Hello @yuxuan li,
Thank you for your question, let me answer your questions as below:
- How does the username and password-based ACR authentication work behind the scenes? Does it involve or bypass AAD?
When you use a username and password generated by Azure Container Registry (ACR), it does not directly involve Azure Active Directory (AAD) for each authentication request. Instead, ACR provides an admin account with a username and password that can be used for direct authentication.
Here’s how it works:
- Admin Account: ACR allows you to enable an admin user account, which provides a username and password specifically for the registry.
- Direct Authentication: This username and password can be used directly with Docker commands (e.g., `docker login`) to authenticate and interact with the registry.
- Is it possible to use dSTS-based tokens for ACR authentication? Is there a way for us to have a dSTS dependency for ACR authentication?
Currently, ACR primarily supports authentication through AAD tokens. The available methods include:
- Individual login with Microsoft Entra ID: Using personal or service principal credentials.
- Service principal: For headless authentication scenarios.
- Managed identities: For Azure resources.
There is no direct support for using dSTS-based tokens for ACR authentication. ACR relies on AAD for token issuance and validation, and there isn’t a documented method to replace this with dSTS tokens.
Given your requirements to avoid dependencies on AAD (ESTS), you might consider the following alternatives:
- Service Principal with Certificates: Instead of using username and password, you can use a service principal with certificate-based authentication. This enhances security and can be managed more easily.
- Managed Identities: If your service is running on Azure, using managed identities can simplify the authentication process without needing to manage credentials directly.
If avoiding AAD entirely is a strict requirement, you might need to explore other container registry solutions that support different authentication mechanisms.
Would you like more details on any of these alternatives or have other questions?
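The two login flows contrasted in the answer above, shown as the HTTP messages each one produces. This is an added example and not code from the original answer or from Microsoft: the admin-user flow is plain HTTP Basic auth sent straight to the registry, while the Microsoft Entra ID (AAD) flow first exchanges an AAD access token for an ACR refresh token at the registry's `/oauth2/exchange` endpoint and then redeems that refresh token for a scoped access token at `/oauth2/token`, with Docker using the refresh token as the password for the fixed username `00000000-0000-0000-0000-000000000000`. The registry name, tenant ID, token strings and repository name are constructed placeholders, and the endpoint paths and form fields follow ACR's published AAD OAuth flow; nothing in the block touches the network, so it runs offline.

```python
"""
Added example (not part of the original answer): build the messages for
  1. admin-user login (Basic auth directly to the registry, no AAD), and
  2. AAD-based login (AAD token -> ACR refresh token -> scoped ACR access token).
All identifiers below (registry, tenant, tokens, repo) are constructed placeholders.
"""
import base64
from urllib.parse import urlencode

# Fixed username Docker/az acr login use when the password is an ACR refresh token.
ACR_TOKEN_USERNAME = "00000000-0000-0000-0000-000000000000"


def admin_basic_auth_header(username: str, password: str) -> str:
    """Authorization header value Docker sends for an admin-user login (RFC 7617)."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def admin_login_request(registry: str, username: str, password: str) -> dict:
    """Flow 1: the registry itself checks the admin credentials; AAD is never contacted."""
    return {
        "method": "GET",
        "url": f"https://{registry}/v2/",
        "headers": {"Authorization": admin_basic_auth_header(username, password)},
        "body": None,
    }


def aad_exchange_request(registry: str, aad_access_token: str, tenant_id: str) -> dict:
    """Flow 2, step 1: trade an AAD access token for an ACR refresh token."""
    form = {
        "grant_type": "access_token",
        "service": registry,
        "tenant": tenant_id,
        "access_token": aad_access_token,
    }
    return {
        "method": "POST",
        "url": f"https://{registry}/oauth2/exchange",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": form,
        "encoded_body": urlencode(form),
    }


def acr_token_request(registry: str, acr_refresh_token: str, repository: str, actions: str) -> dict:
    """Flow 2, step 2: redeem the ACR refresh token for an access token scoped to one repo."""
    form = {
        "grant_type": "refresh_token",
        "service": registry,
        "scope": f"repository:{repository}:{actions}",
        "refresh_token": acr_refresh_token,
    }
    return {
        "method": "POST",
        "url": f"https://{registry}/oauth2/token",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": form,
        "encoded_body": urlencode(form),
    }


def docker_login_credentials(acr_refresh_token: str) -> dict:
    """What `docker login` is given after flow 2: fixed username, refresh token as password."""
    return {"username": ACR_TOKEN_USERNAME, "password": acr_refresh_token}


def describe(req: dict) -> str:
    body = req["body"]
    shown = "" if body is None else "\n  " + "\n  ".join(f"{k}={v}" for k, v in body.items())
    return f"{req['method']} {req['url']}\n  {req['headers']}{shown}"


if __name__ == "__main__":
    registry = "myregistry.azurecr.io"          # placeholder registry
    print("--- flow 1: admin user (no AAD) ---")
    print(describe(admin_login_request(registry, "myregistry", "admin-password-placeholder")))
    print("--- flow 2: AAD principal ---")
    print(describe(aad_exchange_request(registry, "eyJ.aad.token.placeholder",
                                        "11111111-2222-3333-4444-555555555555")))
    print(describe(acr_token_request(registry, "eyJ.acr.refresh.placeholder", "team/app", "pull,push")))
    print(docker_login_credentials("eyJ.acr.refresh.placeholder"))
```

The contrast the answer draws is visible in the messages: flow 1 has a single request and the secret it carries is the long-lived admin password, whereas flow 2 never sends an AAD credential to the registry at all; the AAD token is exchanged once, and only the ACR-issued refresh token and the short-lived, repository-scoped access token are presented afterwards.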