# Azure Container Registry integration with Azure Active Directory
- Azure Container Registry integration with Azure Active Directory
- Azure Container Registry token claim sets
- Getting credentials programmatically
# Overview
The Azure Container Registry allows users to manage a private Docker registry on the cloud. Our service enables customers to store and manage container images across all types of Azure deployments, keep container images near deployments to reduce latency and costs, maintain Windows and Linux container images in a single Docker registry, use familiar, open-source Docker command line interface (CLI) tools, and simplify registry access management with Azure Active Directory.
The integration of Azure Container Registry with Azure Active Directory is crucial in order to enable transparent authentication and authorization of users and headless services using AAD credentials. In this scenario, a user will only have to use their AAD credentials to log-in to their private registry, and the Azure Container Service will take care of the authorization validation of each operation using the provided credentials.
Under the hood Azure Container Service utilizes the oauth2 (opens new window) authorization protocol, as described by the Docker Registry v2 authentication via central service documentation (opens new window) as well as the Docker Registry v2 Bearer token specification (opens new window). The JWT tokens generated by the Azure Container Registry are easy to observe in jwt.ms (opens new window).
# Authenticating to a registry with Azure CLI
The process to log in to the registry, from the user's perspective, is simple. The user will use the Microsoft Azure CLI 2.0:
az acr login -n contosoregistry
Internally, the CLI will follow these steps:
- Calls to Azure Resource Manager to resolve the login server for the specified registry.
- Obtains refresh credentials from the profile in use. For a headless call, this will give you the registered SPN, for a regular user this will give you a refresh token.
- Makes an HTTPS GET call to the registry server's
/v2
endpoint, without credentials. A bearer token authentication challenge is expected, specifying realm and service values. The realm contains the authentication server's URL. - Makes an HTTPS POST call to the authentication server's
POST /oauth2/exchange
endpoint, with a body indicating the grant type, the service, the tenant, and the credentials. - From the server's response, we extract an Azure Container Registry refresh token.
- Pass the refresh token as the password to the Docker CLI, using a null GUID as the username and calling
docker login
. From here on, the docker CLI takes care of the authorization cycle using oauth2.
At the end Docker will store the refresh token and go through the oauth2 flow on each operation it does against the Azure Container Registry.
# Listing a repository with Azure CLI
The Microsoft Azure CLI 2.0 allows users to also list the repositories registries, and list tags for a repository in a registry. Here's how users can achieve listing the repositories in a registry:
az acr repository list -n contosoregistry
Internally, the CLI will follow these steps:
- Calls to Azure Resource Manager to resolve the login server for the specified registry.
- Obtains refresh credentials from the profile in use. For a headless call, this will give you the registered SPN, for a regular user this will give you a refresh token.
- Makes an HTTPS GET call to the registry server's
/v2
endpoint, without credentials. A bearer token authentication challenge is expected, specifying realm and service values. The realm contains the authentication server's URL. - Makes an HTTPS POST call to the authentication server's
POST /oauth2/exchange
endpoint, with a body indicating the grant type, the service, the tenant, and the credentials. - From the server's response we extract an Azure Container Registry refresh token.
- Makes an HTTPS POST call to the authentication server's
POST /oauth2/token
endpoint, with a body indicating the grant type, the service, the scope, and the Azure Container Registry refresh token. - From the server's response we extract an Azure Container Registry access token.
- Makes an HTTPS GET call to the registry server's
GET /v2/_catalog
endpoint using the access token as the bearer token. - Obtains the data from the service and displays it.
When listing the tags of a repository, every step above is the same except for the call to the endpoint that gives the tags which is GET /v2/contosoregistry/tags/list
instead of GET /v2/_catalog
.
