Azure Container Registry roles and permissions
The Azure Container Registry service supports a set of Azure roles that provide different levels of permissions to an Azure container registry. Use Azure role-based access control (RBAC) to assign specific permissions to users or service principals that need to interact with a registry.
| Role/Permission | Access Resource Manager | Create/delete registry | Push image | Pull image | Delete image data | Change policies | Sign images |
|---|---|---|---|---|---|---|---|
Differentiate users and services
Any time permissions are applied, a best practice is to provide the most limited set of permissions for a person, or service, to accomplish a task. The following permission sets represent a set of capabilities that may be used by humans and headless services.
CI/CD solutions
When automating docker build commands from CI/CD solutions, you need docker push capabilities. For these headless service scenarios, we suggest assigning the AcrPush role. Unlike the broader Contributor role, AcrPush prevents the account from performing other registry operations or accessing Azure Resource Manager.
Container host nodes
Likewise, nodes running your containers need the AcrPull role, but shouldn't require Reader capabilities.
Visual Studio Code Docker extension
For tools like the Visual Studio Code Docker extension, additional resource provider access is required to list the available Azure container registries. In this case, provide your users access to the Reader or Contributor role. These roles allow az acr list, az acr build, and other capabilities.
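The three scenarios above (CI/CD pipelines, container host nodes, developer tooling) each need a different minimal role. The following audit script is an added example, not part of the Azure documentation: it takes role assignments in the shape of `az role assignment list` output and an operator-supplied map of what each principal is meant to do, then reports capabilities missing for that task and capabilities granted beyond the smallest role that covers it. The role capability sets follow Azure's built-in ACR roles (the built-in AcrImageSigner and AcrDelete roles are included although the page does not name them); the task names, principal names, subscription id and assignment records are constructed sample data.

```python
"""Audit Azure Container Registry role assignments against the task each
principal is meant to perform, flagging over- and under-privileged grants.

Added example (not from the Azure documentation). Role capability sets
follow Azure's built-in ACR roles; task names, principal names and the
assignment records below are constructed sample data.
"""
import json

# Capability columns mirror the page's role/permission table.
ROLE_CAPS = {
    "Owner": {"arm", "create_delete_registry", "push", "pull", "delete_image_data", "change_policies"},
    "Contributor": {"arm", "create_delete_registry", "push", "pull", "delete_image_data", "change_policies"},
    "Reader": {"arm", "pull"},
    "AcrPush": {"push", "pull"},
    "AcrPull": {"pull"},
    "AcrImageSigner": {"sign"},
    "AcrDelete": {"delete_image_data"},
}

# What each kind of principal actually needs to do (task names are constructed here).
TASK_CAPS = {
    "ci_push": {"push"},            # CI/CD pipeline running docker build / docker push
    "node_pull": {"pull"},          # container host nodes pulling images
    "list_registries": {"arm"},     # tooling that enumerates registries via Resource Manager
    "sign": {"sign", "push"},       # signing process that also pushes trusted images
}


def recommend(needed):
    """Smallest built-in role(s) that together cover the needed capabilities.

    For each capability, pick the role with the fewest total capabilities
    that grants it (ties broken by name), so a pull-only workload gets
    AcrPull rather than Reader or Contributor.
    """
    roles = set()
    for cap in needed:
        candidates = [r for r, caps in ROLE_CAPS.items() if cap in caps]
        roles.add(min(candidates, key=lambda r: (len(ROLE_CAPS[r]), r)))
    return sorted(roles)


def granted_capabilities(assignments):
    """Union of capabilities each principal holds across all of its assignments."""
    granted = {}
    for a in assignments:
        caps = ROLE_CAPS.get(a["roleDefinitionName"], set())
        granted.setdefault(a["principalName"], set()).update(caps)
    return granted


def audit(assignments, intended_tasks):
    """Compare granted capabilities with the intended task for each principal.

    Returns, per principal: capabilities missing for the task, capabilities
    held beyond what the recommended minimal roles would grant, and those
    recommended roles.
    """
    granted = granted_capabilities(assignments)
    findings = {}
    for principal, task in intended_tasks.items():
        needed = TASK_CAPS[task]
        have = granted.get(principal, set())
        rec = recommend(needed)
        baseline = set().union(*(ROLE_CAPS[r] for r in rec))
        findings[principal] = {
            "missing": sorted(needed - have),
            "excess": sorted(have - baseline),
            "recommended_roles": rec,
        }
    return findings


# Constructed sample in the shape of `az role assignment list --scope <registry> -o json`
# (only the fields the audit reads). Subscription id, group and registry names are placeholders.
REGISTRY_SCOPE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
                  "/providers/Microsoft.ContainerRegistry/registries/demoacr")
SAMPLE_ASSIGNMENTS = json.loads("""[
  {"principalName": "ci-pipeline-sp", "principalType": "ServicePrincipal", "roleDefinitionName": "Contributor"},
  {"principalName": "aks-nodepool-identity", "principalType": "ServicePrincipal", "roleDefinitionName": "Reader"},
  {"principalName": "image-signer-sp", "principalType": "ServicePrincipal", "roleDefinitionName": "AcrImageSigner"},
  {"principalName": "image-signer-sp", "principalType": "ServicePrincipal", "roleDefinitionName": "AcrPush"},
  {"principalName": "dev-user@example.com", "principalType": "User", "roleDefinitionName": "Reader"}
]""")
for _a in SAMPLE_ASSIGNMENTS:
    _a["scope"] = REGISTRY_SCOPE

# Operator-supplied intent: what each principal is for (constructed).
SAMPLE_INTENT = {
    "ci-pipeline-sp": "ci_push",
    "aks-nodepool-identity": "node_pull",
    "image-signer-sp": "sign",
    "dev-user@example.com": "list_registries",
}

if __name__ == "__main__":
    for principal, f in audit(SAMPLE_ASSIGNMENTS, SAMPLE_INTENT).items():
        status = "OK" if not f["missing"] and not f["excess"] else "REVIEW"
        print(f"{status:6} {principal}: missing={f['missing']} excess={f['excess']} "
              f"recommend={f['recommended_roles']}")
```

Run against the sample, the CI pipeline holding Contributor is reported with Resource Manager access and registry-management capabilities it does not need (AcrPush recommended), the node identity holding Reader is reported for its Resource Manager access (AcrPull recommended), while the signer with AcrImageSigner plus AcrPush and the developer with Reader come back clean. Feeding it real `az role assignment list` output only requires the `principalName` and `roleDefinitionName` fields.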
Access Resource Manager
Azure Resource Manager access is required for the Azure portal and registry management with the Azure CLI. For example, to get a list of registries by using the az acr list command, you need this permission set.
Create and delete registry
The ability to create and delete Azure container registries.
Delete image data
Change policies
The ability to configure policies on a registry. Policies include image purging, enabling quarantine, and image signing.
Sign images
The ability to sign images, usually assigned to an automated process, which would use a service principal. This permission is typically combined with push image to allow pushing a trusted image to a registry. For details, see Content trust in Azure Container Registry.