
Azure Container Registry

The Azure Container Registry (ACR) generator creates a short-lived refresh or access token for accessing ACR. The token is generated for a particular ACR registry defined in spec.registry.

Output Keys and Values

Key        Description
username   username for the docker login command
password   password for the docker login command


You must choose one out of three authentication mechanisms:

  • service principal
  • managed identity
  • workload identity

The generated token inherits the permissions of the assigned policy. For example, when you assign a read-only policy, all generated tokens will be read-only.

You can scope tokens to a particular repository using spec.scope.


First, an Azure Active Directory access token is obtained with the desired authentication method. This AAD access token is then used to authenticate against ACR to issue a refresh token or access token. If spec.scope is defined, the generator obtains an ACR access token. If spec.scope is missing, it obtains an ACR refresh token:

  • access tokens are scoped to a specific repository or action (pull, push)
  • refresh tokens are scoped to whatever policy is attached to the identity that creates the ACR refresh token

The scope grammar is defined in the Docker Registry spec. Note: You cannot use wildcards in the scope parameter; you can match exactly one repository and define multiple actions like pull or push.
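A pre-merge check for spec.scope values that follows the rules above: one repository, no wildcards, one or more actions, and a refresh token when no scope is set. This is an added example, not code from the External Secrets project; check_scope and its allowed_actions policy argument are hypothetical names, and it accepts plain repository paths only (no host:port prefix).

```python
import re

# Repository path per the Docker Registry name grammar: lowercase
# alphanumeric components joined by ".", "_", "__" or "-", split by "/".
_COMPONENT = r"[a-z0-9]+(?:(?:\.|_|__|-+)[a-z0-9]+)*"
_REPO = re.compile(rf"{_COMPONENT}(?:/{_COMPONENT})*")
_ACTION = re.compile(r"[a-z]+")


def check_scope(scope, allowed_actions=None):
    """Validate a spec.scope value and report which token kind results.

    allowed_actions is a hypothetical policy knob for this example, e.g.
    {"pull"} to keep generated tokens read-only.
    """
    if not scope:
        # Per the page: no scope means an ACR refresh token, limited only
        # by the policy attached to the identity.
        return {"token": "refresh", "repository": None, "actions": []}
    if "*" in scope:
        raise ValueError("wildcards are not supported in spec.scope")
    if len(scope.split()) != 1:
        raise ValueError("exactly one resource scope is allowed")
    parts = scope.split(":")
    if len(parts) != 3:
        raise ValueError("expected <type>:<name>:<action>[,<action>]")
    rtype, name, action_list = parts
    if rtype != "repository":
        raise ValueError(f"unsupported resource type {rtype!r}")
    if not _REPO.fullmatch(name):
        raise ValueError(f"invalid repository name {name!r}")
    actions = action_list.split(",")
    for action in actions:
        if not _ACTION.fullmatch(action):
            raise ValueError(f"invalid action {action!r}")
    if allowed_actions is not None:
        extra = sorted(set(actions) - set(allowed_actions))
        if extra:
            raise ValueError(f"actions not permitted by policy: {extra}")
    return {"token": "access", "repository": name, "actions": actions}
```

Running it with allowed_actions={"pull"} over every ACRAccessToken manifest in a repository flags any generator that would hand out push-capable tokens.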

Example scopes:


Example Manifest

apiVersion: generators.external-secrets.io/v1alpha1
kind: ACRAccessToken
metadata:
  name: my-acr-token  # placeholder name
spec:
  tenantId: 11111111-2222-3333-4444-111111111111
  # registry the tokens are issued for (placeholder value)
  registry: example.azurecr.io

  # optional; scope token down to a single repository/action
  # if set, it will generate an access token instead of a refresh token.
  scope: "repository:foo:pull,push"

  # Specify Azure cloud type, defaults to PublicCloud.
  # This is used for authenticating with Azure Active Directory.
  # available options: PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  environmentType: "PublicCloud"

  # choose one authentication method
  auth:

    # option 1: point to a secret that contains a client-id and client-secret
    servicePrincipal:
      secretRef:
        clientSecret:
          name: az-secret
          key: clientsecret
        clientId:
          name: az-secret
          key: clientid

    # option 2:
    managedIdentity:
      identityId: "xxxxx"

    # option 3:
    workloadIdentity:
      # note: you can reference service accounts across namespaces.
      serviceAccountRef:
        name: "my-service-account"
        audiences: []