# Azure Container Registry token claim sets
Following the command of repository list in the previous section:
az acr repository list -n contosoregistry
A JWT refresh token extracted at step 5 has the following claim set:
{
"jti": "365e3b5b-844e-4a21-a38c-4d8aebdd6a06",
"sub": "user@contoso.com",
"nbf": 1497988712,
"exp": 1497990801,
"iat": 1497988712,
"iss": "Azure Container Registry",
"aud": "contosoregistry.azurecr.io",
"version": "1.0",
"grant_type": "refresh_token",
"tenant": "409520d4-8100-4d1d-ad47-72432ddcc120",
"permissions": {
"actions": [
"*"
],
"notActions": []
},
"roles": []
}
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
Followed by an access token at step 7 with the following claim set:
{
"jti": "ec425c1e-7eda-4f70-adb5-19f927e34a41",
"sub": "user@contoso.com",
"nbf": 1497988907,
"exp": 1497993407,
"iat": 1497988907,
"iss": "Azure Container Registry",
"aud": "contosoregistry.azurecr.io",
"version": "1.0",
"access": [
{
"type": "registry",
"name": "catalog",
"actions": [
"*"
]
}
],
"roles": [],
"grant_type": "access_token"
}
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
# Getting credentials programmatically
In order to sign in to a container you'll need to exchange AAD credentials for ACR credentials. The accepted form of credential exchange are:
- AAD access token.
- [Deprecated] AAD refresh token.
- [Deprecated] AAD access token and refresh token.
The AAD access token is used to talk to the Azure Resource Manager and query for the set of permissions that the user has for the container registry resource.
[Deprecated] The AAD refresh token is used in two ways:
- If no AAD access token was presented, the AAD refresh token is used to obtain an AAD access token.
- The AAD refresh token is sent back to the user so they can initiate a token refresh cycle against AAD. If no AAD refresh token is sent, then the client won't have this credential at hand to initiate a credential refresh.
The cycle to get credentials looks as follows:
- Call
POST /oauth2/exchange
presenting the AAD access token or the AAD refresh token [Deprecated]. The service will return you an ACR refresh token. - Call
POST /oauth2/token
presenting the ACR refresh token. The service will return you an ACR access token which you can use to call the Azure Container Registry's APIs.
# Calling POST /oauth2/exchange
to get an ACR refresh token
In this example, we'll try to obtain an ACR refresh token from existing AAD tokens. Assume you have the following:
- A valid container registry, which here we'll call
contosoregistry.azurecr.io
. - The AAD tenant identifier associated to the credentials, which here we'll take to be
409520d4-8100-4d1d-ad47-72432ddcc120
. - Valid AAD access token credential with access to the aforementioned container registry.
The AAD access token can be obtained from the Azure CLI. After running az login
check file $HOME/.azure/accessTokens.json
(%HOMEDRIVE%%HOMEPATH%\.azure\accessTokens.json
in Windows) for the token values.
We'll now call POST /oauth2/exchange
to exchange the AAD tokens for an ACR refresh token. Here's how such a call looks when done via curl
:
registry="contosoregistry.azurecr.io"
tenant="409520d4-8100-4d1d-ad47-72432ddcc120"
aad_access_token="eyJ...H-g"
curl -v -X POST -H "Content-Type: application/x-www-form-urlencoded" -d \
"grant_type=access_token&service=$registry&tenant=$tenant&access_token=$aad_access_token" \
https://$registry/oauth2/exchange
2
3
4
5
6
The body of the POST message is a querystring-like text that specifies the following values:
grant_type
, which can take a value ofaccess_token
, oraccess_token_refresh_token
[Deprecated], orrefresh_token
[Deprecated].service
, which must indicate the name of your Azure container registry.tenant
, which is the AAD tenant associated to the AAD credentials.access_token
, the AAD access token, mandatory whengrant_type
isaccess_token
oraccess_token_refresh_token
[Deprecated].- [Deprecated]
refresh_token
, the AAD refresh token, mandatory whengrant_type
isaccess_token_refresh_token
orrefresh_token
.
