az acr token
Manage tokens for an Azure Container Registry.
Commands
| az acr token create |
Create a token associated with a scope map for an Azure Container Registry. |
| az acr token credential |
Manage credentials of a token for an Azure Container Registry. |
| az acr token credential delete |
Delete a token credential. |
| az acr token credential generate |
Generate or replace one or both passwords of a token for an Azure Container Registry. For using token and password to access a container registry, see https://aka.ms/acr/repo-permissions. |
| az acr token delete |
Delete a token for an Azure Container Registry. |
| az acr token list |
List all tokens for an Azure Container Registry. |
| az acr token show |
Show details and attributes of a token for an Azure Container Registry. |
| az acr token update |
Update a token (replace associated scope map) for an Azure Container Registry. |
az acr token create
Create a token associated with a scope map for an Azure Container Registry.
az acr token create --name
--registry
[--expiration]
[--expiration-in-days]
[--gateway]
[--no-passwords {false, true}]
[--repository]
[--resource-group]
[--scope-map]
[--status {disabled, enabled}]Examples
Create a token with repository permissions defined in the scope map 'MyScopeMap'.
az acr token create -n MyToken -r MyRegistry --scope-map MyScopeMapCreate a token which has read permissions on hello-world repository.
az acr token create -n myToken -r MyRegistry --repository hello-world content/read metadata/readCreate a token without credentials and with all gateway permissions.
az acr token create -n myToken -r MyRegistry --repository hello-world content/read
--gateway registry config/read config/write message/read message/write --no-passwordsCreate a token in disabled status.
az acr token create -n MyToken -r MyRegistry --scope-map MyScopeMap --status disabledRequired Parameters
The name of the token.
The name of the container registry. It should be specified in lower case. You can configure the default registry name using az configure --defaults acr=<registry name>.
Optional Parameters
UTC time for which the credentials will be valid. In the format of %Y-%m-%dT%H:%M:%SZ, e.g. 2025-12-31T12:59:59Z.
Number of days for which the credentials will be valid. If not specified, the expiration will default to the max value "9999-12-31T23:59:59.999999+00:00".
Gateway permissions. Use the format "--gateway GATEWAY [ACTION1 ACTION2 ...]" per flag. Valid actions are {'config/read', 'message/read', 'config/write', 'message/write'}.
Do not generate passwords during token creation. You can generate the passwords after the token is created by using az acr token credentials generate command.
Repository permissions. Use the format "--repository REPO [ACTION1 ACTION2 ...]" per flag. Valid actions are {'content/write', 'metadata/write', 'content/read', 'content/delete', 'metadata/read'}.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
The name of the scope map with pre-configured repository permissions. Use "--repository" and/or "--gateway" if you would like CLI to configure one for you.
The status of the token.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az acr token delete
Delete a token for an Azure Container Registry.
az acr token delete --name
--registry
[--resource-group]
[--yes]Examples
Delete the token 'MyToken'.
az acr token delete -n MyToken -r MyRegistryRequired Parameters
The name of the token.
The name of the container registry. It should be specified in lower case. You can configure the default registry name using az configure --defaults acr=<registry name>.
Optional Parameters
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Do not prompt for confirmation.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az acr token list
List all tokens for an Azure Container Registry.
az acr token list --registry
[--resource-group]Examples
List tokens under the registry 'MyRegistry'.
az acr token list -r MyRegistryRequired Parameters
The name of the container registry. It should be specified in lower case. You can configure the default registry name using az configure --defaults acr=<registry name>.
Optional Parameters
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az acr token show
Show details and attributes of a token for an Azure Container Registry.
az acr token show --name
--registry
[--resource-group]Examples
Get information for the token 'MyToken'.
az acr token show -n MyToken -r MyRegistryRequired Parameters
The name of the token.
The name of the container registry. It should be specified in lower case. You can configure the default registry name using az configure --defaults acr=<registry name>.
Optional Parameters
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az acr token update
Update a token (replace associated scope map) for an Azure Container Registry.
az acr token update --name
--registry
[--resource-group]
[--scope-map]
[--status {disabled, enabled}]Examples
Update the token 'MyToken', making it associated with the scope map 'MyNewScopeMap'.
az acr token update -n MyToken -r MyRegistry --scope-map MyNewScopeMapRequired Parameters
The name of the token.
The name of the container registry. It should be specified in lower case. You can configure the default registry name using az configure --defaults acr=<registry name>.
Optional Parameters
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
The name of the scope map associated with the token. If not specified, running this command will disassociate the current scope map related to the token.
The status of the token.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
Feedback
Submit and view feedback for