
Permission

Niren Adhikary (NAD) 146 Reputation points
2022-10-22T21:01:44.077+00:00

Hi,

We want to set up a shared container registry which is expected to be used by multiple teams. How can we limit access to a specific/individual repository? My understanding is that we can create scope maps and then create or assign tokens to allow different teams to use the same container registry while having access limited to one repository only within the same Azure container registry.

But as per the documentation we have some limitations that say we cannot do that for a service principal. Is that correct?

https://learn.microsoft.com/en-us/azure/container-registry/container-registry-repository-scoped-permissions#preview-limitations

Is there a way to limit access at the repo level within the Azure container registry?

Are there any other limitations ?

You can't currently assign repository-scoped permissions to an Azure Active Directory identity, such as a service principal or managed identity.

You can't create a scope map in a registry enabled for anonymous pull access.


1 answer

  1. vipullag-MSFT 26,537 Reputation points Moderator
    2022-10-25T17:56:59.55+00:00

    @Niren Adhikary (NAD)

    Welcome to Microsoft Q&A Platform, thanks for posting your query here.

    I checked with the internal team on this, and this is accurate. Tokens were introduced specifically for the purpose of repo-scoped access control, which other auth options don't share at the moment. That is the only current solution that is supported for the purpose of offering repository-scoped restricted access.

    In your scenario the main limitation seems to be the usage of AAD identities with scope maps; currently it is limited to just token (user and pass) authentication.
    However, the other limitation mentioned in the document about anonymous pull is not a limitation, and the team will update the documentation accordingly.

    Hope this helps.
    If you need further help on this, tag me in a comment.
    If the suggested response helped you resolve your issue, please 'Accept as answer', so that it can help others in the community looking for help on similar topics.

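The setup the answer recommends, scripted with the Azure CLI as an added example (not code from the thread or from Microsoft's documentation); ACR_NAME, the team names and the repository names are placeholders:

```shell
#!/bin/sh
# Added example, not from the Q&A thread or Microsoft: scripts the approach the
# answer describes, a scope map that names only one repository and a token bound
# to that scope map, one per team, on a registry shared by several teams.
# Assumptions: ACR_NAME, team names and repo names are placeholders; running for
# real needs `az login` with rights to manage the registry. DRY_RUN=1 (default)
# prints the az commands instead of executing them.
set -eu

ACR_NAME="${ACR_NAME:-contosoregistry}"   # placeholder registry name
DRY_RUN="${DRY_RUN:-1}"

# Execute the command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Create a scope map that grants the listed actions on exactly one repository,
# then a token bound to it. Actions use ACR's own names: content/read (pull),
# content/write (push), content/delete, metadata/read, metadata/write.
# Anything not listed, including every other repository, stays denied.
create_team_token() {   # usage: create_team_token <team> <repo> <action>...
  local team="$1" repo="$2"
  shift 2
  run az acr scope-map create --name "${team}-scope" --registry "$ACR_NAME" \
      --repository "$repo" "$@" \
      --description "Team ${team}: ${repo} only"
  run az acr token create --name "${team}-token" --registry "$ACR_NAME" \
      --scope-map "${team}-scope"
}

# Issue a password for the token with a fixed lifetime, so a leaked credential
# expires on its own; re-run to rotate. The output is the secret the team uses
# with `docker login`, so hand it over through a secret store, not chat.
generate_token_password() {   # usage: generate_token_password <team> <days>
  run az acr token credential generate --name "${1}-token" --registry "$ACR_NAME" \
      --expiration-in-days "$2" --password1
}

# Two teams, each confined to its own repository. Team A may push and pull;
# team B's CI consumer gets read access alone.
create_team_token team-a team-a/app content/read content/write
create_team_token team-b-ci team-b/api content/read
generate_token_password team-a 30
```

Each team then authenticates with `docker login contosoregistry.azurecr.io -u team-a-token` and the generated password, and can reach only the repository named in its scope map.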
