✦ For everyone, free.

Practical knowledge for real and everyday life

Home

10.3.3.2 ACR Repository Authentication

A focused guide to ACR Repository Authentication, connecting core concepts with practical Docker and container operations.

ACR repository authentication covers the specific methods available for authenticating to an Azure Container Registry instance — Azure AD-based login, an admin account, or a dedicated service principal — each suited to different scenarios from interactive use to automated pipelines.

Authenticating Interactively With Azure AD

For interactive, individual use, authenticating through the currently logged-in Azure CLI session is the most straightforward approach.

az login
az acr login --name myacrregistry
Using the Registry's Admin Account

ACR provides an optional admin account with a username and password, a simpler but less granular authentication method generally discouraged in favor of Azure AD-based access for anything beyond quick testing.

az acr credential show --name myacrregistry
docker login myacrregistry.azurecr.io -u <admin-username> -p <admin-password>

This admin account grants full access to the registry, lacking the fine-grained, identity-specific permission scoping Azure AD-based RBAC provides.

Using a Service Principal for Automated Access

For automated systems like CI/CD pipelines, a dedicated service principal, granted specifically scoped permissions, provides a more appropriate, auditable authentication method than the broad admin account.

az ad sp create-for-rbac --scopes <registry-resource-id> --role AcrPush

docker login myacrregistry.azurecr.io -u <service-principal-id> -p <service-principal-password>
Why Scoped Service Principals Are Preferred for Automation

A service principal scoped specifically to push access for one registry limits the potential impact if that credential were ever compromised, in contrast to the broader, unscoped access the admin account provides.

az role assignment create --assignee <service-principal-id> --scope <registry-resource-id> --role AcrPush
Why ACR Repository Authentication Matters

Choosing the appropriate authentication method for a given context — interactive Azure AD login for individual use, scoped service principals for automation, with the admin account reserved for limited, simple scenarios — is an important practical consideration for securely operating an ACR instance.

Related content