The outcome of this operation will be a response with status 200 OK and a body with the following JSON payload:
{"refresh_token":"eyJ...L7a"}
This response is the ACR refresh token which you can inspect with jwt.ms (opens new window). You can now use it to obtain an ACR access token programmatically or simply send it to the docker login
command to get docker talking to the Azure Container Registry.
# Authenticating docker with an ACR refresh token
Once you have obtained an ACR refresh token, you can use the docker CLI to sign in to your registry like this:
registry="contosoregistry.azurecr.io"
acr_username="00000000-0000-0000-0000-000000000000"
acr_refresh_token="eyJ...L7a"
docker login -u "$acr_username" -p "$acr_refresh_token" $registry
2
3
4
The null GUID tells the container registry that this is an ACR refresh token during the login flow. Once the authentication succeeds you can talk to the Azure Container Registry with commands like docker pull
and docker push
. For example:
docker pull contosoregistry.azurecr.io/contoso-marketing
Notice that the ACR refresh token will be saved by the docker CLI in its credential store, and will be used by the docker CLI to obtain an ACR access token on each operation it performs against the Azure Container Registry. The ACR refresh token is made so it stops working after a period of time, but if you obtained it using either grant_type=access_token_refresh_token
or grant_type=refresh_token
then it can be refreshed automatically by installing the ACR docker credential helper (opens new window).
# Calling POST /oauth2/token
to get an ACR access token
In this example, we'll try to obtain an ACR access token from existing ACR refresh token, and this access token will only work for the operation we're trying to perform, which is a call to the GET /v2/_catalog
API. Assume you have the following:
- A valid container registry, which here we'll call
contosoregistry.azurecr.io
. - A valid ACR refresh token.
The first thing you want is to obtain an authentication challenge for the operation you want to on the Azure Container Registry. That can be done by targetting the API you want to call without any authentication. Here's how to do that via curl
:
registry="contosoregistry.azurecr.io"
curl -v https://$registry/v2/_catalog
2
Note that curl
by default does the request as a GET
unless you specify a different verb with the -X
modifier.
This will output the following payload, with ...
used to shorten it for illustrative purposes:
< HTTP/1.1 401 Unauthorized
...
< Www-Authenticate: Bearer realm="https://contosoregistry.azurecr.io/oauth2/token",service="contosoregistry.azurecr.io",scope="registry:catalog:*"
...
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"registry","Name":"catalog","Action":"*"}]}]}
2
3
4
5
Notice the response payload has a header called Www-Authenticate
that gives us the following information:
- The type of challenge:
Bearer
. - The realm of the challenge:
https://contosoregistry.azurecr.io/oauth2/token
. - The service of the challenge:
contosoregistry.azurecr.io
. - The scope of the challenge:
registry:catalog:*
.
The body of the payload might provide additional details, but all the information you need is contained in the Www-Authenticate
header.
With this information we're now ready to call POST /oauth2/token
to obtain an ACR access token that will allow us to use the GET /v2/_catalog
API. Here's how such a call looks when done via curl
:
registry="contosoregistry.azurecr.io"
acr_refresh_token="eyJ...L7a"
scope="registry:catalog:*"
curl -v -X POST -H "Content-Type: application/x-www-form-urlencoded" -d \
"grant_type=refresh_token&service=$registry&scope=$scope&refresh_token=$acr_refresh_token" \
https://$registry/oauth2/token
2
3
4
5
6
The body of the POST message is a querystring-like text that specifies the following values:
grant_type
which is expected to berefresh_token
.service
, which must indicate the name of your Azure container registry. You obtained this from theWww-Authenticate
response header from the challenge.scope
, which is expected to be a valid scope (opens new window), and can be specified more than once for multiple scope requests. You obtained this from theWww-Authenticate
response header from the challenge.refresh_token
, which must be a valid ACR refresh token, as obtained by callingPOST /oauth2/exchange
.
