| title | description | ms.topic | ms.date | ms.custom |
|---|---|---|---|---|
Enable anonymous pull access |
Optionally enable anonymous pull access to make content in your Azure container registry publicly available |
how-to |
09/17/2021 |
Setting up an Azure container registry for anonymous (unauthenticated) pull access is an optional feature that allows any user with internet access the ability to pull any content from the registry.
Anonymous pull access is a preview feature, available in the Standard and Premium service tiers. To configure anonymous pull access, update a registry using the Azure CLI (version 2.21.0 or later). To install or upgrade, see Install Azure CLI.
By default, access to pull or push content from an Azure container registry is only available to authenticated users. Enabling anonymous (unauthenticated) pull access makes all registry content publicly available for read (pull) actions. Anonymous pull access can be used in scenarios that do not require user authentication such as distributing public container images.
- Enable anonymous pull access by updating the properties of an existing registry.
- After enabling anonymous pull access, you may disable that access at any time.
- Only data-plane operations are available to unauthenticated clients.
- The registry may throttle a high rate of unauthenticated requests.
- If you previously authenticated to the registry, make sure you clear the credentials before attempting an anonymous pull operation.
Warning
Anonymous pull access currently applies to all repositories in the registry. If you manage repository access using repository-scoped tokens, all users may pull from those repositories in a registry enabled for anonymous pull. We recommend deleting tokens when anonymous pull access is enabled.
Update a registry using the az acr update command and pass the --anonymous-pull-enabled parameter. By default, anonymous pull is disabled in the registry.
az acr update --name myregistry --anonymous-pull-enabled
Important
If you previously authenticated to the registry with Docker credentials, run docker logout to ensure that you clear the existing credentials before attempting anonymous pull operations. Otherwise, you might see an error message similar to "pull access denied".
Disable anonymous pull access by setting --anonymous-pull-enabled to false.
az acr update --name myregistry --anonymous-pull-enabled false
- Learn about using repository-scoped tokens.
- Learn about options to authenticate to an Azure container registry.