ACR Tokens support for authentication

[Flasheh]

The feature is still in preview, but you can generate tokens for ACR that are (optionally) scoped to specific repositories and with limited permissions.

Having the ability to use these tokens for authentication would be a huge improvement.

Docs:
https://docs.microsoft.com/en-us/azure/container-registry/container-registry-repository-scoped-permissions

[davidcollom]

Hey @Flasheh,

Sorry that its taken so long to respond - I'm not 100% fermilier with Azure, but this looks like its a key/token per repo, which would mean we'd need to have something similar to the selfHosted approach of multiple keys.

This isn't too much of an issue to implement, if you could confirm my understanding I'd be happy to implement this.

FWIW - I have been planning/looking this week to get version-checker to support ManagedIdentity and native AKS Identity / WorkloadIdentity via the azure go SDK.

[Flasheh]

hi @davidcollom

As it's been a while I don't exactly remember what the issue was with the ACR tokens. The authentication might also have changed on azure's side since it was still in preview back then. And I'm not currently using this project anywhere to do a quick test.

ACR tokens are linked to scope maps which are a set of repository-level permissions. They can be scoped to one or many repos. So tokens aren't necessarily per repo.

I'd say supporting Entra-based identities like managed IDs should probably have a higher priority. As the only real advantage of using tokens at the moment is the ability to implement repo-level permissions. But I do know there's a feature on the ACR roadmap to support similar functionality for managed IDs though. In which case token support would no longer be needed. At least for me.