The outcome of this operation will be a response with status 200 OK and a body with the following JSON payload:
{"access_token":"eyJ...xcg"}
This response is the ACR access token which you can inspect with jwt.ms (opens new window). You can now use it to call APIs exposed by the Azure Container Registry
# Calling POST /oauth2/token
to get an ACR access token for Helm repository
In this example, we'll try to obtain an ACR access token from existing ACR refresh token to access Helm repository, and this access token will only work for the operation we're trying to perform, which is a call to the GET /helm/v1/repo/index.yaml
API. Assume you have the following:
- A valid container registry, which here we'll call
contosoregistry.azurecr.io
. - A valid ACR refresh token.
The first thing you want is to obtain an authentication challenge for the operation you want to on the Azure Container Registry. That can be done by targetting the API you want to call without any authentication. Here's how to do that via curl
:
registry="contosoregistry.azurecr.io"
curl -v https://$registry/helm/v1/repo/index.yaml
2
Note that curl
by default does the request as a GET
unless you specify a different verb with the -X
modifier.
This will output the following payload, with ...
used to shorten it for illustrative purposes:
< HTTP/1.1 401 Unauthorized
...
< Www-Authenticate: Bearer realm="https://contosoregistry.azurecr.io/oauth2/token",service="contosoregistry.azurecr.io",scope="artifact-repository:repo:pull"
...
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"artifact-repository","Name":"repo","Action":"pull"}]}]}
2
3
4
5
Notice the response payload has a header called Www-Authenticate
that gives us the following information:
- The type of challenge:
Bearer
. - The realm of the challenge:
https://contosoregistry.azurecr.io/oauth2/token
. - The service of the challenge:
contosoregistry.azurecr.io
. - The scope of the challenge:
artifact-repository:repo:pull
.
The body of the payload might provide additional details, but all the information you need is contained in the Www-Authenticate
header.
With this information we're now ready to call POST /oauth2/token
to obtain an ACR access token that will allow us to use the GET /helm/v1/repo/index.yaml
API. Here's how such a call looks when done via curl
:
registry="contosoregistry.azurecr.io"
acr_refresh_token="eyJ...L7a"
scope="artifact-repository:repo:pull"
curl -v -X POST -H "Content-Type: application/x-www-form-urlencoded" -d \
"grant_type=refresh_token&service=$registry&scope=$scope&refresh_token=$acr_refresh_token" \
https://$registry/oauth2/token
2
3
4
5
6
The body of the POST message is a querystring-like text that specifies the following values:
grant_type
which is expected to berefresh_token
.service
, which must indicate the name of your Azure container registry. You obtained this from theWww-Authenticate
response header from the challenge.scope
, which is expected to be aartifact-repository:repo:pull
for read operations andartifact-repository:repo:*
for write operations, and can be specified more than once for multiple scope requests. You obtained this from theWww-Authenticate
response header from the challenge.refresh_token
, which must be a valid ACR refresh token, as obtained by callingPOST /oauth2/exchange
.
The outcome of this operation will be a response with status 200 OK and a body with the following JSON payload:
{"access_token":"eyJ...xcg"}
This response is the ACR access token which you can inspect with jwt.ms (opens new window). You can now use it to call APIs exposed by the Azure Container Registry. Refer the full script to fetch the helm index.yaml.
# Calling an Azure Container Registry API
In this example we'll call catalog listing and tag listing APIs on an Azure Container Registry.
# Catalog Listing
Assume you have the following:
- A valid container registry, which here we'll call
contosoregistry.azurecr.io
. - A valid ACR access token, created with the correct scope for the API we're going to call.
Here's how a call to the GET /v2/_catalog
API of the given registry would look like when done via curl
:
registry="contosoregistry.azurecr.io"
acr_access_token="eyJ...xcg"
curl -v -H "Authorization: Bearer $acr_access_token" https://$registry/v2/_catalog
2
3
Note that curl
by default does the request as a GET
unless you specify a different verb with the -X
modifier.
