acr
Use Entra security principals with scope maps
What is the problem you're trying to solve?
I want to manage user and service principals centrally in Entra with access to multiple Azure Container Registries and different scope maps in each of them. This is an enterprise scenario where multiple ACR instances are used across different environments like dev, staging and production, and also by many product groups. The employees shall be able to use their company accounts to sign in and access the various container registries.
Describe the solution you'd like
Create an ACR token from an Entra user or service principal via UI or API and then associate scope maps to it as usual.
Additional context
We also use multiple Entra tenants which are connected to each other via B2B user invitations and cross-tenant access possibilities. The mechanism should support local identities as well as invited B2B accounts (Guests, Members).
Adding @johnsonshi. Repo-based permissions would most likely be the way forward for Entra-based apps/users.
@thgossler
Attribute-Based Access Control (ABAC) is an extension on top of RBAC role assignments that allows you to specify attribute conditions during role assignments. This allows you to grant role assignment permissions only if the attribute condition evaluates to true.
In Azure Container Registry, ABAC's extension on top of RBAC role assignments will allow you to specify a repository attribute condition to grant a role assignment's permissions to specific repositories. With ACR ABAC role assignments, you can grant Entra ID-based repository permissions to specific repositories (through an attribute condition that requires an exact repository name match) or to a list of repositories under a namespace (through an attribute condition that can match prefixes based on repository names).
ACR currently has this in the works in internal testing. We are targeting a private preview of this highly-anticipated feature sometime in mid-to-latter half of 2024.
To learn more about Attribute-based Access Control (as an extension on top of Azure RBAC) on Azure role assignments, please visit https://learn.microsoft.com/en-us/azure/role-based-access-control/conditions-overview
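The two condition shapes described in the reply above (an exact repository-name match and a namespace prefix match) can be modelled with a small evaluator. The block below is an added example and is not code from the Azure/acr project, nor Azure's own ABAC engine: it uses the Azure ABAC operator names StringEquals and StringStartsWith, but the action names, the attribute handling and the scenario data are constructed for illustration, and the real ACR attribute and action identifiers are the ones in the linked preview documentation. It also shows the practical pitfall a practitioner should check for: a prefix written without the namespace separator ("team-a" instead of "team-a/") also matches the sibling namespace "team-ab/".

```python
"""Toy evaluator for repository-scoped ABAC conditions on RBAC role assignments.

Added example only. Not the Azure ABAC engine and not Azure/acr project code.
Azure ABAC conditions generally have the shape
    ( !(ActionMatches{'<data action>'}) OR (@Request[<attribute>] StringEquals '<value>') )
i.e. "either the action is not the one being constrained, or the attribute test
passes". That is the logic modelled here; action names below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

# Constructed stand-ins for the ACR data actions a repository condition constrains.
PULL = "content/read"
PUSH = "content/write"
DELETE = "content/delete"


@dataclass(frozen=True)
class RepoCondition:
    actions: FrozenSet[str]   # data actions this condition constrains
    operator: str             # Azure ABAC string operator name
    value: str                # exact repository name or namespace prefix

    def allows(self, action: str, repo: str) -> bool:
        # Actions the condition does not mention are not restricted by it
        # (the "!(ActionMatches{...}) OR ..." half of the condition).
        if action not in self.actions:
            return True
        if self.operator == "StringEquals":
            return repo == self.value
        if self.operator == "StringStartsWith":
            return repo.startswith(self.value)
        raise ValueError(f"unsupported operator {self.operator!r}")


@dataclass(frozen=True)
class RoleAssignment:
    role_actions: FrozenSet[str]          # data actions granted by the role
    condition: Optional[RepoCondition] = None

    def permits(self, action: str, repo: str) -> bool:
        # The role must grant the action at all, then the condition narrows it.
        if action not in self.role_actions:
            return False
        return self.condition is None or self.condition.allows(action, repo)


def evaluate(assignments: Iterable[RoleAssignment], action: str, repo: str) -> bool:
    """Azure RBAC is additive: access is granted if any assignment permits it."""
    return any(a.permits(action, repo) for a in assignments)


# Constructed scenario: a CI service principal may pull and push only within the
# "team-a/" namespace; a production pull identity may pull exactly one repository.
ci_principal = [
    RoleAssignment(
        role_actions=frozenset({PULL, PUSH}),
        condition=RepoCondition(frozenset({PULL, PUSH}), "StringStartsWith", "team-a/"),
    )
]
prod_puller = [
    RoleAssignment(
        role_actions=frozenset({PULL}),
        condition=RepoCondition(frozenset({PULL}), "StringEquals", "team-a/api"),
    )
]
# Pitfall: a prefix without the trailing namespace separator also matches "team-ab/...".
sloppy_prefix = [
    RoleAssignment(
        role_actions=frozenset({PULL}),
        condition=RepoCondition(frozenset({PULL}), "StringStartsWith", "team-a"),
    )
]


def demo() -> dict:
    return {
        "ci_push_own_ns": evaluate(ci_principal, PUSH, "team-a/api"),        # True
        "ci_push_other_ns": evaluate(ci_principal, PUSH, "team-b/api"),      # False
        "ci_delete_own_ns": evaluate(ci_principal, DELETE, "team-a/api"),    # False: role lacks delete
        "prod_pull_exact": evaluate(prod_puller, PULL, "team-a/api"),        # True
        "prod_pull_sibling": evaluate(prod_puller, PULL, "team-a/worker"),   # False: exact match only
        "sloppy_leaks": evaluate(sloppy_prefix, PULL, "team-ab/secret"),     # True: the pitfall
        "strict_no_leak": evaluate(ci_principal, PULL, "team-ab/secret"),    # False: "team-a/" prefix
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The two points worth carrying over to a real registry: RBAC stays additive, so a second unconditional AcrPull-style assignment on the same identity would silently widen what the conditioned one narrowed, and a namespace prefix should always end in the repository separator so that it cannot match a sibling namespace that merely shares the same leading characters.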
Will it be possible then to use Entra service principal client app ID and secret also with the Docker tools like tokens today? I would like to use ABAC then for service principals in CI/CD or pull from within production systems scenarios and user principals in the Azure Portal for interactive dev/ops scenarios.
ACR's Repository Permissions is now in Private Preview and its documentation is now available at acr/docs/preview/abac-repo-permissions/README.md at main · Azure/acr (github.com).
With this feature, when you make Entra-specific role assignments, you can scope the ACR role assignments so that the identity (in the role assignee) can only read, write, and/or delete images within specific repositories. Any Entra identities, including users, groups, managed identities, and service principals, are supported for repository permissions scoping with ACR ABAC.
This is a significant step in ACR's security and permissions model as it allows multiple teams to host images within a single ACR (and segregate permissions).
For further questions, please contact [email protected]