How to create a read only access key for Container Registry Azure
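I am using the Basic account type on Azure.
I have: a private registry with only one access key (the admin one).
I want: to be able to create more access keys with read-only (acrpull) access.
Question: Am I reading this correctly: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-skus#sku-feature-matrix that this is not allowed (only on Premium accounts)?
Is there any way to create another token with acrpull access on a Basic account?
Regards,
Of course you can. It uses a service principal for authentication. You need to create a service principal for the ACR with the acrpull role assigned.
Here is an example script using CLI commands: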
#!/bin/bash
# Modify for your environment.
# ACR_NAME: The name of your Azure Container Registry
# SERVICE_PRINCIPAL_NAME: Must be unique within your AD tenant
# The placeholder is quoted so the shell does not parse < > as redirections.
ACR_NAME="<container-registry-name>"
SERVICE_PRINCIPAL_NAME="acr-service-principal"
# Obtain the full registry ID for subsequent command args
ACR_REGISTRY_ID=$(az acr show --name "$ACR_NAME" --query id --output tsv)
# Create the service principal with rights scoped to the registry.
# Default permissions are for docker pull access. Modify the '--role'
# argument value as desired:
# acrpull: pull only
# acrpush: push and pull
# owner: push, pull, and assign roles
SP_PASSWD=$(az ad sp create-for-rbac --name "http://$SERVICE_PRINCIPAL_NAME" --scopes "$ACR_REGISTRY_ID" --role acrpull --query password --output tsv)
SP_APP_ID=$(az ad sp show --id "http://$SERVICE_PRINCIPAL_NAME" --query appId --output tsv)
# Output the service principal's credentials; use these in your services and
# applications to authenticate to the container registry.
echo "Service principal ID: $SP_APP_ID"
echo "Service principal password: $SP_PASSWD"
You can find more details in Azure Container Registry authentication with service principals, and you can also choose an appropriate role as needed by looking at Azure Container Registry roles and permissions.
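A check to run after the script above, as an added example that is not part of the original answer: it confirms the service principal holds only the pull role, scoped to the one registry. The helper name `audit_pull_only` and the sample registry ID are assumptions made for illustration; the input format is the TSV produced by the `az role assignment list` query shown in the comment.

```bash
#!/bin/bash
# Added example (not from the original answer): audit that a service principal
# is pull-only on exactly one registry.
#
# stdin: "roleDefinitionName<TAB>scope" lines, e.g. from
#   az role assignment list --assignee "$SP_APP_ID" --all \
#     --query "[].[roleDefinitionName,scope]" --output tsv
# $1:    the registry resource ID (ACR_REGISTRY_ID in the script above)
# Exit status 0 only if at least one assignment exists and every assignment
# is AcrPull scoped to the registry itself (hypothetical helper name).
audit_pull_only() {
  awk -F '\t' -v rid="$1" '
    NF == 0 { next }                      # skip blank lines
    {
      n++
      # Azure role names and resource IDs compare case-insensitively.
      if (tolower($1) != "acrpull") {
        printf "FAIL: role %s on %s\n", $1, $2; bad++
      } else if (tolower($2) != tolower(rid)) {
        printf "FAIL: AcrPull at unexpected scope %s\n", $2; bad++
      }
    }
    END {
      if (n == 0) { print "FAIL: no role assignments found"; exit 1 }
      if (bad > 0) exit 1
      print "OK: pull-only on " rid
    }'
}

# Constructed sample data (placeholder subscription and names).
SAMPLE_REGISTRY_ID="/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.ContainerRegistry/registries/demoacr"

# Expected configuration: one AcrPull assignment on the registry.
printf 'AcrPull\t%s\n' "$SAMPLE_REGISTRY_ID" | audit_pull_only "$SAMPLE_REGISTRY_ID"

# Drift: the same principal was later also granted AcrPush.
printf 'AcrPull\t%s\nAcrPush\t%s\n' "$SAMPLE_REGISTRY_ID" "$SAMPLE_REGISTRY_ID" \
  | audit_pull_only "$SAMPLE_REGISTRY_ID" || echo "principal is not read-only"
```

The scope comparison matters because a role assigned at the resource group or subscription level is inherited by every registry beneath it, so AcrPull at a broader scope is reported as a failure.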