In my last article I showed how to get started creating an Azure Container Instance from an Azure Container Registry.
One problem I had with that article was the security aspect. When I issued the create command:
az container create -g ContainerPlayground -n rfc-the-worlds-best-website --image redfolder.azurecr.io/the-worlds-best-website --cpu 1 --memory 1 --registry-username redfolder --registry-password "9MT56hWrpRlFFMF184DXhA/DptdOVkyq" --dns-name-label rfc-the-worlds-best-website --ports 80
The credentials I use there are the Admin account for the Container Registry. Basically the keys to the kingdom (well the Azure Container Registry).
This may not seem a massive security problem, but it is always better to go for least privileges.
Access to an organisation's Docker Registry makes a tempting target for a hacker. It will likely be treated as a trusted source - and thus a great way to initiate a supply chain attack. A hacker pushes their own image to the Registry, then just leaves it there for you to create containers from.
Thus in this article, I create a Service Principal within Azure Active Directory with only "pull" permissions and then use that to create my instances.
I'm starting with the Azure Container Registry with the the-worlds-best-website image.
I've removed the previous Azure Container Instance.
One of the things I want is to lock the Service Principal down to the specific Azure Container Registry. That way I avoid accidentally granting access to other Registries in my subscription (now or in the future).
I run:
az acr show --name redfolder --query id
Which gives something like:
"/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/resourceGroups/ContainerPlayground/providers/Microsoft.ContainerRegistry/registries/redfolder"
I take that Id and ask Azure to create a Service Principal scoped to that Registry (using the Id), with just the ability to pull images (the acrpull role):
az ad sp create-for-rbac --name http://redfolder.azurecr.io-pull --scopes "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/resourceGroups/ContainerPlayground/providers/Microsoft.ContainerRegistry/registries/redfolder" --role acrpull
Which should give you something like:
{
"appId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"displayName": "redfolder.azurecr.io-pull",
"name": "http://redfolder.azurecr.io-pull",
"password": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"tenant": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
}
I can now use the above information to create my container instance (the appId is used for the registry-username and the password for the registry-password):
az container create --resource-group ContainerPlayground --name rfc-the-worlds-best-website --image redfolder.azurecr.io/the-worlds-best-website --cpu 1 --memory 1 --dns-name-label rfc-the-worlds-best-website --ports 80 --registry-username XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX --registry-password XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
And we should be good to test again using http://rfc-the-worlds-best-website.northeurope.azurecontainer.io
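The whole procedure above as one script, an added example rather than code from the original article: it resolves the registry Id, creates the acrpull-scoped Service Principal, confirms with az role assignment list that the principal holds nothing but acrpull on that one registry before anything is deployed, and hands the password to az container create as an argv element instead of interpolating it into a shell string. The registry, resource group and instance names are the article's; the SAMPLE_* constants are constructed sample outputs so the pure functions can be checked offline.

```python
import json
import subprocess
import sys

REGISTRY, RESOURCE_GROUP = "redfolder", "ContainerPlayground"   # names from the article
INSTANCE = "rfc-the-worlds-best-website"
IMAGE = f"{REGISTRY}.azurecr.io/the-worlds-best-website"

# Constructed sample outputs in the shape of `az ad sp create-for-rbac` and `az role assignment list`.
SAMPLE_REGISTRY_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                      f"{RESOURCE_GROUP}/providers/Microsoft.ContainerRegistry/registries/{REGISTRY}")
SAMPLE_SP = '{"appId": "11111111-1111-1111-1111-111111111111", "password": "p/ass+w0rd=", "tenant": "x"}'
SAMPLE_OK = json.dumps([{"roleDefinitionName": "AcrPull", "scope": SAMPLE_REGISTRY_ID}])
SAMPLE_TOO_BROAD = json.dumps(json.loads(SAMPLE_OK) + [{"roleDefinitionName": "Contributor",
                                                        "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"}])

def az(*args: str) -> str:
    """Run one Azure CLI command and return its stdout; a non-zero exit raises."""
    return subprocess.run(["az", *args], capture_output=True, text=True, check=True).stdout

def pull_only(assignments_json: str, registry_id: str) -> bool:
    """True only if the principal's sole role assignment is acrpull on exactly this registry."""
    a = json.loads(assignments_json)
    return (len(a) == 1 and a[0]["roleDefinitionName"].lower() == "acrpull"
            and a[0]["scope"].lower() == registry_id.lower())

def create_args(sp_json: str) -> list[str]:
    """Map appId -> --registry-username and password -> --registry-password.
    Returned as an argv list, so '/' or '+' in the password needs no shell quoting."""
    sp = json.loads(sp_json)
    return ["container", "create", "--resource-group", RESOURCE_GROUP, "--name", INSTANCE,
            "--image", IMAGE, "--cpu", "1", "--memory", "1", "--ports", "80",
            "--dns-name-label", INSTANCE,
            "--registry-username", sp["appId"], "--registry-password", sp["password"]]

def main() -> None:
    registry_id = az("acr", "show", "--name", REGISTRY, "--query", "id", "-o", "tsv").strip()
    sp_json = az("ad", "sp", "create-for-rbac", "--name", f"http://{REGISTRY}.azurecr.io-pull",
                 "--scopes", registry_id, "--role", "acrpull", "-o", "json")
    app_id = json.loads(sp_json)["appId"]
    # Confirm the scope actually landed before trusting the principal with a deployment
    # (role assignments can take a little while to propagate; rerun if the list is empty).
    assignments = az("role", "assignment", "list", "--assignee", app_id, "--all", "-o", "json")
    if not pull_only(assignments, registry_id):
        sys.exit("service principal is not limited to acrpull on this registry; not deploying")
    az(*create_args(sp_json))   # the password never passes through a shell string or the terminal
    print(f"deployed; test at http://{INSTANCE}.northeurope.azurecontainer.io")

if __name__ == "__main__":
    main()
```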
And that's it. It may seem like a simple thing, but the less you expose your Registry's Admin credentials the better (ideally don't create Admin credentials in the first place - use Azure AD users).
And when finished, we can clean up the container to avoid incurring unnecessary costs:
az container delete -g ContainerPlayground --name rfc-the-worlds-best-website --yes