Authenticate with Azure Container Registry from Azure Container Instances

You can use an Azure Active Directory (Azure AD) service principal to provide access to your private container registries in Azure Container Registry.

In this article, you learn to create and configure an Azure AD service principal with pull permissions to your registry. Then, you start a container in Azure Container Instances (ACI) that pulls its image from your private registry, using the service principal for authentication.

When to use a service principal

You should use a service principal for authentication from ACI in headless scenarios, such as in applications or services that create container instances in an automated or otherwise unattended manner.

For example, if you have an automated script that runs nightly and creates a task-based container instance to process some data, it can use a service principal with pull-only permissions to authenticate to the registry. You can then rotate the service principal's credentials or revoke its access completely without affecting other services and applications.

Service principals should also be used when the registry admin user is disabled.

Create a service principal

To create a service principal with access to your container registry, run the following script in the Azure Cloud Shell or a local installation of the Azure CLI. The script is formatted for the Bash shell.

Before running the script, update the ACR_NAME variable with the name of your container registry. The SERVICE_PRINCIPAL_NAME value must be unique within your Azure Active Directory tenant. If you receive an "'http://acr-service-principal' already exists." error, specify a different name for the service principal.

You can optionally modify the --role value in the az ad sp create-for-rbac command if you want to grant different permissions. For a complete list of roles, see ACR roles and permissions.

After you run the script, take note of the service principal's ID and password. Once you have its credentials, you can configure your applications and services to authenticate to your container registry as the service principal.

#!/bin/bash

# Modify for your environment.
# ACR_NAME: The name of your Azure Container Registry
# SERVICE_PRINCIPAL_NAME: Must be unique within your AD tenant
ACR_NAME=<container-registry-name>
SERVICE_PRINCIPAL_NAME=acr-service-principal

# Obtain the full registry ID for subsequent command args
ACR_REGISTRY_ID=$(az acr show --name $ACR_NAME --query id --output tsv)

# Create the service principal with rights scoped to the registry.
# Default permissions are for docker pull access. Modify the '--role'
# argument value as desired:
# acrpull:     pull only
# acrpush:     push and pull
# owner:       push, pull, and assign roles
SP_PASSWD=$(az ad sp create-for-rbac --name http://$SERVICE_PRINCIPAL_NAME --scopes $ACR_REGISTRY_ID --role acrpull --query password --output tsv)
SP_APP_ID=$(az ad sp show --id http://$SERVICE_PRINCIPAL_NAME --query appId --output tsv)

# Output the service principal's credentials; use these in your services and
# applications to authenticate to the container registry.
echo "Service principal ID: $SP_APP_ID"
echo "Service principal password: $SP_PASSWD"

Use an existing service principal

To grant registry access to an existing service principal, you must assign a new role to the service principal. As with creating a new service principal, you can grant pull, push and pull, and owner access, among others.

The following script uses the az role assignment create command to grant pull permissions to a service principal you specify in the SERVICE_PRINCIPAL_ID variable. Adjust the --role value if you'd like to grant a different level of access.

#!/bin/bash

# Modify for your environment. The ACR_NAME is the name of your Azure Container
# Registry, and the SERVICE_PRINCIPAL_ID is the service principal's 'appId' or
# one of its 'servicePrincipalNames' values.
ACR_NAME=mycontainerregistry
SERVICE_PRINCIPAL_ID=<service-principal-ID>

# Populate value required for subsequent command args
ACR_REGISTRY_ID=$(az acr show --name $ACR_NAME --query id --output tsv)

# Assign the desired role to the service principal. Modify the '--role' argument
# value as desired:
# acrpull:     pull only
# acrpush:     push and pull
# owner:       push, pull, and assign roles
az role assignment create --assignee $SERVICE_PRINCIPAL_ID --scope $ACR_REGISTRY_ID --role acrpull
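Whether the service principal was just created or already existed, the grant should be acrpull on the registry itself and nothing broader. The following audit check is an added example, not part of this article or Microsoft's sample scripts: it reads the service principal's role assignments (assumed to be produced by az role assignment list --all --assignee "$SP_APP_ID" --query "[].[roleDefinitionName,scope]" --output tsv) and flags any assignment that is more permissive than acrpull or scoped at resource group or subscription level. The registry ID and sample rows are constructed.

```bash
#!/bin/bash
# Added example (not from the article): least-privilege audit of a service
# principal's ACR role assignments. Input is one assignment per line, as
# "<roleDefinitionName><TAB><scope>", the shape assumed from:
#   az role assignment list --all --assignee "$SP_APP_ID" \
#       --query "[].[roleDefinitionName,scope]" --output tsv
# Prints one line per violation; returns 0 if clean, 1 otherwise.
TAB=$(printf '\t')

audit_sp_assignments() {
    local registry_id=$1              # full ARM ID of the registry (ACR_REGISTRY_ID)
    local allowed_role=${2:-acrpull}  # the only role the SP should hold on it
    local violations=0 role scope lc_scope lc_registry
    lc_registry=$(printf '%s' "$registry_id" | tr '[:upper:]' '[:lower:]')
    while IFS="$TAB" read -r role scope; do
        [ -z "$role" ] && continue
        # Built-in roles come back as "AcrPull"/"Owner"; compare case-insensitively.
        role=$(printf '%s' "$role" | tr '[:upper:]' '[:lower:]')
        lc_scope=$(printf '%s' "$scope" | tr '[:upper:]' '[:lower:]')
        if [ "$lc_scope" = "$lc_registry" ]; then
            # Right scope: only the role itself needs checking.
            if [ "$role" != "$allowed_role" ]; then
                printf 'ROLE_TOO_PERMISSIVE\t%s\t%s\n' "$role" "$scope"
                violations=$((violations + 1))
            fi
        else
            case "$lc_registry" in
                "$lc_scope"/*)
                    # Subscription or resource group scope: the grant covers every
                    # registry beneath it, not just this one.
                    printf 'SCOPE_TOO_BROAD\t%s\t%s\n' "$role" "$scope"
                    violations=$((violations + 1)) ;;
                *) : ;;   # assignment on an unrelated resource; not judged here
            esac
        fi
    done
    [ "$violations" -eq 0 ]
}

# Constructed sample: the registry named in this article plus three assignments,
# two of which violate the pull-only, registry-scoped policy.
REG=/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.ContainerRegistry/registries/mycontainerregistry
SAMPLE="AcrPull${TAB}${REG}
Owner${TAB}${REG}
AcrPull${TAB}/subscriptions/00000000-0000-0000-0000-000000000000"

printf '%s\n' "$SAMPLE" | audit_sp_assignments "$REG" || echo "least-privilege check failed"
```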

Authenticate using the service principal

To launch a container in Azure Container Instances using a service principal, specify its ID for --registry-username, and its password for --registry-password.

az container create \
    --resource-group myResourceGroup \
    --name mycontainer \
    --image mycontainerregistry.azurecr.io/myimage:v1 \
    --registry-login-server mycontainerregistry.azurecr.io \
    --registry-username <service-principal-ID> \
    --registry-password <service-principal-password>

Sample scripts

You can find the preceding sample scripts for Azure CLI on GitHub, as well as versions for Azure PowerShell:

Next steps

The following articles contain additional details on working with service principals and ACR: