Create Trusted Images in Azure Container Registry | Azure Role Assignments

Assigning Roles to User1 for Trusted Image Creation in Azure Container Registry

Question

You have an Azure subscription that contains a user named User1 and an Azure Container Registry named ContReg1.

You enable content trust for ContReg1.

You need to ensure that User1 can create trusted images in ContReg1. The solution must use the principle of least privilege.

Which two roles should you assign to User1? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

Answers

Explanations


A. AcrQuarantineReader
B. Contributor
C. AcrPush
D. AcrImageSigner
E. AcrQuarantineWriter

Correct answer: C and D

References:
https://docs.microsoft.com/en-us/azure/container-registry/container-registry-content-trust
https://docs.microsoft.com/en-us/azure/container-registry/container-registry-roles

To allow User1 to create trusted images in ContReg1 while following the principle of least privilege, you need to assign two roles to User1:

C. AcrPush: This role lets User1 push (upload) images to the container registry. To create trusted images, User1 must push the images to ContReg1 and sign them with a trusted key. Assigning only this role ensures that User1 can push images to ContReg1 but cannot sign them or modify existing images.

D. AcrImageSigner: This role lets User1 sign images with a trusted key. With this role, User1 can create trusted images in ContReg1 by signing the images they push. Assigning it in addition to AcrPush gives User1 exactly the permissions needed to create trusted images, no more, which is what the principle of least privilege requires.

The other roles listed in the options are not required for this scenario:

A. AcrQuarantineReader: This role lets User1 read images that are in quarantine in ContReg1. It is not required for creating trusted images.

B. Contributor: This role grants full access to all resources in the subscription. It is not necessary for the specific task of creating trusted images in ContReg1 and violates the principle of least privilege.

E. AcrQuarantineWriter: This role lets User1 add or remove images from quarantine in ContReg1. It is not required for creating trusted images.
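The assignment described above, as an added example that is not part of the original page: an Azure CLI script that enables content trust on ContReg1, grants AcrPush and AcrImageSigner scoped to the registry resource only, and an audit function that checks a role assignment listing for exactly those two roles at registry scope and flags broad roles such as Contributor. The user principal, subscription id and resource group are placeholders, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example, not the page's own code. Placeholders below are assumptions.
USER1_UPN="user1@example.com"   # placeholder user principal name
REGISTRY_NAME="ContReg1"
REGISTRY_RG="rg-placeholder"    # placeholder resource group

# Scope both assignments to the registry resource, never the subscription.
grant_trusted_image_roles() {
  scope=$(az acr show --name "$REGISTRY_NAME" --resource-group "$REGISTRY_RG" \
          --query id -o tsv)
  az acr config content-trust update --name "$REGISTRY_NAME" --status enabled
  az role assignment create --assignee "$USER1_UPN" --role AcrPush --scope "$scope"
  az role assignment create --assignee "$USER1_UPN" --role AcrImageSigner --scope "$scope"
}

# audit_assignments PRINCIPAL REGISTRY: reads "principal<TAB>role<TAB>scope" lines
# (the shape of: az role assignment list
#   --query "[].[principalName,roleDefinitionName,scope]" -o tsv)
# and prints OK only if the principal holds exactly AcrPush + AcrImageSigner,
# both scoped to the registry; otherwise prints the first problem found.
audit_assignments() {
  principal="$1"; registry="$2"; push=0; sign=0
  tab=$(printf '\t')
  while IFS="$tab" read -r who role scope; do
    [ "$who" = "$principal" ] || continue
    case "$role" in
      Owner|Contributor) echo "FAIL: broad role $role violates least privilege"; return 1 ;;
      AcrPush) push=1 ;;
      AcrImageSigner) sign=1 ;;
      *) echo "FAIL: unexpected role $role"; return 1 ;;
    esac
    case "$scope" in
      */registries/$registry) ;;
      *) echo "FAIL: $role granted at $scope, not at the registry"; return 1 ;;
    esac
  done
  [ "$push" -eq 1 ] || { echo "FAIL: AcrPush missing"; return 1; }
  [ "$sign" -eq 1 ] || { echo "FAIL: AcrImageSigner missing"; return 1; }
  echo OK
}

# Constructed sample listing for a correct assignment (not real data).
REG_SCOPE="/subscriptions/00000000-placeholder/resourceGroups/rg-placeholder/providers/Microsoft.ContainerRegistry/registries/ContReg1"
SAMPLE_GOOD=$(printf 'user1@example.com\tAcrPush\t%s\nuser1@example.com\tAcrImageSigner\t%s\n' \
  "$REG_SCOPE" "$REG_SCOPE")
```

Run `printf '%s\n' "$SAMPLE_GOOD" | audit_assignments user1@example.com ContReg1` to see `OK`; feeding it the real `az role assignment list` output turns the exam answer into a repeatable least-privilege check.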