Your company has an Azure Container Registry.
You have been tasked with assigning a user a role that allows for the downloading of images from the Azure Container Registry. The role assigned should not require more privileges than necessary.
Which of the following is the role you should assign?
To download images from an Azure Container Registry, you should assign a role that grants the necessary permissions without providing excessive access. The appropriate role for this task is 'AcrPull,' which specifically allows the pulling (downloading) of images from the registry without granting broader access or additional permissions. Other roles like 'Reader' provide more extensive access than required, 'Contributor' grants the ability to manage all aspects of a resource, and 'AcrDelete' allows for deleting images—all exceeding the minimal necessary permissions for the task at hand. Therefore, the 'AcrPull' role is the correct choice.
Question gives the condition, "The role assigned should not require more privileges than necessary." Therefore, D (Acrpull) is CORRECT because it provides the least number of permissions required for downloading images from a Container Registry. Answer A (Reader): provides at least two (2) permissions, which would be one (1) more than Acrpull allows for. [Ref. https://docs.microsoft.com/bs-latn-ba/azure/container-registry/container-registry-roles?tabs=azure-cli]
agree read can Access Resource Manager and Pull, but AcrPull role is just for pulling the image.
Perfect!
correct
CORRECT. NOT SURE Y EVERYONE THINKS YOU NEED THE READER ROLE FOR THIS SCENARIO. FROM MICROSOFT: Azure Resource Manager access is required for the Azure portal and registry management with the Azure CLI. For example, to get a list of registries by using the az acr list command, you need this permission set.
Answer is Wrong.... Correct answer is D AcrPull
ACR Pull?
ACR Pull seems the better option considering "least privileges": https://docs.microsoft.com/en-us/azure/container-registry/container-registry-roles?tabs=azure-cli#pull-image
If the question asked for Download Image then AcrPull
reader role has AcrPull and Access Resource Manager
Which of the following is the role you should assign? AcrPull is permission not role.
The correct answer should be D
The correct answer is D, this has the least privileges in accordance with the following Microsoft article. https://docs.microsoft.com/en-us/azure/container-registry/container-registry-roles?tabs=azure-cli
I will go also for ArcPull (D)
D. AcrPull
Although I agree w the panel that the answer is acrPull, the question asks specifically about pulling or downloading the image and do ACR tasks to it. Although Reader has both "Access Resource manager" and "Pull" functions, a Reader does just that, it reads and will not function in the capacity for the ACR. I would say "Reader" is a probable answer.
D is correct
Excellent function to override wrong answer !
AcrPull can only pull image and A is wrong because got more access than is needed it can Access Resource Manager. Correct answer is D !
Answer is D
D is correct
D is correct, can ExamTopics Admin look to research and correct these answers??
I agree that READER is not the correct answer here Reader also gives you the Access Resource Manager role which is more priviliegs than is reuired to download an image. the ANSWER here is D Acrpull
D is correct. https://docs.microsoft.com/en-gb/learn/modules/enable-containers-security/6-enable-azure-container-registry-authentication
Reader provides more than requested access
D. AcrPull is correct
Following and article from Microsoft, ArcPull role will provide the least privilege access: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-roles?tabs=azure-cli
https://learn.microsoft.com/en-us/azure/container-registry/container-registry-roles?tabs=azure-cli D. Arc Pull Since Reader has more access than necessary
Question gives the condition, "The role assigned should not require more privileges than necessary." Therefore, D (Acrpull) is CORRECT because it provides the least number of permissions required for downloading images from a Container Registry. Answer A (Reader): provides at least two (2) permissions, which would be one (1) more than Acrpull allows for. [Ref. https://docs.microsoft.com/bs-latn-ba/azure/container-registry/container-registry-roles?tabs=azure-cli]
The role that should be assigned to allow for the downloading of images from the Azure Container Registry without granting unnecessary privileges is "AcrPull". The AcrPull role provides read-only permissions to pull images from the registry. This role is the minimum required permission to pull an image. It does not allow pushing or modifying images or managing the registry itself. The other options are not the best fit for this scenario: The Reader role provides read-only access to all resources within a resource group, which includes the container registry. However, this role is too broad and provides more access than needed for just pulling images. The Contributor role provides the ability to manage all aspects of a resource, including creating, modifying, and deleting. This role is more permissions than are necessary for just pulling images. The AcrDelete role provides the ability to delete repositories and images from the registry. This role is more permissions than are necessary for just pulling images.
Keyline " The role assigned should not require more privileges than necessary". As per the link which I will mention in my last line; Role: ArcPull has one permission = (Pull Image) Role: Reader has two permission = (Access Resource Manager) + (Pull Image) So according to the keyline Statement; Answer should be ArcPull Reference: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-roles?tabs=azure-cli
AcrPull for sure. The more specific answer wins.
Should be D
In my view, the correct answer is Arc Pull (D) as this role only has single authorization to pull the image. The reader holds more privileges than Arc Pull.
Correct Answer is D Dockers images upload permissions: Contributor, ArcPush Docker images download permissions: Contributor, ArcPull, ArcPush
pull is correct
wrong answer: It should be D
Arc Pull has minimum required access
In reference https://docs.microsoft.com/bs-latn-ba/azure/container-registry/container-registry-roles AcrPull only pull... Reader two permissions, (Access Resource Management)
AcrPUll should be the answer as it follows the principal of least privileges
the question says you only need to download, not upload images. the answer is A (Reader is OK)
Reader permission has to much access
Option A provides two permissions while D, provides one.
I believe the correct answer is D AcrPull Pull artifacts from a container registry. 7f951dda-4ed3-4680-a7ca-43fe172d538d Reader View all resources, but does not allow you to make any changes. acdd72a7-3385-48ef-bd42-f606fba81ae7
AcrPull, always use the theory of least privilege
https://docs.microsoft.com/bs-latn-ba/azure/container-registry/container-registry-roles?tabs=azure-cli
Perfect!
as others have explained too, and quite obvious as per doco here: https://learn.microsoft.com/bs-latn-ba/azure/container-registry/container-registry-roles?tabs=azure-cli
D. AcrPull https://learn.microsoft.com/en-us/azure/container-registry/container-registry-roles
Reader can access Resources Manager. So it doesn't satisfy the least previlage condition mentioned in the question. Acrpull is the right answer.
D. AcrPull
arcpull is correct
https://docs.microsoft.com/bs-latn-ba/azure/container-registry/container-registry-roles?tabs=azure-cli
D is correct
D is the answer. https://learn.microsoft.com/en-us/azure/container-registry/container-registry-roles
AcrPull is the correct answer ! When we apply the principle of Least privilege
D. ArcPull
Most certainly agreed with the above statements. Unless proven otherwise, the answer D is correct as pert MS documentation.
Answer is ARCPULL Arcpull can only pull and image Reader can access access Resource Manager and PULL Least access is ArcPull case closed!!!
Clearly stated in the reference
The role you should assign is AcrPull because it specifically grants the ability to pull (download) images from the Azure Container Registry, which is the required permission for the user. Assigning the Reader role would provide broader access than necessary, as it includes permissions beyond image pulling. Similarly, assigning the Contributor role would grant excessive privileges, as it includes permissions for creating, deleting, and modifying resources, which are not required for simply downloading images. The AcrDelete role is also not suitable, as it specifically grants permission to delete image data from the registry, which is not needed for the task described. Therefore, AcrPull is the most appropriate role that meets the requirement of allowing image downloading without granting unnecessary privileges. https://learn.microsoft.com/bs-latn-ba/azure/container-registry/container-registry-roles?tabs=azure-cli
Wrong answer. Correct answer is D - AcrPull. Viewing the available images in the registry is not enough, you actually have to be able to download (pull) them.
Question gives the condition, "The role assigned should not require more privileges than necessary." Therefore, D (Acrpull) is CORRECT because it provides the least number of permissions required for downloading images from a Container Registry. Answer A (Reader): provides at least two (2) permissions, which would be one (1) more than Acrpull allows for.
Therefore, D (Acrpull) is CORRECT because it provides the least number of permissions required for downloading images from a Container Registry. Answer A (Reader): provides at least two (2) permissions, which would be one (1) more than Acrpull allows for. [Ref. https://docs.microsoft.com/bs-latn-ba/azure/container-registry/container-registry-roles?tabs=azure-cli]
Question gives the condition, "The role assigned should not require more privileges than necessary." Therefore, D (Acrpull) is CORRECT because it provides the least number of permissions required for downloading images from a Container Registry. Answer A (Reader): provides at least two (2) permissions, which would be one (1) more than Acrpull allows for. [Ref. https://docs.microsoft.com/bs-latn-ba/azure/container-registry/container-registry-roles?tabs=azure-cli]
Answer: D, AcrPull Reason: AcrPull role provides minimum required permissions to pull/download images from Azure Container Registry while following the principle of least privilege. Reader, Contributor, and AcrDelete either provide insufficient or excessive permissions. Reference: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-roles
Reference: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-roles