ACR Transfer with Az CLI
This article shows how to use the ACR Transfer feature with the acrtransfer Az CLI extension.
Complete prerequisites
Please complete the prerequisites outlined here prior to attempting the actions in this article. This means that:
- You have an existing Premium SKU Registry in both clouds.
- You have an existing Storage Account Container in both clouds.
- You have an existing Keyvault with a secret containing a valid SAS token with the necessary permissions in both clouds.
- You have a recent version of Az CLI installed in both clouds.
Install the Az CLI extension
In AzureCloud, you can install the extension with the following command:
az extension add --name acrtransfer
In AzureCloud and other clouds, you can install the blob directly from a public storage account container. The blob is hosted in the acrtransferext storage account, dist container, acrtransfer-1.0.0-py2.py3-none-any.wh blob. You may need to change the storage URI suffix depending on which cloud you are in. The following will install in AzureCloud:
az extension add --source https://acrtransferext.blob.core.windows.net/dist/acrtransfer-1.0.0-py2.py3-none-any.whl
Create ExportPipeline with the acrtransfer Az CLI extension
Create an ExportPipeline resource for your AzureCloud container registry using the acrtransfer Az CLI extension.
Create an export pipeline with no options and a system-assigned identity:
az acr export-pipeline create \
--resource-group $MyRG \
--registry $MyReg \
--name $MyPipeline \
--secret-uri https://$MyKV.vault.azure.net/secrets/$MySecret \
--storage-container-uri https://$MyStorage.blob.core.windows.net/$MyContainer
Create an export pipeline with all possible options and a user-assigned identity:
az acr export-pipeline create \
--resource-group $MyRG \
--registry $MyReg \
--name $MyPipeline \
--secret-uri https://$MyKV.vault.azure.net/secrets/$MySecret \
--storage-container-uri https://$MyStorage.blob.core.windows.net/$MyContainer \
--options OverwriteBlobs ContinueOnErrors \
--assign-identity /subscriptions/$MySubID/resourceGroups/$MyRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$MyIdentity
Export options
The options property for the export pipelines supports optional boolean values. The following values are recommended:
| Parameter | Value |
|---|---|
| options | OverwriteBlobs - Overwrite existing target blobs ContinueOnErrors - Continue export of remaining artifacts in the source registry if one artifact export fails. |
Give the ExportPipeline identity keyvault policy access
If you created your pipeline with a user-assigned identity, simply give this user-assigned identity secret get access policy permissions on the keyvault.
If you created your pipeline with a system-assigned identity, you will first need to retrieve the principalId that the system has assigned to your pipeline resource.
Run the following command to retrieve your pipeline resource:
az acr export-pipeline show --resource-group $MyRG --registry $MyReg --name $MyPipeline
From this output, you will want to copy the value in the principalId field.
Then, you will run the following command to give this principal the appropriate secret get access policy permissions on your keyvault.
az keyvault set-policy --name $MyKeyvault --secret-permissions get --object-id $MyPrincipalID
Create ImportPipeline with the acrtransfer Az CLI extension
Create an ImportPipeline resource in your target container registry using the acrtransfer Az CLI extension. By default, the pipeline is enabled to create an Import PipelineRun automatically when the attached storage account container receives a new artifact blob.
Create an import pipeline with no options and a system-assigned identity:
az acr import-pipeline create \
--resource-group $MyRG \
--registry $MyReg \
--name $MyPipeline \
--secret-uri https://$MyKV.vault.azure.net/secrets/$MySecret \
--storage-container-uri https://$MyStorage.blob.core.windows.net/$MyContainer
Create an import pipeline with all possible options, source-trigger disabled, and a user-assigned identity:
az acr import-pipeline create \
--resource-group $MyRG \
--registry $MyReg \
--name $MyPipeline \
--secret-uri https://$MyKV.vault.azure.net/secrets/$MySecret \
--storage-container-uri https://$MyStorage.blob.core.windows.net/$MyContainer \
--options DeleteSourceBlobOnSuccess OverwriteTags ContinueOnErrors \
--assign-identity /subscriptions/$MySubID/resourceGroups/$MyRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$MyIdentity \
--source-trigger-enabled False
Import options
The options property for the import pipeline supports optional boolean values. The following values are recommended:
| Parameter | Value |
|---|---|
| options | OverwriteTags - Overwrite existing target tags DeleteSourceBlobOnSuccess - Delete the source storage blob after successful import to the target registry ContinueOnErrors - Continue import of remaining artifacts in the target registry if one artifact import fails. |
Give the ImportPipeline identity keyvault policy access
If you created your pipeline with a user-assigned identity, simply give this user-assigned identity secret get access policy permissions on the keyvault.
