articles/container-registry/container-registry-content-trust.md
8 additions & 3 deletions
@@ -7,7 +7,7 @@ manager: gwallace
7
7
8
8
ms.service: container-registry
9
9
ms.topic: article
10
-
ms.date: 05/06/2019
10
+
ms.date: 09/06/2019
11
11
ms.author: danlep
12
12
---
13
13
# Content trust in Azure Container Registry
@@ -38,7 +38,7 @@ Content trust is managed through the use of a set of cryptographic signing keys.
38
38
39
39
Your first step is to enable content trust at the registry level. Once you enable content trust, clients (users or services) can push signed images to your registry. Enabling content trust on your registry does not restrict registry usage only to consumers with content trust enabled. Consumers without content trust enabled can continue to use your registry as normal. Consumers who have enabled content trust in their clients, however, will be able to see *only* signed images in your registry.
40
40
41
-
To enable content trust for your registry, first navigate to the registry in the Azure portal. Under **Policies**, select **Content Trust** > **Enabled** > **Save**.
41
+
To enable content trust for your registry, first navigate to the registry in the Azure portal. Under **Policies**, select **Content Trust** > **Enabled** > **Save**. You can also use the [az acr config content-trust update][az-acr-config-content-trust-update] command in the Azure CLI.
42
42
43
43
![Enabling content trust for a registry in the Azure portal][content-trust-01-portal]
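Review bot: the new link reference `[az-acr-config-content-trust-update]` on the changed line 41 needs a matching definition in the reference-link list at the end of the file; the final hunk (`@@ -209,3 +213,4 @@`) adds exactly one line, which is presumably that definition, but it is collapsed here, so please confirm it is present and points at the `az acr config content-trust update` reference page. It would also help readers to show the invocation inline rather than only naming the command, for example `az acr config content-trust update --registry myregistry --status Enabled` (check the exact parameter names against the reference page), so that someone automating registry setup is not sent to another page for a one-liner.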
Only the users or systems you've granted permission can push trusted images to your registry. To grant trusted image push permission to a user (or a system using a service principal), grant their Azure Active Directory identities the `AcrImageSigner` role. This is in addition to the `AcrPush` (or equivalent) role required for pushing images to the registry. For details, see [Azure Container Registry roles and permissions](container-registry-roles.md).
73
73
74
+
> [!NOTE]
75
+
> You can't grant trusted image push permission to the [admin account](container-registry-authentication.md#admin-account) of an Azure container registry.
76
+
74
77
Details for granting the `AcrImageSigner` role in the Azure portal and the Azure CLI follow.
75
78
76
79
### Azure portal
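Review bot: the added note on line 75 states the restriction without the reason; since the preceding sentence says the `AcrImageSigner` role is granted to Azure Active Directory identities, adding that the registry admin account is a registry-local username/password rather than an Azure AD identity (and therefore cannot be assigned any role) would make the note self-explanatory and steer readers who rely on the admin account for CI toward a service principal, which is the identity type the `az role assignment create` section below expects.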
@@ -108,7 +111,8 @@ az role assignment create --scope $REGISTRY_ID --role AcrImageSigner --assignee
108
111
109
112
The `<service principal ID>` can be the service principal's **appId**, **objectId**, or one of its **servicePrincipalNames**. For more information about working with service principals and Azure Container Registry, see [Azure Container Registry authentication with service principals](container-registry-auth-service-principal.md).
110
113
111
-
After any role changes, run `az acr login` to refresh the local identity token for the Azure CLI so that the new roles can take effect.
114
+
> [!IMPORTANT]
115
+
> After any role changes, run `az acr login` to refresh the local identity token for the Azure CLI so that the new roles can take effect. For information about verifying roles for an identity, see [Manage access to Azure resources using RBAC and Azure CLI](../role-based-access-control/role-assignments-cli.md) and [Troubleshoot RBAC for Azure resources](../role-based-access-control/troubleshooting.md).
112
116
113
117
## Push a trusted image
114
118
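Review bot: the IMPORTANT callout on lines 114-115 pairs the `az acr login` refresh instruction with two generic RBAC links, but the hunk header context already defines `$REGISTRY_ID`, so a concrete check such as `az role assignment list --scope $REGISTRY_ID --assignee <service principal ID> --role AcrImageSigner` would let readers confirm the signer assignment before attempting a trusted push, instead of reading the general troubleshooting page. Consider also stating that without the refreshed token the push of a signed image fails with an authorization error rather than silently pushing an unsigned one, since that is the failure mode a reader following this page would hit.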
@@ -209,3 +213,4 @@ To disable content trust for your registry, navigate to the registry in the Azur