This should result in a status 200 OK, and a body with a JSON payload listing the repositories held in this registry:
{"repositories":["alpine","contoso-marketing","hello-world","node"]}
# Pagination
To retrieve paginated catalog results, add an n
parameter to limit the number or results. We take n=2
as example:
registry="contosoregistry.azurecr.io"
acr_access_token="eyJ...xcg"
limit=2
curl -v -H "Authorization: Bearer $acr_access_token" "https://$registry/v2/_catalog?n=$limit"
2
3
4
This should result in a status 200 OK, and a body with a JSON payload listing the first n
repositories held in this registry. If there are more results, a Link
header containing the request URL for the next result block is also returned. If the entire result set has been received, the Link
header will not be returned.
In this case, the first 2 repositories are returned, and there are more entries in the result set. The response would look like:
< HTTP/1.1 200 OK
...
Content-Type: application/json
Link: </v2/_catalog?last=contoso-marketing&n=2&orderby=>; rel="next"
{"repositories": ["alpine","contoso-marketing"]}
2
3
4
5
6
To get the next result block, issue the request using the /v2/_catalog?last=contoso-marketing&n=2&orderby=
URL encoded in the Link
header. Here is how the call would look like:
curl -v -H "Authorization: Bearer $acr_access_token" "https://$registry/v2/_catalog?last=contoso-marketing&n=2&orderby="
You can query the paginated results in a loop, as the following shows:
registry="contosoregistry.azurecr.io"
acr_access_token="eyJ...xcg"
limit=2
operation=/v2/_catalog?n=$limit
headers=$(mktemp -t headers.XXXXX)
while [ -n "$operation" ]
do
echo "Operation"
echo $operation
catalog=$(curl -H "Authorization: Bearer $acr_access_token" "https://$registry$operation" -D $headers)
echo "Catalog"
echo $catalog
operation=$(cat $headers | sed -n 's/^Link: <\(.*\)>.*/\1/p')
done
rm $headers
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
For more information, visit Docker V2 API Reference - Listing Repositories (opens new window).
# Tag Listing
Assume you have the following:
- A valid container registry, which here we'll call
contosoregistry.azurecr.io
. - A valid ACR access token, created with the correct scope for the API we're going to call.
- A valid image in the registry, for example
hello-world
.
Here's how a call to the GET /v2/<name>/tags/list
API of the given image would look like when done via curl
:
registry="contosoregistry.azurecr.io"
acr_access_token="eyJ...xcg"
image="hello-world"
curl -v -H "Authorization: Bearer $acr_access_token" "https://$registry/v2/$image/tags/list"
2
3
4
Note that curl
by default does the request as a GET
unless you specify a different verb with the -X
modifier.
This should result in a status 200 OK, and a body with a JSON payload listing the tags of this image:
{"name": "hello-world","tags": ["latest","v1","v2","v3"]}
# Pagination
To retrieve paginated tag results, add an n
parameter to limit the number or results. We take n=2
as example:
registry="contosoregistry.azurecr.io"
acr_access_token="eyJ...xcg"
image="hello-world"
limit=2
curl -v -H "Authorization: Bearer $acr_access_token" "https://$registry/v2/$image/tags/list?n=$limit"
2
3
4
5
This should result in a status 200 OK, and a body with a JSON payload listing the first n
tags of this image. If there are more results, a Link
header containing the request URL for the next result block is also returned. If the entire result set has been received, the Link
header will not be returned.
In this case, the first 2 tags are returned, and there are more entries in the result set. The response would look like:
< HTTP/1.1 200 OK
...
