Authenticate with a private Docker container registry

There are several ways to authenticate with an Azure container registry, each of which is applicable to one or more registry usage scenarios.

You can log in to a registry directly via individual login, or your applications and container orchestrators can perform unattended, or "headless," authentication by using an Azure Active Directory (Azure AD) service principal.

Individual login with Azure AD

When working with your registry directly, such as pulling images to or pushing images from a development workstation, authenticate by using the az acr login command in the Azure CLI:

az acr login --name <acrName>

When you log in with az acr login, the CLI uses the token created when you executed az login to seamlessly authenticate your session with your registry. Once you've logged in this way, your credentials are cached, and subsequent docker commands in your session do not require a username or password.

For registry access, the token used by az acr login is valid for 1 hour, so we recommend that you always log in to the registry before running a docker command. If your token expires, you can refresh it by using the az acr login command again to reauthenticate.

Using az acr login with Azure identities provides role-based access. For some scenarios you may want to log in to a registry with your own individual identity in Azure AD. For cross-service scenarios, or to handle the needs of a workgroup where you don't want to manage individual access, you can also log in with a managed identity for Azure resources.

Service principal

If you assign a service principal to your registry, your application or service can use it for headless authentication. Service principals allow role-based access to a registry, and you can assign multiple service principals to a registry. Multiple service principals allow you to define different access for different applications.

The available roles for a container registry include:

  • AcrPull: pull

  • AcrPush: pull and push

  • Owner: pull, push, and assign roles to other users

For a complete list of roles, see Azure Container Registry roles and permissions.

For CLI scripts to create a service principal app ID and password for authenticating with an Azure container registry, or to use an existing service principal, see Azure Container Registry authentication with service principals.

Service principals enable headless connectivity to a registry in both pull and push scenarios like the following:

  • Pull: Deploy containers from a registry to orchestration systems including Kubernetes, DC/OS, and Docker Swarm. You can also pull from container registries to related Azure services such as Azure Kubernetes Service, Azure Container Instances, App Service, Batch, Service Fabric, and others.

  • Push: Build container images and push them to a registry using continuous integration and deployment solutions like Azure Pipelines or Jenkins.

You can also log in directly with a service principal. When you run the following command, interactively provide the service principal appID (username) and password when prompted. For best practices to manage login credentials, see the docker login command reference:

docker login myregistry.azurecr.io

Once logged in, Docker caches the credentials, so you don't need to remember the app ID.
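The two login paths above, the individual login whose token expires after 1 hour and the headless service-principal login, as an added shell example (not from the Azure documentation). It assumes the caller sets ACR_NAME, ACR_SP_APP_ID and ACR_SP_PASSWORD (for instance from a CI secret store); DRY_RUN=1 prints each az/docker command instead of running it, so the logic can be exercised without either tool installed.

```shell
#!/bin/sh
# Added example: helpers around az acr login and docker login for an Azure
# container registry. Assumed inputs: ACR_NAME, ACR_SP_APP_ID, ACR_SP_PASSWORD.

ACR_TOKEN_LIFETIME=3600   # seconds; the az acr login token is valid for 1 hour

# Run a command, or just print it when DRY_RUN=1 (no az/docker needed).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "$*"
  else
    "$@"
  fi
}

# True (exit 0) when a token obtained at epoch $1 is stale at epoch $2.
# The margin (default 300 s) avoids a docker push failing at minute 59.
acr_token_stale() {
  last_login=$1; now=$2; margin=${3:-300}
  [ $(( now - last_login )) -ge $(( ACR_TOKEN_LIFETIME - margin )) ]
}

# Individual login: re-run az acr login only when the cached token is stale.
# The time of the last successful login is recorded in a per-registry stamp file.
acr_login_individual() {
  stamp="${HOME}/.acr-login-${ACR_NAME}"
  now=$(date +%s)
  last=$(cat "$stamp" 2>/dev/null || echo 0)
  if acr_token_stale "$last" "$now"; then
    run az acr login --name "$ACR_NAME" && echo "$now" > "$stamp"
  fi
}

# Headless login: the service principal appID is the username; the password is
# fed through stdin so it never appears in the process list or shell history.
acr_login_sp() {
  server="${ACR_NAME}.azurecr.io"
  printf '%s' "$ACR_SP_PASSWORD" |
    run docker login "$server" --username "$ACR_SP_APP_ID" --password-stdin
}
```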

Tip

You can regenerate the password of a service principal by running the az ad sp reset-credentials command.

Admin account

Each container registry includes an admin user account, which is disabled by default. You can enable the admin user and manage its credentials in the Azure portal, or by using the Azure CLI or other Azure tools.

Important

The admin account is designed for a single user to access the registry, mainly for testing purposes. We do not recommend sharing the admin account credentials with multiple users. All users authenticating with the admin account appear as a single user with push and pull access to the registry. Changing or disabling this account disables registry access for all users who use its credentials. Individual identity is recommended for users, and service principals for headless scenarios.

The admin account is provided with two passwords, both of which can be regenerated. Two passwords allow you to maintain connection to the registry by using one password while you regenerate the other. If the admin account is enabled, you can pass the username and either password to the docker login command when prompted for basic authentication to the registry. For example:

docker login myregistry.azurecr.io

To enable the admin user for an existing registry, you can use the --admin-enabled parameter of the az acr update command in the Azure CLI:

az acr update -n <acrName> --admin-enabled true

You can enable the admin user in the Azure portal by navigating to your registry, selecting Access keys under SETTINGS, then Enable under Admin user.

[Figure: Enable admin user UI in the Azure portal]

Next steps