| title | description | ms.topic | ms.date |
|---|---|---|---|
Access from Container Instances |
Learn how to provide access to images in your private container registry from Azure Container Instances by using an Azure Active Directory service principal. |
article |
04/23/2018 |
You can use an Azure Active Directory (Azure AD) service principal to provide access to your private container registries in Azure Container Registry.
In this article, you learn to create and configure an Azure AD service principal with pull permissions to your registry. Then, you start a container in Azure Container Instances (ACI) that pulls its image from your private registry, using the service principal for authentication.
You should use a service principal for authentication from ACI in headless scenarios, such as in applications or services that create container instances in an automated or otherwise unattended manner.
For example, if you have an automated script that runs nightly and creates a task-based container instance to process some data, it can use a service principal with pull-only permissions to authenticate to the registry. You can then rotate the service principal's credentials or revoke its access completely without affecting other services and applications.
Service principals should also be used when the registry admin user is disabled.
[!INCLUDE container-registry-service-principal]
To launch a container in Azure Container Instances using a service principal, specify its ID for --registry-username, and its password for --registry-password.
az container create \
--resource-group myResourceGroup \
--name mycontainer \
--image mycontainerregistry.azurecr.io/myimage:v1 \
--registry-login-server mycontainerregistry.azurecr.io \
--registry-username <service-principal-ID> \
--registry-password <service-principal-password>
You can find the preceding sample scripts for Azure CLI on GitHub, as well versions for Azure PowerShell:
The following articles contain additional details on working with service principals and ACR: