Is there a way to limit access at the repo level within the Azure Container Registry?

Raghu 20 Reputation points
2024-05-17T18:02:15.8733333+00:00

We want to set up a shared container registry which is expected to be used by multiple teams. How can we limit access to a specific/individual repository? My understanding is that we can create Scope Maps and then create or assign tokens to allow different teams to use the same container registry while having access limited to one repository only within the same Azure Container Registry.

But as per the documentation we have some limitations that say we cannot do that for a service principal. Is that correct?

https://learn.microsoft.com/en-us/azure/container-registry/container-registry-repository-scoped-permissions#preview-limitations

Is there a way to limit access at the repo level within the Azure Container Registry?

Are there any other limitations?


Accepted answer
  1. v-vvellanki-MSFT 4,760 Reputation points Microsoft Vendor
    2024-05-20T04:14:05.6633333+00:00

    Hi @Raghu ,

    Thanks for contacting Microsoft Q&A platform.

    Tokens were introduced specifically for the purpose of repo-scoped access control, which other auth options don't share, and at the moment that is the only current solution that is supported for the purpose of offering repository-scoped restricted access.

    In your scenario the main limitation seems to be the usage of AAD identities with scope maps; currently it is limited to just token (user and pass) authentication. However, the other limitation that is mentioned in the document about the anonymous pull is not a limitation, and the team will update the documentation accordingly.

    Hope this helps.

    1 person found this answer helpful.
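
The scope map and token setup discussed above, as an added example that is not part of the original question or answer: it builds one scope map and one token per team, each naming a single repository, using `az acr scope-map create` and `az acr token create`. The registry, team and repository names are constructed placeholders, and the script only prints the commands unless `DRY_RUN=0` is set.

```shell
#!/usr/bin/env bash
# Added example: one scope map and one token per team, each limited to one repository.
REGISTRY="${REGISTRY:-sharedregistry}"   # assumed registry name (placeholder)
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print the az commands, 0 = execute them

# Constructed sample mapping, one "team:repository:access" entry per line.
TEAM_REPOS="payments:payments/api:pushpull
web:web/frontend:pushpull
audit:payments/api:pull"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Grant one team access to exactly one repository through a scope map and a token.
grant_repo_access() {
  team="$1"; repo="$2"; access="$3"
  case "$access" in
    pull)     actions="content/read metadata/read" ;;
    pushpull) actions="content/read content/write metadata/read" ;;
    *) echo "unknown access level: $access" >&2; return 1 ;;
  esac
  [ -n "$team" ] && [ -n "$repo" ] || { echo "team and repository are required" >&2; return 1; }
  # The scope map names a single repository and the actions allowed on it.
  # $actions is intentionally unquoted so each action becomes its own argument.
  run az acr scope-map create --name "${team}-scope" --registry "$REGISTRY" \
      --repository "$repo" $actions || return 1
  # The token is the credential the team logs in with (token name + generated password).
  run az acr token create --name "${team}-token" --registry "$REGISTRY" \
      --scope-map "${team}-scope"
}

# Apply the whole mapping, stopping at the first failure.
apply_mapping() {
  printf '%s\n' "$TEAM_REPOS" | while IFS=: read -r t r a; do
    [ -n "$t" ] || continue
    grant_repo_access "$t" "$r" "$a" || exit 1
  done
}

apply_mapping
```

Review the printed commands first, then rerun with `DRY_RUN=0` after `az login` to create the scope maps and tokens.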