You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/container-registry/allow-access-trusted-services.md
+14-14Lines changed: 14 additions & 14 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -16,8 +16,8 @@ Use the Azure Cloud Shell or a local installation of the Azure CLI to run the co
16
16
17
17
## Limitations
18
18
19
-
* Certain registry access scenarios with trusted services require a [managed identity for Azure resources](../active-directory/managed-identities-azure-resources/overview.md). Except where noted that a user-assigned managed identity is supported, only a system-assigned identity may be used.
20
-
* Allowing trusted services doesn't apply to a container registry configured with a [service endpoint](container-registry-vnet.md). The feature only affects registries that are restricted with a [private endpoint](container-registry-private-link.md) or that have [public IP access rules](container-registry-access-selected-networks.md) applied.
19
+
* Certain registry access scenarios with trusted services require a [managed identity for Azure resources](../active-directory/managed-identities-azure-resources/overview.md). Except where noted that a user-assigned managed identity is supported, only a system-assigned identity may be used.
20
+
* Allowing trusted services doesn't apply to a container registry configured with a [service endpoint](container-registry-vnet.md). The feature only affects registries that are restricted with a [private endpoint](container-registry-private-link.md) or that have [public IP access rules](container-registry-access-selected-networks.md) applied.
21
21
22
22
## About trusted services
23
23
@@ -26,17 +26,17 @@ Azure Container Registry has a layered security model, supporting multiple netwo
26
26
*[Private endpoint with Azure Private Link](container-registry-private-link.md). When configured, a registry's private endpoint is accessible only to resources within the virtual network, using private IP addresses.
27
27
*[Registry firewall rules](container-registry-access-selected-networks.md), which allow access to the registry's public endpoint only from specific public IP addresses or address ranges. You can also configure the firewall to block all access to the public endpoint when using private endpoints.
28
28
29
-
When deployed in a virtual network or configured with firewall rules, a registry denies access to users or services from outside those sources.
29
+
When deployed in a virtual network or configured with firewall rules, a registry denies access to users or services from outside those sources.
30
30
31
-
Several multi-tenant Azure services operate from networks that can't be included in these registry network settings, preventing them from performing operations such as pull or push images to the registry. By designating certain service instances as "trusted", a registry owner can allow select Azure resources to securely bypass the registry's network settings to perform registry operations.
31
+
Several multi-tenant Azure services operate from networks that can't be included in these registry network settings, preventing them from performing operations such as pull or push images to the registry. By designating certain service instances as "trusted", a registry owner can allow select Azure resources to securely bypass the registry's network settings to perform registry operations.
32
32
33
33
### Trusted services
34
34
35
35
Instances of the following services can access a network-restricted container registry if the registry's **allow trusted services** setting is enabled (the default). More services will be added over time.
36
36
37
37
Where indicated, access by the trusted service requires additional configuration of a managed identity in a service instance, assignment of an [RBAC role](container-registry-roles.md), and authentication with the registry. For example steps, see [Trusted services workflow](#trusted-services-workflow), later in this article.
38
38
39
-
|Trusted service |Supported usage scenarios | Configure managed identity with RBAC role
39
+
|Trusted service |Supported usage scenarios | Configure managed identity with RBAC role|
40
40
|---------|---------|------|
41
41
| Azure Container Instances |[Deploy to Azure Container Instances from Azure Container Registry using a managed identity](../container-instances/using-azure-container-registry-mi.md)| Yes, either system-assigned or user-assigned identity |
42
42
| Microsoft Defender for Cloud | Vulnerability scanning by [Microsoft Defender for container registries](scan-images-defender.md)| No |
@@ -45,7 +45,7 @@ Where indicated, access by the trusted service requires additional configuration
45
45
|Azure Container Registry |[Import images](container-registry-import-images.md) to or from a network-restricted Azure container registry | No |
46
46
47
47
> [!NOTE]
48
-
> Curently, enabling the allow trusted services setting doesn't apply to App Service.
48
+
> Currently, enabling the allow trusted services setting doesn't apply to App Service.
By default, the allow trusted services setting is enabled in a new Azure container registry.
68
+
By default, the allow trusted services setting is enabled in a new Azure container registry.
69
69
70
70
To disable or re-enable the setting in the portal:
71
71
72
72
1. In the portal, navigate to your container registry.
73
-
1. Under **Settings**, select **Networking**.
73
+
1. Under **Settings**, select **Networking**.
74
74
1. In **Allow public network access**, select **Selected networks** or **Disabled**.
75
75
1. Do one of the following:
76
-
* To disable access by trusted services, under **Firewall exception**, uncheck **Allow trusted Microsoft services to access this container registry**.
76
+
* To disable access by trusted services, under **Firewall exception**, uncheck **Allow trusted Microsoft services to access this container registry**.
77
77
* To allow trusted services, under **Firewall exception**, check **Allow trusted Microsoft services to access this container registry**.
78
78
1. Select **Save**.
79
79
@@ -84,21 +84,21 @@ Here's a typical workflow to enable an instance of a trusted service to access a
84
84
1. Enable a managed identity in an instance of one of the [trusted services](#trusted-services) for Azure Container Registry.
85
85
1. Assign the identity an [Azure role](container-registry-roles.md) to your registry. For example, assign the ACRPull role to pull container images.
86
86
1. In the network-restricted registry, configure the setting to allow access by trusted services.
87
-
1. Use the identity's credentials to authenticate with the network-restricted registry.
87
+
1. Use the identity's credentials to authenticate with the network-restricted registry.
88
88
1. Pull images from the registry, or perform other operations allowed by the role.
89
89
90
90
### Example: ACR Tasks
91
91
92
92
The following example demonstrates using ACR Tasks as a trusted service. See [Cross-registry authentication in an ACR task using an Azure-managed identity](container-registry-tasks-cross-registry-authentication.md) for task details.
93
93
94
94
1. Create or update an Azure container registry.
95
-
[Create](container-registry-tasks-cross-registry-authentication.md#option-2-create-task-with-system-assigned-identity) an ACR task.
95
+
[Create](container-registry-tasks-cross-registry-authentication.md#option-2-create-task-with-system-assigned-identity) an ACR task.
96
96
* Enable a system-assigned managed identity when creating the task.
97
97
* Disable default auth mode (`--auth-mode None`) of the task.
98
98
1. Assign the task identity [an Azure role to access the registry](container-registry-tasks-authentication-managed-identity.md#3-grant-the-identity-permissions-to-access-other-azure-resources). For example, assign the AcrPush role, which has permissions to pull and push images.
99
-
2.[Add managed identity credentials for the registry](container-registry-tasks-authentication-managed-identity.md#4-optional-add-credentials-to-the-task) to the task.
100
-
3. To confirm that the task bypasses network restrictions, [disable public access](container-registry-access-selected-networks.md#disable-public-network-access) in the registry.
101
-
4. Run the task. If the registry and task are configured properly, the task runs successfully, because the registry allows access.
99
+
1.[Add managed identity credentials for the registry](container-registry-tasks-authentication-managed-identity.md#4-optional-add-credentials-to-the-task) to the task.
100
+
1. To confirm that the task bypasses network restrictions, [disable public access](container-registry-access-selected-networks.md#disable-public-network-access) in the registry.
101
+
1. Run the task. If the registry and task are configured properly, the task runs successfully, because the registry allows access.
0 commit comments