articles/iot-edge/production-checklist.md
Lines changed: 17 additions & 3 deletions
@@ -4,7 +4,7 @@ description: Learn how to take your Azure IoT Edge solution from development to
4
4
author: kgremban
5
5
manager: philmea
6
6
ms.author: kgremban
7
-
ms.date: 08/09/2019
7
+
ms.date: 4/02/2020
8
8
ms.topic: conceptual
9
9
ms.service: iot-edge
10
10
services: iot-edge
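Review bot: The new `ms.date` value `4/02/2020` drops the zero-padding that the replaced line (`08/09/2019`) and the rest of the front matter use; write it as `04/02/2020` so the date format stays consistent across the docs set and is unambiguous to the tooling that parses it.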
@@ -129,11 +129,25 @@ When moving from test scenarios to production scenarios, remember to remove debu
129
129
* Manage access to your container registry
130
130
* Use tags to manage versions
131
131
132
-
### Manage access to your container registry
132
+
### Manage access to your container registry with a service principal
133
133
134
134
Before you deploy modules to production IoT Edge devices, ensure that you control access to your container registry so that outsiders can't access or make changes to your container images. Use a private, not public, container registry to manage container images.
135
135
136
-
In the tutorials and other documentation, we instruct you to use the same container registry credentials on your IoT Edge device as you use on your development machine. These instructions are only intended to help you set up testing and development environments more easily, and should not be followed in a production scenario. Azure Container Registry recommends [authenticating with service principals](../container-registry/container-registry-auth-service-principal.md) when applications or services pull container images in an automated or otherwise unattended manner, as IoT Edge devices do. Create a service principal with read-only access to your container registry, and provide that username and password in the deployment manifest.
136
+
In the tutorials and other documentation, we instruct you to use the same container registry credentials on your IoT Edge device as you use on your development machine. These instructions are only intended to help you set up testing and development environments more easily, and should not be followed in a production scenario. Azure Container Registry recommends [authenticating with service principals](../container-registry/container-registry-auth-service-principal.md) when applications or services pull container images in an automated or otherwise unattended manner (headless), as IoT Edge devices do.
137
+
138
+
To create a service principal, run the two scripts as described in [create a service principal](../container-registry/container-registry-auth-aci.md#create-a-service-principal). These scripts do the following tasks:
139
+
140
+
* The first script creates the service principal. It outputs the Service principal ID and the Service principal password. Store these values securely in your records.
141
+
142
+
* The second script creates role assignments to grant to the service principal, which can be run subsequently if needed. We recommend applying the **acrPull** user role for the `role` parameter. For a list of roles, see [Azure Container Registry roles and permissions](../container-registry/container-registry-roles.md)
143
+
144
+
To authenticate using a service principal, provide the service principal ID and password that you obtained from the first script.
145
+
146
+
* For the username or client ID, specify the service principal ID.
147
+
148
+
* For the password or client secret, specify the service principal password.
149
+
150
+
For an example of launching a container instance with Azure CLI, see [Authenticate using the service principal](../container-registry/container-registry-auth-aci.md#authenticate-using-the-service-principal).
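Review bot: The removed sentence was the only place this section told the reader where the service-principal credentials actually go on the device ("provide that username and password in the deployment manifest"); the new text ends by pointing at an Azure Container Instances example instead, which is a different pull path from IoT Edge. Restore a sentence stating that the service principal ID and password are entered as the registry credentials in the IoT Edge deployment manifest, and keep the ACI link only as a secondary reference. Two smaller points in the same hunk: "We recommend applying the **acrPull** user role" should read "the **acrPull** role" (it is a registry role assignment, not a user role), and the sentence that ends with the roles link is missing its terminating period.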