If you created your pipeline with a system-assigned identity, you will first need to retrieve the principalId that the system has assigned to your pipeline resource.
Run the following command to retrieve your pipeline resource:
az acr import-pipeline show --resource-group $MyRG --registry $MyReg --name $MyPipeline
From this output, you will want to copy the value in the principalId field.
Then, you will run the following command to give this principal the appropriate secret get access policy on your keyvault.
az keyvault set-policy --name $MyKeyvault --secret-permissions get --object-id $MyPrincipalID
Create PipelineRun for export with the acrtransfer Az CLI extension
Create a PipelineRun resource for your container registry using the acrtransfer Az CLI extension. This resource runs the ExportPipeline resource you created previously and exports specified artifacts from your container registry as a blob to your storage account container.
Create an export pipeline-run:
az acr pipeline-run create \
--resource-group $MyRG \
--registry $MyReg \
--pipeline $MyPipeline \
--name $MyPipelineRun \
--pipeline-type export \
--storage-blob $MyBlob \
--artifacts hello-world:latest hello-world@sha256:90659bf80b44ce6be8234e6ff90a1ac34acbeb826903b02cfa0da11c82cbc042 \
--force-redeploy
If redeploying a PipelineRun resource with identical properties, you must use the --force-redeploy flag.
It can take several minutes for artifacts to export. When deployment completes successfully, verify artifact export by listing the exported blob in the container of the source storage account. For example, run the az storage blob list command:
az storage blob list --account-name $MyStorageAccount --container $MyContainer --output table
Transfer blob across domain
In most use-cases, you will now use a Cross Domain Solution or other method to transfer your blob from the storage account in your source domain (the storage account associated with your export pipeline) to the storage account in your target domain (the storage account associated with your import pipeline). At this point, we will assume that the blob has arrived in the target domain storage account associated with your import pipeline.
Trigger ImportPipeline resource
If you did not use the --source-trigger-enabled False parameter when creating your import pipeline, the pipeline will be triggered within 15 minutes after the blob arrives in the storage account container. It can take several minutes for artifacts to import. When the import completes successfully, verify artifact import by listing the tags on the repository you are importing in the target container registry. For example, run az acr repository show-tags:
az acr repository show-tags --name $MyRegistry --repository $MyRepository
Note
Source Trigger will only import blobs that have a Last Modified time within the last 60 days. If you intend to use Source Trigger to import blobs older than that, please refresh the Last Modified time of the blobs by add blob metadata to them or else import them with manually created pipeline runs.
If you did use the --source-trigger-enabled False parameter when creating your ImportPipeline, you will need to create a PipelineRun manually, as shown in the following section.
Create PipelineRun for import with the acrtransfer Az CLI extension
Create a PipelineRun resource for your container registry using the acrtransfer Az CLI extension. This resource runs the ImportPipeline resource you created previously and imports specified blobs from your storage account into your container registry.
Create an import pipeline-run:
az acr pipeline-run create \
--resource-group $MyRG \
--registry $MyReg \
--pipeline $MyPipeline \
--name $MyPipelineRun \
--pipeline-type import \
--storage-blob $MyBlob \
--force-redeploy
If redeploying a PipelineRun resource with identical properties, you must use the --force-redeploy flag.
It can take several minutes for artifacts to import. When the import completes successfully, verify artifact import by listing the repositories in the target container registry. For example, run az acr repository show-tags:
az acr repository show-tags --name $MyRegistry --repository $MyRepository
Delete ACR Transfer resources
Delete an ExportPipeline:
az acr export-pipeline delete --resource-group $MyRG --registry $MyReg --name $MyPipeline
Delete an ImportPipeline:
az acr import-pipeline delete --resource-group $MyRG --registry $MyReg --name $MyPipeline
Delete a PipelineRun resource. Note that this does not reverse the action taken by the PipelineRun. This is more like deleting the log of the PipelineRun.
az acr pipeline-run delete --resource-group $MyRG --registry $MyReg --name $MyPipelineRun
ACR Transfer troubleshooting
View ACR Transfer Troubleshooting for troubleshooting guidance.
Next steps
- Learn how to block creation of export pipelines from a network-restricted container registry.