Microsoft AZ-204: Azure Container Registry Authentication for CI/CD with AcrPush Role

Learn the best authentication method and RBAC role for enabling third-party CI/CD access to Azure Container Registry. Ensure least privilege access with repository-scoped tokens and AcrPush role.

Question

You develop a containerized application. You plan to deploy the application to a new Azure Container Instances container by using a third-party continuous integration and continuous delivery (CI/CD) utility.

The deployment must be unattended and include all application assets. The third-party utility must only be able to push and pull images from the registry. The authentication must be managed by Azure Active Directory (Azure AD). The solution must use the principle of least privilege.

You need to ensure that the third-party utility can access the registry.

Which authentication options should you use? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Registry authentication method:

  • Service principal
  • Individual identity
  • Repository-scoped access token
  • Managed identity for Azure resources

RBAC role:

  • AcrPull
  • Owner
  • AcrPush
  • Contributor

Answer

Registry authentication method: Repository-scoped access token

RBAC role: AcrPush

Explanation

To enable secure, unattended access for the third-party CI/CD utility to push and pull images from the Azure Container Registry while following the principle of least privilege, you should use:

Registry authentication method: Repository-scoped access token

A repository-scoped access token grants time-limited access to specific repositories with an explicit set of permitted actions (for example, pull and push only). This ensures the CI/CD utility holds only the minimum permissions it needs. Managed identity, service principal, and individual identity would provide overly broad, permanent access.

RBAC role: AcrPush

The AcrPush role allows pushing and pulling of images. This is the minimum role required for the CI/CD utility’s stated needs. The AcrPull role wouldn’t allow pushing. Contributor and Owner roles provide much broader permissions beyond just the container registry.

By combining a repository-scoped access token with the AcrPush role, you enable the CI/CD utility to deploy the application to Azure Container Instances in an automated yet secure and properly scoped manner, ensuring the principle of least privilege is followed.
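The two controls named in the answer, as an added example that is not part of the original question or of any Microsoft material: a scope map limited to one repository with only `content/read` and `content/write`, a token bound to it with an expiry, and an `AcrPush` assignment scoped to the registry rather than the subscription. The registry, repository, token and scope-map names, the service principal id and the resource path are assumed placeholders; with the default `DRY_RUN=1` the script only prints the `az` commands, so it runs offline.

```shell
#!/usr/bin/env bash
# Added example, not from the page. Names below are assumptions/placeholders.
# DRY_RUN=1 (default) prints each az command instead of running it.
set -eu

REGISTRY="${REGISTRY:-contosoacr}"          # assumed registry name
REPOSITORY="${REPOSITORY:-webapp}"          # assumed repository the pipeline pushes
SCOPE_MAP="${SCOPE_MAP:-cicd-push-map}"     # assumed scope map name
TOKEN_NAME="${TOKEN_NAME:-cicd-push}"       # assumed token name
SP_APP_ID="${SP_APP_ID:-00000000-0000-0000-0000-000000000000}"   # placeholder app id
REGISTRY_ID="/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.ContainerRegistry/registries/$REGISTRY"
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Scope map: one repository, only the actions push and pull need.
# content/delete and metadata/write are deliberately absent, so a leaked
# token cannot delete or retag images.
scope_map_cmd() {
  run az acr scope-map create --registry "$REGISTRY" --name "$SCOPE_MAP" \
    --repository "$REPOSITORY" content/read content/write
}

# Token bound to that scope map; the expiry keeps the access time-limited.
# Rotate by generating a new password before the old one lapses.
token_cmd() {
  run az acr token create --registry "$REGISTRY" --name "$TOKEN_NAME" \
    --scope-map "$SCOPE_MAP" --expiration-in-days 30
}

# Azure AD path: AcrPush grants push and pull only, and the assignment is
# scoped to this registry, not to the resource group or subscription.
acrpush_cmd() {
  run az role assignment create --assignee "$SP_APP_ID" --role AcrPush \
    --scope "$REGISTRY_ID"
}

scope_map_cmd
token_cmd
acrpush_cmd
```

Set `DRY_RUN=0` after `az login` to execute the commands against a real registry.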
