Azure – Content Trust in ACR and Roles

Security and Authentication method – Content Trust

You need a container registry to start with


Content trust in Azure Container Registry

“Azure Container Registry implements Docker’s content trust model, enabling pushing and pulling of signed images.”
https://docs.microsoft.com/en-us/azure/container-registry/container-registry-content-trust

Signing Role

ACRImageSigner     ( role is used for signing permissions)

AcrPush     ( role is used for ACR push)

For a list if built in roles and descriptions see here

Container registry roles see here


Azure CLI command to assign the ACRImageSigner role

az role assignment create –scope <registry ID> –role AcrImageSigner –assignee <user name>

ACR Tasks

Automate Container Image builds and ACR tasks info. An example use, for automating the build cycle. How “By executing az login with a service principal, your CI/CD solution could then issue az acr build commands to kick off image builds.”

Manage Resource Groups CLI

Azure CLI manage resource groups available here

Azure – Create Kubernetes Cluster with ACR Integration

How to create a Kubernetes Cluster with ACR Integration and Service Principal Authentication.

Create Kubernetes Cluster, Select the Kubernetes Services Blade> Cloud Shell

You will be prompted for storage if not already configured

Type “az” to use Azure CLI

Run script from Microsoft docs here

Create a new AKS cluster with ACR integration. If you haven’t got a service principal created, skip to the next section before creating the AKS cluster

# set this to the name of your Azure Container Registry. It must be globally unique

$MYACR=myContainerRegistry

# Run the following line to create an Azure Container Registry if you do not already have one

az acr create -n
$MYACR -g myContainerRegistryResourceGroup –sku basic

# Create an AKS cluster with ACR integration

az aks create -n myAKSCluster -g myResourceGroup –generate-ssh-keys –attach-acr
$MYACR

To configure Registry authentication service principals – MS doc guide to create Service Principal, (script is formatted for the Bash shell)

Create a service Principal

#!/bin/bash
# Modify for your environment.
# ACR_NAME: The name of your Azure Container Registry
# SERVICE_PRINCIPAL_NAME: Must be unique within your AD tenant
ACR_NAME=<container-registry-name>
SERVICE_PRINCIPAL_NAME=acr-service-principal
# Obtain the full registry ID for subsequent command args
ACR_REGISTRY_ID=$(az acr show --name
				$ACR_NAME --query id --output tsv)
# Create the service principal with rights scoped to the registry.
# Default permissions are for docker pull access. Modify the '--role'
# argument value as desired:
# acrpull:     pull only
# acrpush:     push and pull
# owner:       push, pull, and assign roles
SP_PASSWD=$(az
				ad
				sp create-for-rbac --name http://$SERVICE_PRINCIPAL_NAME --scopes $ACR_REGISTRY_ID --role acrpull --query password --output tsv)
SP_APP_ID=$(az
				ad
				sp
				show --id http://$SERVICE_PRINCIPAL_NAME --query appId --output tsv)
# Output the service principal's credentials; use these in your services and
# applications to authenticate to the container registry.
echo "Service principal ID: $SP_APP_ID"
echo "Service principal password: $SP_PASSWD"

The author does not verify any of the scripts are test and everything should be done in Dev only.