A more secure Azure Container Instance

In my last article I showed how to get started creating an Azure Container Instance from an Azure Container Registry.

One problem I had with the article was the security aspect:

When I issued the create command:


az container create -g ContainerPlayground -n rfc-the-worlds-best-website --image redfolder.azurecr.io/the-worlds-best-website --cpu 1 --memory 1 --registry-username redfolder --registry-password "9MT56hWrpRlFFMF184DXhA/DptdOVkyq" --dns-name-label rfc-the-worlds-best-website --ports 80

The credentials I use there are the Admin account for the Container Registry. Basically the keys to the kingdom (well, the Azure Container Registry).

This may not seem a massive security problem, but it is always better to go for least privilege.

Access to an organisation's Docker Registry makes a tempting target for a hacker. It will likely be treated as a trusted source - and thus a great way to initiate a supply chain attack. A hacker pushes their own image to the Registry, then just leaves it for you to create containers from.

Thus in this article, I create a Service Principal within Azure Active Directory with only "pull" permissions and then use that to create my instances.

Pre-requisites

I'm starting with the Azure Container Registry with the the-worlds-best-website image.

I've removed the previous Azure Container Instance.

Start by getting the Azure Container Registry Id

One of the things I will want is to lock the Service Principal down to the specific Azure Container Registry. That way I avoid accidentally providing access to other Registries in my subscription (now or in the future).

I run:


az acr show --name redfolder --query id

Which gives something like:


"/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/resourceGroups/ContainerPlayground/providers/Microsoft.ContainerRegistry/registries/redfolder"

Create the Service Principal

I take that Id, and ask Azure to create a Service Principal which is scoped to that Registry (using the Id) and has just the ability to pull images (the acrpull role):


az ad sp create-for-rbac --name http://redfolder.azurecr.io-pull --scopes "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/resourceGroups/ContainerPlayground/providers/Microsoft.ContainerRegistry/registries/redfolder" --role acrpull

Which should give you something like:


{
  "appId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
  "displayName": "redfolder.azurecr.io-pull",
  "name": "http://redfolder.azurecr.io-pull",
  "password": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
  "tenant": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
}

Create the Azure Container Instance

I can now use the above information to create my container instance (the appId is used for the registry-username and the password for the registry-password):


az container create --resource-group ContainerPlayground --name rfc-the-worlds-best-website --image redfolder.azurecr.io/the-worlds-best-website --cpu 1 --memory 1 --dns-name-label rfc-the-worlds-best-website --ports 80 --registry-username XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX --registry-password XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

And we should be good to test again using http://rfc-the-worlds-best-website.northeurope.azurecontainer.io
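The three steps above as one script, added here as an example (it is not the article's own): it fetches the Registry Id, creates the pull-only Service Principal, and refuses to create the instance unless the role assignments it reads back are AcrPull on that one Registry and nothing wider. Resource names are the article's; the check_assignments helper, its TSV input shape and the ACI_APPLY switch are this example's assumptions.

```shell
#!/bin/sh
# Added example, not the article's script. Names are the article's; the
# check_assignments helper and the ACI_APPLY switch are assumptions here.
set -eu

RG="ContainerPlayground"
ACR="redfolder"
IMAGE="redfolder.azurecr.io/the-worlds-best-website"
ACI="rfc-the-worlds-best-website"
SP_NAME="http://redfolder.azurecr.io-pull"
TAB=$(printf '\t')

# check_assignments "<role TAB scope lines>" "<registry id>"
# Input is what `az role assignment list --assignee <appId> --all
#   --query "[].[roleDefinitionName,scope]" -o tsv` prints.
# Succeeds only if at least one line exists and every line is AcrPull on
# exactly the registry id: a subscription- or group-wide scope, or an extra
# role, would let a leaked password reach more than this one Registry.
check_assignments() {
  tsv=$1; acr_id=$2; n=0
  while IFS="$TAB" read -r role scope; do
    [ -z "$role" ] && continue
    n=$((n + 1))
    role_lc=$(printf '%s' "$role" | tr 'A-Z' 'a-z')
    if [ "$role_lc" != "acrpull" ] || [ "$scope" != "$acr_id" ]; then
      echo "refusing: $role on $scope (expected AcrPull on $acr_id)" >&2
      return 1
    fi
  done <<EOF
$tsv
EOF
  [ "$n" -ge 1 ]
}

main() {
  acr_id=$(az acr show --name "$ACR" --query id -o tsv)
  # Pull-only SP scoped to this Registry; read appId/password from the JSON.
  sp_json=$(az ad sp create-for-rbac --name "$SP_NAME" --scopes "$acr_id" --role acrpull -o json)
  app_id=$(printf '%s\n' "$sp_json" | sed -n 's/.*"appId": *"\([^"]*\)".*/\1/p')
  password=$(printf '%s\n' "$sp_json" | sed -n 's/.*"password": *"\([^"]*\)".*/\1/p')
  assignments=$(az role assignment list --assignee "$app_id" --all \
    --query "[].[roleDefinitionName,scope]" -o tsv)
  check_assignments "$assignments" "$acr_id"
  az container create --resource-group "$RG" --name "$ACI" --image "$IMAGE" \
    --cpu 1 --memory 1 --dns-name-label "$ACI" --ports 80 \
    --registry-username "$app_id" --registry-password "$password"
  # Once nothing else uses the Admin login, retire those keys entirely:
  # az acr update --name "$ACR" --admin-enabled false
}

# Only talk to Azure when asked (ACI_APPLY=1), so the checker can be sourced.
if [ "${ACI_APPLY:-0}" = 1 ]; then main "$@"; fi
```

Run it with `ACI_APPLY=1 sh aci-pull-sp.sh` after `az login`; without the switch it only defines the functions.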

And that's it. It may seem like a simple thing, but the less you expose your Registry's Admin credentials the better (ideally don't create Admin credentials in the first place - use Azure AD users).

Cleanup

And when finished, we can clean up the container to avoid incurring unnecessary costs:


az container delete -g ContainerPlayground --name rfc-the-worlds-best-website --yes

About the author:

Mark Taylor is an experienced IT Consultant passionate about helping his clients get better ROI from their Software Development.

He has over 20 years Software Development experience - over 15 of those leading teams. He has experience in a wide variety of technologies and holds certification in Microsoft Development and Scrum.

He operates through Red Folder Consultancy Ltd.