Content-Type: application/json
Link: </v2/hello-world/tags/list?last=v1&n=2&orderby=>; rel="next"
{"name":"hello-world","tags":["latest","v1"]}
2
3
4
5
6
To get the next result block, issue the request using the /v2/hello-world/tags/list?last=v1&n=2&orderby=
URL encoded in the Link
header. Here is how the call would look like:
curl -v -H "Authorization: Bearer $acr_access_token" "https://$registry/v2/$image/tags/list?last=v1&n=2&orderby="
You can query the paginated results in a loop, as the following shows:
registry="contosoregistry.azurecr.io"
acr_access_token="eyJ...xcg"
image="hello-world"
limit=2
operation=/v2/$image/tags/list?n=$limit
headers=$(mktemp -t headers.XXXXX)
while [ -n "$operation" ]
do
echo "Operation"
echo $operation
tags=$(curl -H "Authorization: Bearer $acr_access_token" "https://$registry$operation" -D $headers)
echo "Tags"
echo $tags
operation=$(cat $headers | sed -n 's/^Link: <\(.*\)>.*/\1/p')
done
rm $headers
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
For more information, visit Docker V2 API Reference - Listing Image Tags (opens new window).
# Samples API Call scripts
This is a summary script of the points discussed above. The first three variables have to be filled out.
- Variable
registry
can be something like"contosoregistry.azurecr.io"
. - The AAD access token and AAD refresh token values can be obtained from the Azure CLI, after running
az login
check file$HOME/.azure/accessTokens.json
(%HOMEDRIVE%%HOMEPATH%\.azure\accessTokens.json
in Windows) for the token values.
Note that a stale AAD tokens will result in this script failing to obtain an ACR refresh token, and therefore it won't succeed in obtaining an ACR access token or in executing the operation against the registry.
# Catalog Listing with AAD refresh token
#!/bin/bash
registry=" --- you have to fill this out --- "
aad_refresh_token=" --- you have to fill this out --- "
aad_access_token=" --- you have to fill this out --- "
operation="/v2/_catalog"
acr_refresh_token=$(curl -s -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=access_token_refresh_token&service=$registry&refresh_token=$aad_refresh_token&access_token=$aad_access_token" https://$registry/oauth2/exchange | jq '.refresh_token' | sed -e 's/^"//' -e 's/"$//')
echo "ACR Refresh Token"
echo $acr_refresh_token
challenge=$(curl -vs https://$registry$operation 2>&1 | grep "Www-Authenticate:")
echo "Challenge"
echo $challenge
scope=$(echo $challenge | egrep -o 'scope=\"([^\"]*)\"' | egrep -o '\"([^\"]*)\"' | sed -e 's/^"//' -e 's/"$//')
echo "Scope"
echo $scope
acr_access_token=$(curl -s -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=refresh_token&service=$registry&scope=$scope&refresh_token=$acr_refresh_token" https://$registry/oauth2/token | jq '.access_token' | sed -e 's/^"//' -e 's/"$//')
echo "ACR Access Token"
echo $acr_access_token
catalog=$(curl -s -H "Authorization: Bearer $acr_access_token" https://$registry$operation)
echo "Catalog"
echo $catalog
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
# Catalog listing using SP/Admin with Basic Auth
Here's an equivalent set of scripts that will allow you to execute an operation against an Azure Container Registry, but this time using only the admin credentials, and not AAD.
If you'd like to use basic auth, you can do a direct call to the registry like this:
#!/bin/bash
registry=" --- you have to fill this out --- "
user=" --- you have to fill this out --- "
password=" --- you have to fill this out --- "
operation="/v2/_catalog"
credentials=$(echo -n "$user:$password" | base64 -w 0)
catalog=$(curl -s -H "Authorization: Basic $credentials" https://$registry$operation)
echo "Catalog"
echo $catalog
2
3
4
5
6
7
8
9
10
11
12
13
# Catalog listing using Admin Keys with Bearer Auth
If you'd like to use bearer auth, you have to first convert your admin credentials to an ACR access token like this:
#!/bin/bash
registry=" --- you have to fill this out --- "
user=" --- you have to fill this out --- "
password=" --- you have to fill this out --- "
operation="/v2/_catalog"
challenge=$(curl -vs https://$registry$operation 2>&1 | grep "Www-Authenticate:")
echo "Challenge"
echo $challenge
scope=$(echo $challenge | egrep -o 'scope=\"([^\"]*)\"' | egrep -o '\"([^\"]*)\"' | sed -e 's/^"//' -e 's/"$//')
echo "Scope"
echo $scope
credentials=$(echo -n "$user:$password" | base64 -w 0)
acr_access_token=$(curl -s -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: Basic $credentials" "https://$registry/oauth2/token?service=$registry&scope=$scope" | jq '.access_token' | sed -e 's/^"//' -e 's/"$//')
echo "ACR Access Token"
echo $acr_access_token
catalog=$(curl -s -H "Authorization: Bearer $acr_access_token" https://$registry$operation)
echo "Catalog"
echo $catalog
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
# Docker login with ACR Access Token - Single repository scope
The following script uses an AAD token to request an 'ACR access token` which can be used as a docker login credential.
#/bin/sh
set -e
REGISTRY=" --- you have to fill this out --- "
REPOSITORY=" --- you have to fill this out --- "
AAD_ACCESS_TOKEN=$(az account get-access-token --query accessToken -o tsv)
ACR_REFRESH_TOKEN=$(curl -s -X POST -H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=access_token&service=$REGISTRY&access_token=$AAD_ACCESS_TOKEN" \
https://$REGISTRY/oauth2/exchange \
| jq '.refresh_token' \
| sed -e 's/^"//' -e 's/"$//')
echo "ACR Refresh Token obtained."
# Create the repo level scope
SCOPE="repository:$REPOSITORY:pull"
# to pull multiple repositories passing in multiple scope arguments.
#&scope="repository:repo:pull,push"
ACR_ACCESS_TOKEN=$(curl -s -X POST -H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=refresh_token&service=$REGISTRY&scope=$SCOPE&refresh_token=$ACR_REFRESH_TOKEN" \
https://$REGISTRY/oauth2/token \
| jq '.access_token' \
| sed -e 's/^"//' -e 's/"$//')
echo "ACR Access Token obtained."
# Docker Login using the ACR_ACCESS_TOKEN
echo docker login into $REGISTRY
docker login -u 00000000-0000-0000-0000-000000000000 -p $ACR_ACCESS_TOKEN $REGISTRY
docker pull $REGISTRY/$REPOSITORY
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
# Fetch helm index.yaml with Admin Keys or SP with Basic Auth
#!/bin/bash
registry=" --- you have to fill this out --- "
user=" --- you have to fill this out --- "
password=" --- you have to fill this out --- "
operation="/helm/v1/repo/index.yaml"
challenge=$(curl -vs https://$registry$operation 2>&1 | grep "Www-Authenticate:")
echo "Challenge"
echo $challenge
scope=$(echo $challenge | egrep -o 'scope=\"([^\"]*)\"' | egrep -o '\"([^\"]*)\"' | sed -e 's/^"//' -e 's/"$//')
echo "Scope"
echo $scope
credentials=$(echo -n "$user:$password" | base64 -w 0)
acr_access_token=$(curl -s -H "Content-Type: application/x-www-form-urlencoded" \
-H "Authorization: Basic $credentials" "https://$registry/oauth2/token?service=$registry&scope=$scope" | jq '.access_token' | sed -e 's/^"//' -e 's/"$//')
echo "ACR Access Token"
echo $acr_access_token
#Retrieve the location header and strip the trailing \r for curl
URL=$(curl -sD - -H "Authorization: Bearer $acr_access_token" https://$registry$operation | grep -Fi Location | awk '{print $2}' | tr -d '\r')
echo Location=$URL
echo index.yaml
echo ----------
curl $URL
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29