Make your container registry content publicly available

Setting up an Azure container registry for anonymous (unauthenticated) pull access is an optional feature that allows any user with internet access the ability to pull any content from the registry.

Anonymous pull access is a preview feature, available in the Standard and Premium service tiers. To configure anonymous pull access, update a registry using the Azure CLI (version 2.21.0 or later). To install or upgrade, see Install Azure CLI.

About anonymous pull access

By default, access to pull or push content from an Azure container registry is only available to authenticated users. Enabling anonymous (unauthenticated) pull access makes all registry content publicly available for read (pull) actions. Anonymous pull access can be used in scenarios that do not require user authentication such as distributing public container images.

  • Enable anonymous pull access by updating the properties of an existing registry.
  • After enabling anonymous pull access, you may disable that access at any time.
  • Only data-plane operations are available to unauthenticated clients.
  • The registry may throttle a high rate of unauthenticated requests.
  • If you previously authenticated to the registry, make sure you clear the credentials before attempting an anonymous pull operation.

Warning

Anonymous pull access currently applies to all repositories in the registry. If you manage repository access using repository-scoped tokens, all users may pull from those repositories in a registry enabled for anonymous pull. We recommend deleting tokens when anonymous pull access is enabled.

Configure anonymous pull access

Users can enable, disable and query the status of anonymous pull access using the Azure CLI. The following examples demonstrate how to enable, disable, and query the status of anonymous pull access.

Enable anonymous pull access

Update a registry using the az acr update command and pass the --anonymous-pull-enabled parameter. By default, anonymous pull is disabled in the registry.

az acr update --name myregistry --anonymous-pull-enabled

Important

If you previously authenticated to the registry with Docker credentials, run docker logout to ensure that you clear the existing credentials before attempting anonymous pull operations. Otherwise, you might see an error message similar to "pull access denied". Remember to always specify the fully qualified registry name (all lowercase) when using docker login and tagging images for pushing to your registry. In the examples provided, the fully qualified name is myregistry.azurecr.io.

If you've previously authenticated to the registry with Docker credentials, run the following command to clear existing credentials or any previous authentication is cleared.

   docker logout myregistry.azurecr.io

This will help you to attempt an anonymous pull operation. If you encounter any issues, you might see an error message similar to "pull access denied."

Disable anonymous pull access

Disable anonymous pull access by setting --anonymous-pull-enabled to false.

az acr update --name myregistry --anonymous-pull-enabled false

Query the status of anonymous pull access

Users can query the status of "anonymous-pull" using the az acr show command with the --query parameter. Here's an example:

az acr show -n <registry_name> --query anonymousPullEnabled

The command will return a boolean value indicating whether "Anonymous Pull" is enabled (true) or disabled (false). This will streamline the process for users to verify the status of features within ACR.

Next steps