Azure Container Registry roles and permissions

The Azure Container Registry service supports a set of Azure roles that provide different levels of permissions to an Azure container registry. Use Azure role-based access control (RBAC) to assign specific permissions to users or service principals that need to interact with a registry.

| Role/Permission | Access Resource Manager | Create/delete registry | Push image | Pull image | Delete image data | Change policies | Sign images |
|-----------------|-------------------------|------------------------|------------|------------|-------------------|-----------------|-------------|
| Owner           | X                       | X                      | X          | X          | X                 | X               |             |
| Contributor     | X                       | X                      | X          | X          | X                 | X               |             |
| Reader          | X                       |                        |            |            |                   |                 |             |
| AcrPush         |                         |                        | X          | X          |                   |                 |             |
| AcrPull         |                         |                        |            | X          |                   |                 |             |
| AcrDelete       |                         |                        |            |            | X                 |                 |             |
| AcrImageSigner  |                         |                        |            |            |                   |                 | X           |

Differentiate users and services

Any time permissions are applied, a best practice is to provide the most limited set of permissions that a person or service needs to accomplish a task. The following permission sets represent the capabilities that may be used by humans and by headless services.

CI/CD solutions

When automating docker build commands from CI/CD solutions, you need docker push capabilities. For these headless service scenarios, we suggest assigning the AcrPush role. Unlike the broader Contributor role, this role prevents the account from performing other registry operations or accessing Azure Resource Manager.

Container host nodes

Likewise, nodes running your containers need the AcrPull role, but shouldn't require Reader capabilities.

Visual Studio Code Docker extension

For tools like the Visual Studio Code Docker extension, additional resource provider access is required to list the available Azure container registries. In this case, provide your users access to the Reader or Contributor role. These roles allow docker pull, docker push, az acr list, az acr build, and other capabilities.
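The three scenarios above map to three built-in roles. The script below is an added example (not from this page or from Microsoft) that encodes that mapping and grants each principal its role at registry scope, so the assignment does not spill over to the whole resource group. The registry name, service principal id and host identity id are placeholders you must replace; setting DRY_RUN=1 prints the az commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example: least-privilege ACR role assignment per workload type.
# Assumptions (placeholders, not from the page): REGISTRY, CI_SP_ID and
# NODE_IDENTITY_ID are supplied by the caller; the Azure CLI is logged in.

# Narrowest built-in role for a workload, following the page's guidance.
acr_role_for() {
  case "$1" in
    ci)   echo "AcrPush" ;;   # CI/CD: docker push (and pull), no ARM access
    node) echo "AcrPull" ;;   # container hosts: docker pull only
    tool) echo "Reader"  ;;   # VS Code Docker extension: needs ARM access to list registries
    *)    echo "unknown workload type: $1" >&2; return 1 ;;
  esac
}

# Build the role assignment for one principal on one registry.
# $3 is the registry's ARM resource id, used as the scope of the grant.
assign_acr_role() {
  role="$(acr_role_for "$1")" || return 1
  cmd="az role assignment create --assignee $2 --scope $3 --role $role"
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$cmd"            # show what would be granted
  else
    $cmd                   # perform the grant
  fi
}

# Opt-in driver: resolve the registry id, then grant the CI/CD and host scenarios.
if [ "${RUN_ASSIGNMENTS:-0}" = "1" ]; then
  REGISTRY_ID="$(az acr show --name "${REGISTRY:?registry name}" --query id --output tsv)"
  assign_acr_role ci   "${CI_SP_ID:?CI/CD service principal id}"      "$REGISTRY_ID"
  assign_acr_role node "${NODE_IDENTITY_ID:?host identity principal id}" "$REGISTRY_ID"
fi
```

Run with RUN_ASSIGNMENTS=1 and the three placeholders exported to apply the grants; without it the file only defines the functions.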

Access Resource Manager

Azure Resource Manager access is required for the Azure portal and for registry management with the Azure CLI. For example, to get a list of registries by using the az acr list command, you need this permission set.

Create and delete registry

The ability to create and delete Azure container registries.

Push image

The ability to docker push an image, or push another supported artifact such as a Helm chart, to a registry. Requires authentication with the registry using the authorized identity.

Pull image

The ability to docker pull a non-quarantined image, or pull another supported artifact such as a Helm chart, from a registry. Requires authentication with the registry using the authorized identity.

Delete image data

The ability to delete container images, or delete other supported artifacts such as Helm charts, from a registry.

Change policies

The ability to configure policies on a registry. Policies include image purging, enabling quarantine, and image signing.

Sign images

The ability to sign images, usually assigned to an automated process that uses a service principal. This permission is typically combined with push image to allow pushing a trusted image to a registry. For details, see Content trust in Azure Container Registry.

