Support Per-Repository Permissions in Azure Container Registry
The granularity of Azure Container Registry's permissions is currently at the Registry level. If a service principal has write access, it can write to any repository in the registry. This becomes cumbersome when more specificity is needed to limit certain users to certain repositories.
A common example is a CI/CD pipeline: if I maintain a dev/test Docker repository that a build server is constantly pushing to, that build server's service principal can write to any repository in the registry. It is unwise to use the same Container Registry to house the output of production builds, especially if there is a hook which deploys to production automatically.
The current workaround is to create a separate Container Registry for dev/test containers and production containers, but this is cumbersome and now the customer is effectively charged double for the service.
I propose that a more granular set of permissions be allowed per user or service principal, such that access can be granted or restricted on a per-repository basis. Going one step further, it would also be beneficial to allow some namespacing in registry permissions (e.g. by adding prod/ namespace permissions).
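As an added illustration of the proposed model (this is a hypothetical policy evaluator written for this page, not Azure Container Registry's actual permission system), the check below grants each principal pull/push on a single repository, on a namespace such as prod/, or on the whole registry, and defaults to deny. The principal names, repository names and the `Grant` shape are constructed assumptions; it shows how a build server scoped to dev/ would be stopped from pushing into prod/ while still being able to pull from it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    """One proposed permission entry (hypothetical shape, not ACR's own)."""
    principal: str
    scope: str          # "*" = whole registry, "prod/*" = namespace, "dev/app" = one repo
    actions: frozenset  # subset of {"pull", "push"}


def scope_matches(scope: str, repository: str) -> bool:
    """Registry-wide, namespace-prefix, or exact-repository match.

    A namespace grant only matches on a '/' boundary, so 'prod/*'
    covers 'prod/web' but not 'production/web'.
    """
    if scope == "*":
        return True
    if scope.endswith("/*"):
        return repository.startswith(scope[:-1])  # keeps the trailing '/'
    return repository == scope


def authorize(grants, principal: str, repository: str, action: str) -> bool:
    """Default deny: allow only if some grant covers this principal, repo and action."""
    return any(
        g.principal == principal
        and action in g.actions
        and scope_matches(g.scope, repository)
        for g in grants
    )


# Constructed policy for the CI/CD scenario in the proposal above.
GRANTS = [
    Grant("build-server", "dev/*", frozenset({"pull", "push"})),     # dev/test builds
    Grant("build-server", "prod/*", frozenset({"pull"})),            # may read, never write
    Grant("release-pipeline", "prod/*", frozenset({"pull", "push"})),
    Grant("prod-deploy-hook", "prod/*", frozenset({"pull"})),
]

if __name__ == "__main__":
    for who, repo, act in [("build-server", "dev/web", "push"),
                           ("build-server", "prod/web", "push"),
                           ("build-server", "prod/web", "pull"),
                           ("release-pipeline", "prod/web", "push")]:
        print(f"{who:17} {act:4} {repo:10} -> {'allow' if authorize(GRANTS, who, repo, act) else 'deny'}")
```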