# Azure Container Registry

The Azure Container Registry (ACR) generator creates a short-lived refresh or access token for accessing ACR.
The token is generated for the ACR registry defined in `spec.registry`.
## Output Keys and Values

| Key | Description |
| --- | --- |
| username | username used to authenticate to the registry |
| password | password (the generated token) used to authenticate to the registry |
You must choose exactly one of three authentication mechanisms:
- service principal
- managed identity
- workload identity
The generated token inherits the permissions of the policy assigned to the authenticating identity, i.e. if you assign a read-only policy, every generated token will be read-only.
You can narrow a token further, to a single repository and set of actions, using `spec.scope`.
First, an Azure Active Directory (AAD) access token is obtained with the chosen authentication method.
That AAD access token is then used to authenticate against ACR and issue either an ACR access token or an ACR refresh token, depending on `spec.scope`:
- if `spec.scope` is defined, an ACR access token is issued; access tokens are scoped to a specific repository and set of actions (pull, push)
- if `spec.scope` is missing, an ACR refresh token is issued; refresh tokens carry whatever permissions the policy attached to the authenticating identity grants
The scope grammar is defined in the Docker Registry spec.
Note: wildcards are not supported in the scope parameter. You can match exactly one repository and specify multiple actions for it, e.g. `repository:foo:pull,push`.
```yaml
apiVersion: generators.external-secrets.io/v1alpha1
kind: ACRAccessToken
metadata:
  name: acr-token   # any name; the generator is a namespaced object like any other
spec:
  tenantId: 11111111-2222-3333-4444-111111111111
  registry: example.azurecr.io
  # optional; scope the token down to a single repository/action.
  # If set, an access token is generated instead of a refresh token.
  scope: "repository:foo:pull,push"
  # Azure cloud type, defaults to PublicCloud.
  # This is used for authenticating with Azure Active Directory.
  # Available options: PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  environmentType: "PublicCloud"
  # choose exactly one authentication method
  auth:
    # option 1: point to a secret that contains a client-id and client-secret
    servicePrincipal:
      secretRef:
        clientSecret:
          name: az-secret
          key: clientsecret
        clientId:
          name: az-secret
          key: clientid
    # option 2:
    managedIdentity:
      identityId: "xxxxx"
    # option 3:
    workloadIdentity:
      # note: you can reference service accounts across namespaces.
      serviceAccountRef:
        name: "my-service-account"
        audiences:
```
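A generator on its own produces nothing; an `ExternalSecret` has to reference it. The manifest below is an added example and not part of the original page or the project's own docs: it consumes the generator above (assumed to be named `acr-token` and to live in the same namespace as the `ExternalSecret`) and templates the generator's `username`/`password` output keys into a `kubernetes.io/dockerconfigjson` Secret that pods can use as an `imagePullSecret`. The object names, the registry hostname and the 30m refresh interval are assumptions.

```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: acr-pull-secret          # assumed name
spec:
  # The generated token is short-lived, so re-run the generator well before it expires;
  # 30m is an assumed value, pick one below the lifetime of the token you get back.
  refreshInterval: 30m
  target:
    name: acr-pull-secret        # Secret referenced by pods via imagePullSecrets
    template:
      type: kubernetes.io/dockerconfigjson
      data:
        # .username and .password are the generator's output keys from the table above
        .dockerconfigjson: |
          {"auths":{"example.azurecr.io":{"username":"{{ .username }}","password":"{{ .password }}"}}}
  dataFrom:
    - sourceRef:
        generatorRef:
          apiVersion: generators.external-secrets.io/v1alpha1
          kind: ACRAccessToken
          name: acr-token          # the ACRAccessToken defined above, same namespace
```

For a pull-only workload, set the generator's `spec.scope` to `repository:foo:pull` rather than `repository:foo:pull,push`: the resulting access token cannot push, so a compromised pod holding the Secret cannot tamper with images in that repository. Leaving `spec.scope` unset yields a refresh token with the full permissions of the identity's policy, which is rarely what an image pull needs.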