az acr token

Manage tokens for an Azure Container Registry.

Commands

Name	Description	Type	Status
az acr token create	Create a token associated with a scope map for an Azure Container Registry.	Core	GA
az acr token credential	Manage credentials of a token for an Azure Container Registry.	Core	GA
az acr token credential delete	Delete a token credential.	Core	GA
az acr token credential generate	Generate or replace one or both passwords of a token for an Azure Container Registry. For using token and password to access a container registry, see https://aka.ms/acr/repo-permissions.	Core	GA
az acr token delete	Delete a token for an Azure Container Registry.	Core	GA
az acr token list	List all tokens for an Azure Container Registry.	Core	GA
az acr token show	Show details and attributes of a token for an Azure Container Registry.	Core	GA
az acr token update	Update a token (replace associated scope map) for an Azure Container Registry.	Core	GA

az acr token create

Create a token associated with a scope map for an Azure Container Registry.

az acr token create --name
                    --registry
                    [--expiration]
                    [--expiration-in-days]
                    [--gateway]
                    [--no-passwords {false, true}]
                    [--repository]
                    [--resource-group]
                    [--scope-map]
                    [--status {disabled, enabled}]

Examples

Create a token with repository permissions defined in the scope map 'MyScopeMap'.

az acr token create -n MyToken -r myregistry --scope-map MyScopeMap

Create a token which has read permissions on hello-world repository.

az acr token create -n myToken -r myregistry --repository hello-world content/read metadata/read

Create a token without credentials and with all gateway permissions.

az acr token create -n myToken -r myregistry --repository hello-world content/read
  --gateway registry config/read config/write message/read message/write --no-passwords

Create a token in disabled status.

az acr token create -n MyToken -r myregistry --scope-map MyScopeMap --status disabled

Required Parameters

--name -n

The name of the token.

--registry -r

The name of the container registry. It should be specified in lower case. You can configure the default registry name using az configure --defaults acr=<registry name>.

Optional Parameters

--expiration

UTC time for which the credentials will be valid. In the format of %Y-%m-%dT%H:%M:%SZ, e.g. 2025-12-31T12:59:59Z.

--expiration-in-days

Number of days for which the credentials will be valid. If not specified, the expiration will default to the max value "9999-12-31T23:59:59.999999+00:00".

--gateway

Gateway permissions. Use the format "--gateway GATEWAY [ACTION1 ACTION2 ...]" per flag. Valid actions are ['config/read', 'config/write', 'message/read', 'message/write'].

--no-passwords

Do not generate passwords during token creation. You can generate the passwords after the token is created by using az acr token credentials generate command.

accepted values: false, true

--repository

Repository permissions. Use the format "--repository REPO [ACTION1 ACTION2 ...]" per flag. Valid actions are ['content/delete', 'content/read', 'content/write', 'metadata/read', 'metadata/write'].

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--scope-map

The name of the scope map with pre-configured repository permissions. Use "--repository" and/or "--gateway" if you would like CLI to configure one for you.

--status

The status of the token.

accepted values: disabled, enabled

default value: enabled

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

accepted values: json, jsonc, none, table, tsv, yaml, yamlc

default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az acr token delete

Delete a token for an Azure Container Registry.

az acr token delete --name
                    --registry
                    [--resource-group]
                    [--yes]

Examples

Delete the token 'MyToken'.

az acr token delete -n MyToken -r myregistry

Required Parameters

--name -n

The name of the token.

--registry -r

The name of the container registry. It should be specified in lower case. You can configure the default registry name using az configure --defaults acr=<registry name>.

Optional Parameters

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--yes -y

Do not prompt for confirmation.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

accepted values: json, jsonc, none, table, tsv, yaml, yamlc

default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az acr token list

List all tokens for an Azure Container Registry.

az acr token list --registry
                  [--resource-group]

Examples

List tokens under the registry 'myregistry'.

az acr token list -r myregistry

Required Parameters

--registry -r

The name of the container registry. It should be specified in lower case. You can configure the default registry name using az configure --defaults acr=<registry name>.

Optional Parameters

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

accepted values: json, jsonc, none, table, tsv, yaml, yamlc

default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az acr token show

Show details and attributes of a token for an Azure Container Registry.

az acr token show --name
                  --registry
                  [--resource-group]

Examples

Get information for the token 'MyToken'.

az acr token show -n MyToken -r myregistry

Required Parameters

--name -n

The name of the token.

--registry -r

The name of the container registry. It should be specified in lower case. You can configure the default registry name using az configure --defaults acr=<registry name>.

Optional Parameters

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

accepted values: json, jsonc, none, table, tsv, yaml, yamlc

default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az acr token update

Update a token (replace associated scope map) for an Azure Container Registry.

az acr token update --name
                    --registry
                    [--resource-group]
                    [--scope-map]
                    [--status {disabled, enabled}]

Examples

Update the token 'MyToken', making it associated with the scope map 'MyNewScopeMap'.

az acr token update -n MyToken -r myregistry --scope-map MyNewScopeMap

Required Parameters

--name -n

The name of the token.

--registry -r

The name of the container registry. It should be specified in lower case. You can configure the default registry name using az configure --defaults acr=<registry name>.

Optional Parameters

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--scope-map

The name of the scope map associated with the token. If not specified, running this command will disassociate the current scope map related to the token.

--status

The status of the token.

accepted values: disabled, enabled

default value: enabled

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

accepted values: json, jsonc, none, table, tsv, yaml, yamlc

default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.