To access and manage a connected registry, currently only ACR token-based authentication is supported. Each connected registry uses two different types of tokens: client tokens and a sync token.
Important
Store token passwords for each connected registry in a safe location. After they are created, token passwords can't be retrieved. You can regenerate token passwords at any time.
To manage client access to a connected registry, you create tokens scoped for actions on one or more repositories. After creating a token, configure the connected registry to accept the token by using the az acr connected-registry update command. A client can then use the token credentials to access a connected registry endpoint - for example, to use Docker CLI commands to pull or push images to the connected registry.
Your options for configuring client token actions depend on whether the connected registry allows both push and pull operations or functions as a pull-only mirror.
Update client tokens, passwords, or scope maps as needed by using az acr token and az acr scope-map commands. Client token updates are propagated automatically to the connected registries that accept the token.
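The client-token steps above, sketched with the Azure CLI as an added example that is not part of the original article. The helper name `provision_client_token`, the `<token>-scope` naming, the 30-day expiry and all registry, token and repository names are assumptions; the `content/*` and `metadata/*` values are standard ACR scope-map actions that this page does not list.

```bash
# Added example: least-privilege client token for a connected registry.
# Set AZ=echo to preview the commands instead of running them.
AZ="${AZ:-az}"

# Usage: provision_client_token <cloud-registry> <connected-registry> <token> <repo> <pull|pushpull>
provision_client_token() {
  local registry="$1" connected="$2" token="$3" repo="$4" mode="$5" actions
  case "$mode" in
    # Pull-only mirror: clients never need write actions.
    pull)     actions="content/read metadata/read" ;;
    pushpull) actions="content/read content/write metadata/read metadata/write" ;;
    *) echo "mode must be 'pull' or 'pushpull'" >&2; return 2 ;;
  esac

  # 1. Scope map limited to one repository and only the actions required.
  #    $actions is left unquoted on purpose so each action is its own argument.
  "$AZ" acr scope-map create --registry "$registry" --name "${token}-scope" \
    --repository "$repo" $actions || return 1

  # 2. Token bound to that scope map. No password is issued yet, so no
  #    secret appears in this command's output.
  "$AZ" acr token create --registry "$registry" --name "$token" \
    --scope-map "${token}-scope" --no-passwords || return 1

  # 3. Tell the connected registry to accept the token.
  "$AZ" acr connected-registry update --registry "$registry" \
    --name "$connected" --add-client-tokens "$token" || return 1

  # 4. Issue a password with an expiry. It is shown only in this output and
  #    cannot be retrieved later, so capture it straight into a secret store.
  "$AZ" acr token credential generate --registry "$registry" --name "$token" \
    --password1 --expiration-in-days 30 || return 1
}
```

Calling it with `AZ=echo` prints the four commands for review before anything is changed in the registry.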
Each connected registry uses a sync token to authenticate with its immediate parent - which could be another connected registry or the cloud registry. The connected registry automatically uses this token when synchronizing content with the parent or performing other updates.
Update sync tokens, passwords, or scope maps as needed by using az acr token and az acr scope-map commands. Sync token updates are propagated automatically to the connected registry. Follow the standard practices of rotating passwords when updating the sync token.
Note
The sync token cannot be deleted until the connected registry associated with the token is deleted. You can disable a connected registry by setting the status of the sync token to disabled.
Token credentials for connected registries are scoped to access specific registry endpoints:
A client token accesses the connected registry's endpoint. The connected registry endpoint is the login server URI, which is typically the IP address of the server or device that hosts it.
A sync token accesses the endpoint of the parent registry, which is either another connected registry endpoint or the cloud registry itself. When scoped to access the cloud registry, the sync token needs to reach two registry endpoints:
  contoso.azurecr.io. This endpoint is used for authentication.
  contoso.westus2.data.azurecr.io. This endpoint is used to exchange messages with the connected registry for synchronization purposes.

Continue to the following article to learn about specific scenarios where connected registry can be utilized.