credentials in an Azure Container Registry.

    • For example, to list the credentials for a given MyRegistry Azure Container Registry.
    az acr credential-set list -r MyRegistry

  4. Run the az acr credential-set delete command to delete the credentials.

    • For example, to delete the credentials for a given MyRegistry Azure Container Registry.
    az acr credential-set delete -r MyRegistry -n MyCredSet
    

Next steps

  • Advance to the next article to walk through the troubleshooting guide for Registry Cache.