Authenticate with Azure Container Registry from Azure Container Instances

You can use an Azure Active Directory (Azure AD) service principal to provide access to your private container registries in Azure Container Registry.

In this article, you learn how to create and configure an Azure AD service principal with pull permissions to your registry. Then, you start a container in Azure Container Instances (ACI) that pulls its image from your private registry, using the service principal for authentication.

When to use a service principal

You should use a service principal for authentication from ACI in headless scenarios, such as in applications or services that create container instances in an automated or otherwise unattended manner.

For example, if you have an automated script that runs nightly and creates a task-based container instance to process some data, it can use a service principal with pull-only permissions to authenticate to the registry. You can then rotate the service principal's credentials or revoke its access completely without affecting other services and applications.

Service principals should also be used when the registry admin user is disabled.

Create a service principal

To create a service principal with access to your container registry, run the following script in a local installation of the Azure CLI. The script is formatted for the Bash shell.

Before running the script, update the ACR_NAME variable with the name of your container registry. The SERVICE_PRINCIPAL_NAME value must be unique within your Azure Active Directory tenant. If you receive an "'http://acr-service-principal' already exists." error, specify a different name for the service principal.

You can optionally modify the --role value in the az ad sp create-for-rbac command if you want to grant different permissions.

After you run the script, take note of the service principal's ID and password. Once you have its credentials, you can configure your applications and services to authenticate to your container registry as the service principal.

#!/bin/bash

# Modify for your environment.
# ACR_NAME: The name of your Azure Container Registry
# SERVICE_PRINCIPAL_NAME: Must be unique within your AD tenant
ACR_NAME=<container-registry-name>
SERVICE_PRINCIPAL_NAME=acr-service-principal

# Obtain the full registry ID for subsequent command args
ACR_REGISTRY_ID=$(az acr show --name $ACR_NAME --query id --output tsv)

# Create the service principal with rights scoped to the registry.
# Default permissions are for docker pull access. Modify the '--role'
# argument value as desired:
# reader:      pull only
# contributor: push and pull
# owner:       push, pull, and assign roles
SP_PASSWD=$(az ad sp create-for-rbac --name $SERVICE_PRINCIPAL_NAME --scopes $ACR_REGISTRY_ID --role reader --query password --output tsv)
SP_APP_ID=$(az ad sp show --id http://$SERVICE_PRINCIPAL_NAME --query appId --output tsv)

# Output the service principal's credentials; use these in your services and
# applications to authenticate to the container registry.
echo "Service principal ID: $SP_APP_ID"
echo "Service principal password: $SP_PASSWD"

Use an existing service principal

To grant registry access to an existing service principal, you must assign a new role to the service principal. As with creating a new service principal, you can grant pull, push and pull, and owner access.

The following script uses the az role assignment create command to grant pull permissions to the service principal you specify in the SERVICE_PRINCIPAL_ID variable. Adjust the --role value if you'd like to grant a different level of access.

#!/bin/bash

# Modify for your environment. The ACR_NAME is the name of your Azure Container
# Registry, and the SERVICE_PRINCIPAL_ID is the service principal's 'appId' or
# one of its 'servicePrincipalNames' values.
ACR_NAME=mycontainerregistry
SERVICE_PRINCIPAL_ID=<service-principal-ID>

# Populate value required for subsequent command args
ACR_REGISTRY_ID=$(az acr show --name $ACR_NAME --query id --output tsv)

# Assign the desired role to the service principal. Modify the '--role' argument
# value as desired:
# reader:      pull only
# contributor: push and pull
# owner:       push, pull, and assign roles
az role assignment create --assignee $SERVICE_PRINCIPAL_ID --scope $ACR_REGISTRY_ID --role reader
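Whichever of the two scripts above you ran, the principal should end up with nothing beyond pull access on the registry. The following added script (not part of the article or its GitHub samples) lists the roles assigned to the principal at the registry scope and fails if any of them exceeds pull. It assumes a logged-in Azure CLI; treating the built-in AcrPull role as pull-only alongside reader is my addition, not something the article covers.

```bash
#!/bin/bash
# Added example, not from the article: confirm that a service principal holds
# nothing beyond pull access on a registry. Assumes a logged-in Azure CLI; only
# audit_registry_sp calls az, so check_pull_only can be exercised offline.

# Role names treated as pull-only, lower-cased. "reader" is what the article's
# scripts assign; "acrpull" is the built-in AcrPull role (not covered above).
PULL_ONLY_ROLES="reader acrpull"

# check_pull_only ROLE...
# Exit 0 if every role is pull-only, 1 if any role grants more (contributor,
# owner, ...), 2 if no role was passed at all (nothing assigned at this scope).
check_pull_only() {
    if [ "$#" -eq 0 ]; then return 2; fi
    local role
    for role in "$@"; do
        role=$(printf '%s' "$role" | tr '[:upper:]' '[:lower:]')
        case " $PULL_ONLY_ROLES " in
            *" $role "*) ;;
            *) echo "role exceeds pull on registry scope: $role" >&2; return 1 ;;
        esac
    done
    return 0
}

# audit_registry_sp ACR_NAME SP_APP_ID
# Lists the roles assigned directly to the principal at the registry scope
# (assignments inherited from the resource group or subscription are not
# included) and hands them to check_pull_only.
audit_registry_sp() {
    local registry_id roles
    registry_id=$(az acr show --name "$1" --query id --output tsv) || return 2
    roles=$(az role assignment list --assignee "$2" --scope "$registry_id" \
                --query "[].roleDefinitionName" --output tsv) || return 2
    # Word-splitting is intended: tsv output gives one role name per line.
    check_pull_only $roles
}

# Stand-alone demo on constructed role lists; makes no az call.
if [ "${1:-}" = "demo" ]; then
    check_pull_only Reader && echo "Reader only: pull-only, OK"
    check_pull_only Reader Contributor || echo "Reader + Contributor: exceeds pull"
fi
```

Run `audit_registry_sp <container-registry-name> <service-principal-ID>` after either script; a non-zero exit means the principal was granted more than pull (or nothing at all) at the registry scope.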

Authenticate using the service principal

To launch a container in Azure Container Instances using a service principal, specify its ID for --registry-username and its password for --registry-password.

az container create \
    --resource-group myResourceGroup \
    --name mycontainer \
    --image mycontainerregistry.azurecr.cn/myimage:v1 \
    --registry-login-server mycontainerregistry.azurecr.cn \
    --registry-username <service-principal-ID> \
    --registry-password <service-principal-password>

Sample scripts

You can find the preceding sample scripts for Azure CLI on GitHub, as well as versions for Azure PowerShell:

Next steps

The following articles contain additional details on working with service principals and ACR: