Azure Container Registry
Azure Container Registry integration allows your product to access and fetch container repository details, list container images, and view metadata (tags, digests, creation times, etc.) stored in Azure Container Registry (ACR). This supports container inventory management, vulnerability scanning, and image compliance checks across cloud workloads.
Credentials Needed
To integrate with Azure Container Registry (ACR), you'll need credentials from an Azure Active Directory (AAD) App Registration.
Required credentials:
- Tenant ID (Directory ID)
- Client ID (Application ID)
- Client Secret
- Subscription ID
These credentials will be used to authenticate with Azure and access the ACR API through Azure Resource Manager.
Permissions Needed
Your AAD App needs read-only access to Azure Container Registry.
1. Role Assignment (at ACR Resource Level)
Assign one of the following roles to the app:
- AcrPull (Recommended for read-only access to repositories and images; this is a data-plane role that lets the app list repositories, tags and manifests and pull image content)
- Reader (If you also need metadata from the resource group or subscription level; this is a control-plane role that lets the app enumerate the registry resource itself through Azure Resource Manager, e.g. with `az acr list`)
These roles grant permission to list repositories and fetch image details without allowing modifications.
2. API Permissions (via App Registration)
| API | Permission | Type | Purpose |
|---|---|---|---|
| Azure Service Management (Azure Resource Manager) | user_impersonation | Delegated | To query ACR resources and image metadata |

Note that user_impersonation is a delegated permission, so it only comes into play when a signed-in user authorizes through the app. When the integration authenticates with its client secret (the client-credentials flow described below), what it may read is decided by the RBAC role assignment from step 1.
Creating Users / App Registration in Azure
Step 1: Register an Application
- Go to Azure Portal → Azure Active Directory → App registrations → New registration
- Enter a name (e.g., ACRIntegrationApp)
- Supported account type: "Accounts in this organizational directory only"
- Redirect URI: Leave blank (or specify your product callback URL if needed)
- Click Register
After registration, note:
- Application (Client) ID
- Directory (Tenant) ID
Step 2: Create a Client Secret
- Go to Certificates & Secrets → New client secret
- Add a description and choose an expiry period (1 or 2 years)
- Copy the Client Secret Value immediately — it will be shown only once.
Step 3: Assign Role to App
- Go to Azure Portal → Container Registries → [Your Registry Name] → Access Control (IAM)
- Click Add role assignment
- Select AcrPull or Reader role
- Under Members, choose User, group, or service principal, then search for and select your registered app (ACRIntegrationApp)
- Save the role assignment.
This grants your app access to read image metadata from your Azure Container Registry.
Test Connectivity
Use Azure CLI to verify that the credentials work correctly:

```bash
# Login using Service Principal
az login --service-principal \
  --username <CLIENT_ID> \
  --password <CLIENT_SECRET> \
  --tenant <TENANT_ID>

# Set the subscription
az account set --subscription <SUBSCRIPTION_ID>

# List all Azure Container Registries
az acr list --output table

# List repositories in a registry
az acr repository list --name <ACR_NAME> --output table

# List images in a repository
az acr repository show-tags --name <ACR_NAME> --repository <REPOSITORY_NAME> --output table
```

If these commands execute successfully and return registry and image data, your integration credentials and permissions are correctly configured. Keep in mind that `az acr list` enumerates the registry resource through Azure Resource Manager, so it needs the Reader role: with AcrPull alone it returns an empty table, while the repository and tag commands, which talk to the registry's own data plane, still work.
Save the Results in the Platform and Create Connection
In your platform's connector configuration, securely store the following:
- AZURE_TENANT_ID
- AZURE_CLIENT_ID
- AZURE_CLIENT_SECRET
- AZURE_SUBSCRIPTION_ID
- ACR_NAME (optional, if you want to restrict to a single registry)
Create a connection labeled Azure Container Registry Integration in your platform.
Test the connection by listing repositories and images.
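The following Python helper is an added example for the connectivity test and the connector configuration above; it is not code from the original page or from Microsoft's SDK samples. It validates the stored `AZURE_*` settings before any network call, then walks the registry with the `azure-identity` and `azure-containerregistry` packages using the same client-secret credential the page describes, and turns each tag's metadata into an inventory record with two compliance flags (mutable `latest` tag, image older than a configurable number of days). The `TagInfo`, `inventory_records`, `load_acr_settings` and `fetch_inventory` names, the 90-day staleness threshold and the sample timestamps are assumptions chosen for illustration; the login server suffix is the Azure public cloud one.

```python
"""Hypothetical ACR connector helper (added example, not part of the original page or any Azure SDK sample)."""
import os
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Mapping, Optional

# Settings the connector configuration stores (names taken from the page).
REQUIRED_SETTINGS = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID",
                     "AZURE_CLIENT_SECRET", "AZURE_SUBSCRIPTION_ID")
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def load_acr_settings(env: Mapping[str, str]) -> dict:
    """Validate connector settings before any network call is made.

    Tenant, client and subscription IDs are GUIDs; catching a typo here gives a
    clearer failure than an AAD error later. The secret is required but never echoed.
    """
    missing = [k for k in REQUIRED_SETTINGS if not env.get(k)]
    if missing:
        raise ValueError(f"missing connector settings: {', '.join(missing)}")
    for key in ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_SUBSCRIPTION_ID"):
        if not GUID_RE.match(env[key]):
            raise ValueError(f"{key} is not a GUID")
    settings = {k: env[k] for k in REQUIRED_SETTINGS}
    settings["ACR_NAME"] = env.get("ACR_NAME") or None  # optional: restrict to one registry
    return settings


def registry_endpoint(acr_name: str) -> str:
    """Login server for a registry in the Azure public cloud (assumed suffix)."""
    return f"https://{acr_name}.azurecr.io"


def utc_time(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp with offset into an aware datetime."""
    return datetime.fromisoformat(iso)


@dataclass
class TagInfo:
    """Subset of the SDK's ArtifactTagProperties that the inventory needs."""
    name: str
    digest: str
    created_on: datetime


def inventory_records(repository: str, tags: Iterable[TagInfo], now: datetime,
                      stale_after_days: int = 90) -> list:
    """Flatten tag metadata into one record per tag with two compliance flags:
    - mutable_tag: 'latest' cannot be pinned, so the digest is what a policy should use
    - stale: tags older than stale_after_days (assumed 90) likely carry unpatched layers
    """
    cutoff = now - timedelta(days=stale_after_days)
    records = []
    for t in tags:
        records.append({
            "repository": repository,
            "tag": t.name,
            "digest": t.digest,
            "created_on": t.created_on.isoformat(),
            "mutable_tag": t.name == "latest",
            "stale": t.created_on < cutoff,
        })
    return records


def fetch_inventory(settings: dict, acr_name: Optional[str] = None) -> list:
    """Walk every repository and tag in the registry using the Azure SDK.

    Needs the azure-identity and azure-containerregistry packages and network
    access; the import is deferred so the pure helpers above stay usable offline.
    """
    from azure.identity import ClientSecretCredential
    from azure.containerregistry import ContainerRegistryClient

    name = acr_name or settings["ACR_NAME"]
    if not name:
        raise ValueError("ACR_NAME must be set or passed explicitly")
    credential = ClientSecretCredential(
        tenant_id=settings["AZURE_TENANT_ID"],
        client_id=settings["AZURE_CLIENT_ID"],
        client_secret=settings["AZURE_CLIENT_SECRET"],
    )
    # The AcrPull role assignment decides what this token may read; the audience
    # is the ARM resource the public-cloud data plane accepts.
    client = ContainerRegistryClient(registry_endpoint(name), credential,
                                     audience="https://management.azure.com")
    now = datetime.now(timezone.utc)
    records = []
    for repo in client.list_repository_names():
        tags = (TagInfo(p.name, p.digest, p.created_on)
                for p in client.list_tag_properties(repo))
        records.extend(inventory_records(repo, tags, now))
    return records


if __name__ == "__main__":
    for rec in fetch_inventory(load_acr_settings(os.environ)):
        print(rec)
```

Run it with the four `AZURE_*` variables and `ACR_NAME` exported; the records it returns are what a platform would feed into its scanner or compliance rules. Deferring the SDK import keeps the validation and record-building functions testable without Azure credentials.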
Best Practices
- Use AcrPull role for read-only access; avoid Contributor or Owner permissions.
- Rotate the Client Secret periodically and store it in Azure Key Vault or an encrypted secret manager.
- Limit access by assigning the role at the specific registry level instead of the entire subscription.
- Prefer using Managed Identity for integrations running within Azure infrastructure.
- Regularly audit ACR role assignments to ensure least privilege access.
- If scanning multiple registries, repeat role assignments for each ACR instance.
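To make the "audit ACR role assignments" and "assign the role at the registry level" practices repeatable, here is an added Python example (not from the original page) that checks the JSON produced by `az role assignment list --scope <registry resource id> --include-inherited --output json` against the read-only roles named above. It flags any principal holding a role other than AcrPull or Reader and any assignment inherited from a resource group or subscription scope rather than placed on the registry itself. The sample assignments, principal names, subscription ID and registry name are constructed for illustration and only the fields the audit reads are included; real output carries more fields.

```python
"""Added example (not from the original page): least-privilege audit of ACR role assignments."""
import json

# Roles the integration is expected to hold per the Best Practices above.
ALLOWED_ROLES = {"AcrPull", "Reader"}

# Constructed sample in the shape of `az role assignment list --output json`.
# Field names match the CLI output; the values are made up for this example.
SAMPLE_ASSIGNMENTS_JSON = json.dumps([
    {"principalName": "ACRIntegrationApp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "AcrPull",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
              "rg-platform/providers/Microsoft.ContainerRegistry/registries/myacr"},
    {"principalName": "legacy-scanner", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
              "rg-platform/providers/Microsoft.ContainerRegistry/registries/myacr"},
    {"principalName": "ops-admins", "principalType": "Group",
     "roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
])


def registry_scoped(scope: str) -> bool:
    """True when the assignment sits on a registry resource itself rather than
    being inherited from the resource group or subscription."""
    return "/providers/Microsoft.ContainerRegistry/registries/" in scope


def audit_role_assignments(assignments_json: str) -> list:
    """Return one finding per deviation from the read-only, registry-scoped model."""
    findings = []
    for a in json.loads(assignments_json):
        role = a.get("roleDefinitionName", "")
        scope = a.get("scope", "")
        who = f"{a.get('principalType')} {a.get('principalName')}"
        if role not in ALLOWED_ROLES:
            findings.append({
                "principal": who, "role": role, "scope": scope,
                "issue": f"role '{role}' is outside the read-only set; use AcrPull or Reader",
            })
        if not registry_scoped(scope):
            findings.append({
                "principal": who, "role": role, "scope": scope,
                "issue": "assignment is inherited from a broader scope; assign it on the registry",
            })
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_ASSIGNMENTS_JSON with the real CLI output to audit a registry.
    for f in audit_role_assignments(SAMPLE_ASSIGNMENTS_JSON):
        print(f"{f['principal']}: {f['issue']} ({f['scope']})")
```

Feed the function the real CLI output (for example, read it from a file or pipe) and treat each finding as a ticket to remove or re-scope the assignment; running this on a schedule for every registry covers the "repeat for each ACR instance" point as well.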