Configure Service Principal Authentication for Azure Container Registry

Azure Container Registry provides the functionality to store and share private container images. Within this hands-on lab, we’ll review the permissions for a service principal to access Azure Container Registry. This is helpful in scenarios where you have apps/scripts that need some form of automated access to push/pull images to/from your registry. We’ll push and pull some images from the registry and run a container image.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Confirm Service Principal Access to Push/Pull Container Images

Confirm the service principal has access via Azure RBAC to push/pull container images.
1. Collect the registry login server from the Azure portal. You’ll need it later when <REGISTRY_LOGIN_SERVER> is specified.

Push/Pull and Run Container Images Using the Service Principal

Log in to the VM.
Log in to the container registry using the service principal’s credentials and the following code: docker login -u <SP_APPLICATION_ID> -p <SP_SECRET> <REGISTRY_LOGIN_SERVER>
Pull the ASP.NET sample container image from Microsoft’s public repository using docker pull mcr.microsoft.com/dotnet/samples:aspnetapp .
Tag the image with your repository using docker tag mcr.microsoft.com/dotnet/samples:aspnetapp <REGISTRY_LOGIN_SERVER>/aspnetapp.
Push the image to your repository using docker push <REGISTRY_LOGIN_SERVER>/aspnetapp.
Retreive the local Microsoft image ID with docker image ls .
Remove the Microsoft image by running docker image rm <IMAGE_ID> -f.
Pull the image from your repository with docker pull <REGISTRY_LOGIN_SERVER>/aspnetapp.
Run the image with docker run -p 8080:80 -d <REGISTRY_LOGIN_SERVER>/aspnetapp:latest.
Access http://localhost:8080 to confirm the container is running.

Scenario

To help you walk through the lab, consider the following scenario:

You work for a cybersecurity company and one of the services you offer is vulnerability scanning for container images. The scanning technology is proprietary and you need to provide an authentication mechanism to authenticate against your Azure container registry that is supported outside of your Azure tenant.

You evaluate the options and determine that you can use an Azure AD service principal for this purpose.

An Azure container registry has been deployed along with a VM that will be used to simulate a VM outside of Azure. With the existing resources, you will complete the following:

Confirm the service principal has access via Azure RBAC to push/pull container images.

Push/Pull and run container images using the service principal credentials.

Lab Setup

Log in to the Azure portal by right-clicking Open Azure Portal and selecting the option to open it in a new private browser window (This option will read differently depending on your browser — for example, in Chrome, it reads Open Link in Incognito Window.). Then, sign in using the credentials provided on the lab page.

The objectives for this hands-on lab can be completed using the Azure portal and the provided VM.

Credentials

You will have access to 3 sets of credentials for this lab:

Portal credentials

VM credentials

Service principal credentials

Important: You may need to navigate to the second page of credentials to see all 3.

Remote Desktop Clients

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.