Configure permissions at a repository level
Allow individualized access to various repositories within a registry. Enable setting Reader, Contributor or Owner access levels at the repository level.
repo permissions have begun. We don’t yet have an ETA for preview use, but voting for this feature means you’ll get an invite once we’re ready for some customer validations.
Luc Bellego commented
We are waiting for that
Huy V. Le commented
As mentioned by Doug, if it can be by path (i.e. namespace) it will be good, as we tend to regroup all images in specific groups, as suggested in the best practices. https://docs.microsoft.com/en-ca/azure/container-registry/container-registry-best-practices#repository-namespaces
YuHan Lin commented
It's MUCH more useful or production ready to have different levels of ACL in Azure Container Registry.
Julio Silveira commented
Any ETA on it? ACR is not production ready without it.
I am looking forward to this feature with great excitement, as it prevents my company from using ACR for production
to restrict user access to specific docker repositories / helm repos.
Would you be so kind as to share an ETA for the delivery of this feature?
Hi, any update on this feature?
Badal Kotecha commented
something similar to AWS repository policies. In the absence of this you cannot really make ACR multi-tenant and drive enterprise level adoption. Looks like this was planned to be available during the fall of 2018. What is the current update?
We will be moving forward with repo level permissions. After further design, we realized we were uniquely focusing on token flows, where we really need to incorporate users as well. Through RBAC, a registry owner will be able to configure users and tokens to have access to collections of repos, including helm chart repos. To avoid having to create new tokens when repo access is updated, access can be updated without generating new tokens.
On the downside, due to the additional work, this does get pushed out to H1 2019.
We need this too!
If this can be controlled using the multi-level paths you already support, this would make our workflow _so_ much easier.
Doug Fish commented
... or perhaps give out permissions to a specific path like sample.azurecr.io/team-a to accomplish this.
Would be great if this can also be done at a "path" level (e.g. on all repositories starting with "TEAM-A").