IOT device authentication with ACR

Andy Doan 1

I'm looking to have a fleet of IoT devices that need pull access to a private Azure Container Registry. I'm trying to determine the recommended approach to having them do a docker login or docker-credential helper. I've created an IoT hub and have a device connecting using an x509 cert. I'm hoping there's some way I can leverage that identity to somehow authenticate with ACR. This shared access policy and token service looks like it might help:

https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-dev-guide-sas?tabs=node#authenticating-a-device-to-iot-hub

but I can't quite connect the dots.

I'm new to Azure so I'm struggling to articulate this well. Basically, I'm trying understand if there is an Azure equivalent to something like:

https://aws.amazon.com/blogs/security/how-to-eliminate-the-need-for-hardcoded-aws-credentials-in-devices-by-using-the-aws-iot-credentials-provider/

thanks

1 answer

Sander van de Velde 28,386 Reputation points MVP

2022-02-14T23:24:31.51+00:00

Hello @Andy Doan ,

Azure IoT (Edge) devices can create a secure connection using e.g. a connection string or an x509 certificate.

The docker credentials to non-public container repositories, used by edge devices are not managed by these device credentials.

Azure IoT edge devices, once the runtime starts and a secure connection is set up, will ask for a deployment manifest using an outbound connection.

This document (it's just a JSON structure) describes which Docker containers must be deployed on the device, which docker container create options must be used, any 'desired properties' assigned to each module.

The deployment manifest can also contain the credentials needed for one or more private registries:

The credentials are stored plain text in the deployment manifest but this manifest is not accessible once entered in the Azure IoT Device registration. Normally, this is automated with scripts so the chance of leaking credentials is minimal.

I can recommend this free learning path all about Azure IoT Edge.
Please sign in to rate this answer.
Andy Doan 1 Reputation point

2022-02-15T18:07:13.927+00:00

thanks, i'm really hoping for a solution that doesn't require me to send user/password creds to every device. However, it's looking like that might not be possible.

Sander van de Velde 28,386 Reputation points MVP

2022-02-15T18:27:04.757+00:00

Hello @Andy Doan ,

you can always make your Azure Container registry expose public containers. Though, everyone knowing the address of the container can consume it.

On the other hand, the impact of adding the ACR credentials in the Deployment manifest is minimal. You must construct this manifest to meet your needs either way.

If you work with a deployment pipeline, you can insert the credentials somewhere along the way, so these secrets are not checked in in a version control solution.

If the response helped, do "Accept Answer". By doing so, it will benefit all community members who are having this similar issue.

Andy Doan 1 Reputation point

2022-02-15T22:22:19.793+00:00

I get your idea, but this approach doesn't satisfy security needs for many embedded products. They need an HSM to be the authentication mechanism and not have static credentials getting handed down to the device.

After some reading, I think the best solution is probably something like doing an API gateway backed by mTLS and then creating some serverless function that hands out temp tokens.

Sander van de Velde 28,386 Reputation points MVP

2022-02-15T23:32:01.34+00:00

Hello @Andy Doan ,

I understand.

By default, docker credentials are sent over to edge devices using the deployment manifest. The is done over a secure channel and is automatically handled by the runtime without disclosing them on the edge device.

How you manage/cycle keys in the cloud is up to you.

You definitely will need to write your own logic if you want to automate syncing the keys so edge devices will be able to pull new (versions of) containers when new containers are served.

Vaishnav, Nagesh K 0 Reputation points

2024-01-23T14:53:06.2066667+00:00

Does ACR Token works as a Password for Edge Devices?

Vaishnav, Nagesh K 0 Reputation points

2024-01-23T14:59:14.9233333+00:00

I am getting the below error while using the Token: Microsoft.Azure.Devices.Edge.Agent.Edgelet.EdgeletCommunicationException- Message:Error calling prepare update for module hello-world: registry operation error: pull image "<registry>.azurecr.io/hello-world:latest", StatusCode:500, at: at Microsoft.Azure.Devices.Edge.Agent.Edgelet.Version_2022_08_03.ModuleManagementHttpClient.HandleException(Exception exception, String operation) in /mnt/vss/_work/1/s/edge-agent/src/Microsoft.Azure.Devices.Edge.Agent.Edgelet/version_2022_08_03/ModuleManagementHttpClient.cs:line 232 The same token is working in my local machine using Docker commands.

Sander van de Velde 28,386 Reputation points MVP

2024-01-24T21:09:50.1866667+00:00

Hello @Vaishnav, Nagesh K

Please do not add new, other questions to other questions.

To answer your question, Container registries can secure access to their containers by an access token.

Azure IoT Edge is able to cope with these name/password combination.

Be sure the credentials are added to the deployment manifest and the docker containers names are provided correctly.

Please try out your pull requests from the prompt by hand to check if you use the correct combination and have access to the container registry.

It's not recommended to use 'latest' as tag. Azure IoT Edge will not actively test if a newer container is added, it only pulls new containers if these have the tag changed.
Sign in to comment