Skip to content

updating the RBAC +ABAC scenario of ACR #510

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

updating the RBAC +ABAC scenario of ACR #510

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
18d03ea
updating the RBAC +ABAC scenario of ACR
sanjayananthamurthy Aug 1, 2025
40380d4
Fix issues
v-regandowner Aug 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions articles/machine-learning/concept-endpoints-online-auth.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -115,6 +115,18 @@ An online deployment runs your user container with the endpoint identity, that i
- For a SAI, the identity is created automatically when you create the endpoint, and roles with fundamental permissions, such as the Container Registry pull permission **AcrPull** and the **Storage Blob Data Reader**, are automatically assigned.
- For a UAI, you need to create the identity first, and then associate it with the endpoint when you create the endpoint. You're also responsible for assigning proper roles to the UAI as needed.

> [!IMPORTANT]
> If you configure your Container registry to use **[RBAC Registry + ABAC Repository Permissions](/azure/container-registry/container-registry-rbac-abac-repository-permissions?tabs=azure-portal)**
>
> ![Screenshot showing an ABAC permission on container.](/azure/container-registry/media/container-registry-rbac-abac-repository-permissions/rbac-abac-repository-permissions-02-update-registry.png)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This image doesn't exist. Please replace it with a valid one.

>
>In this case some existing role assignments aren't honored or will have different effects, because a different set of ACR built-in roles apply to ABAC-enabled registries.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
>In this case some existing role assignments aren't honored or will have different effects, because a different set of ACR built-in roles apply to ABAC-enabled registries.
>In this case, some existing role assignments aren't honored or will have different effects, because a different set of ACR built-in roles apply to ABAC-enabled registries.

>
> For example, the **AcrPull**, **AcrPush**, and **AcrDelete** roles aren't honored in an ABAC-enabled registry.
> Instead, in ABAC-enabled registries, use the `Container Registry Repository Reader`, `Container Registry Repository Writer`, and `Container Registry Repository Contributor` roles to grant either registry-wide or repository-specific image permissions.
>
> Ensure that the SAI or the UAI of your endpoint has the **Container Registry Repository Contributor** role assigned on the Container registry.

### Automatic role assignment for endpoint identity

If the endpoint identity is a SAI, the following roles are assigned to the endpoint identity for convenience.
Expand Down