Azure Container Registry

Azure Container Registry is a managed, private Docker registry service that allows you to build, store, and manage container images and artifacts.

Tags:

4 minute read

Before pushing and pulling container images, you need to sign into the container registry.

Requirements

Install AZ CLI on Windows (Server or Desktop)
Install Microsoft Edge browser on Windows Server
Install Docker CE runtime on Windows Server
The login server name for the target container registry

Now you need to sign into Azure, so open Terminal and sign into Azure

az login

You need to make sure you are working in the correct Azure subscription.

az account show
az account set --subscription [subscription_name]

(optional) Retrieve the login server name of your ACR or copy it direct from the Azure portal.

az acr list --resource-group [YourResourceGroupName] --query "[].{acrLoginServer:loginServer}" --output table

Using the ACR login server you can log into the container registry.

az acr login --name [acr_login_server]

By following these steps, you should be able to log into your ACR using Docker without having to input your credentials manually. The access token is used in place of your password. To use the access token method for logging into Azure Container Registry (ACR) with Docker, follow these steps in your PowerShell session:

Get the Access Token Use the Azure CLI to get an access token for your ACR. Replace <acrName> with the name of your ACR. This command logs you into the ACR and exposes an access token, then converts the JSON output into a PowerShell object.

$loginResult = az acr login --name <acrName> --expose-token --output json | ConvertFrom-Json

Capture the Access Token as a Variable Extract the access token from the previous command’s output and store it in a variable.

$accessToken = $loginResult.accessToken

Login to Docker with the Access Token Use the access token to log in to Docker. The username is a fixed value (00000000-0000-0000-0000-000000000000) when using an access token.

docker login <acrName>.azurecr.io --username 00000000-0000-0000-0000-000000000000 --password $accessToken

Push a Docker image to the ACR

The following steps walk through pushing a Docker container from your workstation to an already existing ACR that you have access to.

Before you can push an image to your registry, you must tag it with the fully qualified name of your registry login server. The sign in server name is in the format .azurecr.io (must be all lowercase), for example, newregistryapl.azurecr.io.

Tag the image using the docker tag command. Replace with the login server name of your ACR instance.

docker tag [YourLocalImageName]:[YourLocalImageVersion] [YourACRLoginServer]/[YourImageName]:[YourImageVersion]

For example:

docker tag myapp:v1 myregistry.azurecr.io/myapp:v1

Use docker push to push the image to the registry instance. Replace with the sign-in server name of your registry instance.

push [YourACRLoginServer]/[YourImageName]:[YourImageVersion]

For example:

docker push myregistry.azurecr.io/myapp:v1

Tag a Docker Image

These command works for Windows and Linux. You should add SUDO before each command if using Linux.

Tag your local Docker image with the repository name where you want to push it. The general format for tagging an image is:

docker tag [SOURCE_IMAGE] [TARGET_REPOSITORY]:[TAG]

[SOURCE_IMAGE]: This is the name of the image you want to tag, which you have locally.
[TARGET_REPOSITORY]: This is the repository where you want to push the image. It could be on Docker Hub, Azure Container Registry, or another registry.
[TAG]: This is the tag you want to assign to the image, like latest, v1, v2, etc.

For example, if you have a local image named myapp, and you want to push it to Azure Container Registry, it will look something like this:

docker tag myapp myregistry.azurecr.io/myapp:v1

List Repositories in ACR

List all repositories in your ACR using the following command. Replace with the name of your Azure Container Registry:

az acr repository list --name <acrName> --output table

To list the tags for a specific repository, use the following command. Replace with your ACR name and with the name of the repository for which you want to list the tags:

az acr repository show-tags --name <acrName> --repository <repositoryName> --output table

Import from a Public Registry

To import a container image from a public registry, use the following command:

az acr import --name <acr_registry_name> --source <image_endpoint> --image <image_name>

Replace <acr_registry_name> with the name of your Azure Container Registry, <image_endpoint> with the URL of the image you want to import, and <image_name> with the name you want to give the imported image.

Permissions Required to Import Images

To import images, you need to have the appropriate permissions. Here’s an example of a custom role definition that grants the necessary permissions:

{
  "assignableScopes": [
    "/subscriptions/<subscription_id>"
  ],
  "description": "Can import images to registry",
  "Name": "AcrImport",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/push/write",
        "Microsoft.ContainerRegistry/registries/pull/read",
        "Microsoft.ContainerRegistry/registries/read",
        "Microsoft.ContainerRegistry/registries/importImage/action"
      ],
      "dataActions": [],
      "notActions": [],
      "notDataActions": []
    }
  ],
  "roleType": "CustomRole"
}