
Comments (6)

cegraybl avatar cegraybl commented on August 17, 2024 1

@phj-incom how is the structure of your repositories? If it's hierarchical, the Tokens feature that Sajay mentions could help.

You can define Token1 to only have access to team-a/* and Token2 to only have access to team-b/*

We are in the process of merging the documentation, but the feature is live now. Please let us know what you think.

from acr.

northtyphoon avatar northtyphoon commented on August 17, 2024

The image push process (e.g., docker push myregistry.azurecr.io/myimage:mytag) needs to read content from the registry, so even if your intention is write-only, it still needs permission for the read operation.

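A small provisioning script for the per-namespace tokens @cegraybl describes, written to respect @northtyphoon's point that a push token must also be allowed to read. This is an added example, not code from the thread or from the ACR project; it assumes the az CLI scope-map/token commands, the `team-a/*` wildcard repository form, and `myregistry` as a placeholder registry name.

```shell
#!/usr/bin/env sh
# Added example, not from the thread. Creates one scope map plus one token per
# team namespace on a single ACR, so team-a's CI can push only to team-a/* and
# team-a's cluster can pull only from team-a/*.
# Assumptions: az CLI installed and logged in; REGISTRY is a placeholder; the
# "<namespace>/*" wildcard repository form is accepted by scope maps.
# AZ can be overridden (e.g. AZ=echo) to review the commands without running them.
set -eu
AZ="${AZ:-az}"
REGISTRY="${REGISTRY:-myregistry}"

# Actions for a CI push token. docker push reads existing manifests/layers before
# writing, so content/write alone is not enough: content/read is required too.
push_actions() { printf '%s ' content/read content/write; }

# Actions for a deploy (pull-only) token: no write, no delete.
pull_actions() { printf '%s ' content/read; }

# create_team_token <team-namespace> <push|pull>
create_team_token() {
  team="$1"; kind="$2"
  case "$kind" in
    push) actions=$(push_actions) ;;
    pull) actions=$(pull_actions) ;;
    *) echo "unknown token kind: $kind (use push or pull)" >&2; return 1 ;;
  esac
  # Scope map limited to the team's namespace; $actions is word-split on purpose.
  $AZ acr scope-map create --registry "$REGISTRY" --name "${team}-${kind}" \
    --repository "${team}/*" $actions --output none
  # Token bound to that scope map. --no-passwords defers credential issuance to
  # 'az acr token credential generate', so secrets are minted only when needed.
  $AZ acr token create --registry "$REGISTRY" --name "${team}-${kind}-token" \
    --scope-map "${team}-${kind}" --no-passwords --output none
}
```

Source the file and call `create_team_token team-a push` (and `... pull`) once per team; each token then only reaches repositories under its own namespace.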

phj-incom avatar phj-incom commented on August 17, 2024

The image push process (e.g., docker push myregistry.azurecr.io/myimage:mytag) needs to read content from the registry, so even if your intention is write-only, it still needs permission for the read operation.

I see, that's what I feared. I have 14 teams that should not be allowed to pull or push each other's images. Is my only solution really 14 registries in Azure, or to use another container registry that supports some kind of namespace separation?

My idea for a solution with a push-only token included the immutable feature as well as image signing and verification, so team A in Kubernetes namespace A can only deploy images signed with a private key scoped to their GitHub repos. I would really like to not have the management overhead and price of 14 registries.


sajayantony avatar sajayantony commented on August 17, 2024

@phj-incom are you looking to just lock down repositories to teams, since I understand a registry per team doesn't sound feasible? If it is about providing permissions to just specific repositories, then currently the only option is https://aka.ms/acr/tokens. But this isn't on AAD, and the AAD solution is in the works.
Including @johnsonshi for AAD based repository permissions.


phj-incom avatar phj-incom commented on August 17, 2024

@phj-incom are you looking to just lock down repositories to teams, since I understand a registry per team doesn't sound feasible? If it is about providing permissions to just specific repositories, then currently the only option is https://aka.ms/acr/tokens. But this isn't on AAD, and the AAD solution is in the works. Including @johnsonshi for AAD based repository permissions.

My problem is that I have 600 repositories in total and some teams have up to a hundred repositories. I need a way to create tokens based on the namespace in the registry.

Also, will it be possible to use the content trust feature with images signed by Cosign instead of Notary?


johnsonshi avatar johnsonshi commented on August 17, 2024

@phj-incom, ACR has 2 upcoming features that will enable your scenario.

With Tokens and Scope Maps (documented by @cegraybl above), you can do so, but its auth mechanism isn't AAD-based. That may fit your scenario if it's more IoT-oriented or your consumer will not have an SP or managed identity.

If you need AAD-based auth:

With the AAD ABAC feature that ACR is working on, you can grant AAD role assignments and attach conditions so that the role assignment only kicks in if certain conditions match. For instance, you could grant one of write, read, or delete permissions (or all three) to a specific AAD identity (SP/MI/user/group), but only apply the role assignment for repos where the repo name matches team-a/*. For an idea of how ABAC would pan out, check out the Storage Account ABAC experience.

https://learn.microsoft.com/en-us/azure/role-based-access-control/conditions-overview

