How can we improve the Azure Container Registry?

Configure permissions at a repository level

Allow individualized access to various repositories within a registry. Enable setting Reader, Contributor or Owner access levels at the repository level.

81 votes

Andres Petralli shared this idea

11 comments

  • Slawomir commented

    I am eagerly looking forward to this feature, as it prevents my company from using ACR for production
    to restrict user access to specific docker repositories / helm repos.

    Would you be so kind as to share an ETA for the delivery of this feature?

  • Badal Kotecha commented

    Something similar to AWS repository policies. In the absence of this you cannot really make ACR multi-tenant and drive enterprise-level adoption. Looks like this was planned to be available during the fall of 2018. What is the current update?

  • Azure Container Registry Team (Admin, Microsoft Azure) commented

    We will be moving forward with repo level permissions. After further design, we realized we were uniquely focusing on token flows, where we really need to incorporate users as well. Through RBAC, a registry owner will be able to configure users and tokens to have access to collections of repos, including helm chart repos. To avoid having to create new tokens when repo access is updated, access can be updated without generating new tokens.
    On the downside, due to the additional work, this does get pushed out to H1 2019.

  • george commented

    we need this too!

    if this can be controlled using the multi-level paths you already support, this would make our workflow _so_ much easier.

  • Doug Fish commented

    ... or perhaps give out permissions to a specific path like sample.azurecr.io/team-a to accomplish this.

  • Ori commented

    Would be great if this can also be done at a "path" level (e.g. on all repositories starting with "TEAM-A").
