
10.3.3.1 ACR Identity Integration

A focused guide to ACR Identity Integration, connecting core concepts with practical Docker and container operations.

ACR identity integration uses Azure Active Directory (Azure AD) to authenticate and authorize access to an Azure Container Registry instance, allowing registry permissions to be managed through the same identity system governing the rest of an Azure subscription's resources.

Authenticating Using Azure AD Identity

Logging into ACR through the Azure CLI relies on the currently authenticated Azure AD identity, rather than a separate, registry-specific credential.

az login
az acr login --name myacrregistry

az acr login reuses the Azure AD session established by az login to obtain a registry token for the local Docker client, so no registry-specific username or password is required.

Granting Role-Based Access to a Registry

Azure's role-based access control (RBAC) system grants specific roles — such as AcrPull or AcrPush — to a given identity for a specific registry.

az role assignment create --assignee <service-principal-id> --scope <registry-resource-id> --role AcrPull

This grants pull-only access to the specified identity, without broader push or administrative permissions on this registry.

Why Managed Identities Simplify Access for Azure Compute Resources

An Azure compute resource, such as an AKS cluster or an Azure Container App, can be assigned a managed identity granted appropriate ACR permissions, allowing it to pull images without managing any separate, explicit credential at all.

az aks update -n myAKSCluster -g myResourceGroup --attach-acr myacrregistry

This command handles the underlying managed identity role assignment automatically, simplifying what would otherwise require several explicit steps.

Auditing Current Registry Access

Reviewing existing role assignments for a registry confirms exactly which identities currently have what level of access.

az role assignment list --scope <registry-resource-id>
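
The review described above can be scripted. This is an added example, not code from the original guide: it parses the JSON output of az role assignment list and flags every assignment that is either not AcrPull or inherited from a scope above the registry. It assumes the command was run with --include-inherited --output json; the sample data, principal names, IDs and the approved_push allow-list are constructed for illustration.

```python
import json

# Constructed sample of `az role assignment list --scope <registry-resource-id>
# --include-inherited --output json`. Every ID and principal name is a placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/myResourceGroup"
REGISTRY_ID = RG + "/providers/Microsoft.ContainerRegistry/registries/myacrregistry"
SAMPLE = json.dumps([
    {"principalName": "aks-kubelet-identity", "principalType": "ServicePrincipal",
     "roleDefinitionName": "AcrPull", "scope": REGISTRY_ID},
    {"principalName": "ci-pipeline", "principalType": "ServicePrincipal",
     "roleDefinitionName": "AcrPush", "scope": REGISTRY_ID},
    {"principalName": "dev-team", "principalType": "Group",
     "roleDefinitionName": "Contributor", "scope": RG},
])

BASELINE_ROLE = "AcrPull"  # assumption: pull-only is the expected default


def audit(assignments_json, registry_id, approved_push=frozenset()):
    """Return (principal, role, reasons) for each assignment needing review.

    approved_push is a hypothetical allow-list of principals expected to hold
    AcrPush (for example a build pipeline).
    """
    registry = registry_id.lower().rstrip("/")
    findings = []
    for item in json.loads(assignments_json):
        role = item.get("roleDefinitionName", "")
        name = item.get("principalName") or item.get("principalId", "<unknown>")
        scope = item.get("scope", "").lower().rstrip("/")  # resource IDs are case-insensitive
        reasons = []
        if role != BASELINE_ROLE and not (role == "AcrPush" and name in approved_push):
            reasons.append("role other than " + BASELINE_ROLE)
        if scope != registry:
            # Assigned at a resource group, subscription or higher and inherited
            # by the registry, so it also applies to sibling resources.
            reasons.append("inherited from " + (item.get("scope") or "unknown scope"))
        if reasons:
            findings.append((name, role, reasons))
    return findings


if __name__ == "__main__":
    for name, role, reasons in audit(SAMPLE, REGISTRY_ID, {"ci-pipeline"}):
        print(f"REVIEW {name} ({role}): " + "; ".join(reasons))
```

Without --include-inherited, assignments made at the resource group or subscription level do not appear in the listing, so the inherited-scope check only fires when that flag is used.
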

Why ACR Identity Integration Matters

Managing registry access through Azure AD and RBAC keeps ACR permissions consistent with how the rest of an Azure subscription's resources are governed, simplifying both initial access configuration and ongoing access auditing.