Your company has an Azure Container Registry.
You have been tasked with assigning a user a role that allows for the downloading of images from the Azure Container Registry. The role assigned should not require more privileges than necessary.
Which of the following is the role you should assign?
To download images from an Azure Container Registry, you should assign a role that grants the necessary permissions without providing excessive access. The appropriate role for this task is 'AcrPull,' which specifically allows the pulling (downloading) of images from the registry without granting broader access or additional permissions. Other roles like 'Reader' provide more extensive access than required, 'Contributor' grants the ability to manage all aspects of a resource, and 'AcrDelete' allows for deleting images—all exceeding the minimal necessary permissions for the task at hand. Therefore, the 'AcrPull' role is the correct choice.
Question gives the condition, "The role assigned should not require more privileges than necessary." Therefore, D (Acrpull) is CORRECT because it provides the least number of permissions required for downloading images from a Container Registry. Answer A (Reader): provides at least two (2) permissions, which would be one (1) more than Acrpull allows for. [Ref. https://docs.microsoft.com/bs-latn-ba/azure/container-registry/container-registry-roles?tabs=azure-cli]
agree read can Access Resource Manager and Pull, but AcrPull role is just for pulling the image.
Perfect!
correct
CORRECT. NOT SURE Y EVERYONE THINKS YOU NEED THE READER ROLE FOR THIS SCENARIO. FROM MICROSOFT: Azure Resource Manager access is required for the Azure portal and registry management with the Azure CLI. For example, to get a list of registries by using the az acr list command, you need this permission set.
Answer is Wrong.... Correct answer is D AcrPull
D. AcrPull
The role that should be assigned to allow for the downloading of images from the Azure Container Registry without granting unnecessary privileges is "AcrPull". The AcrPull role provides read-only permissions to pull images from the registry. This role is the minimum required permission to pull an image. It does not allow pushing or modifying images or managing the registry itself. The other options are not the best fit for this scenario: The Reader role provides read-only access to all resources within a resource group, which includes the container registry. However, this role is too broad and provides more access than needed for just pulling images. The Contributor role provides the ability to manage all aspects of a resource, including creating, modifying, and deleting. This role is more permissions than are necessary for just pulling images. The AcrDelete role provides the ability to delete repositories and images from the registry. This role is more permissions than are necessary for just pulling images.
Following and article from Microsoft, ArcPull role will provide the least privilege access: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-roles?tabs=azure-cli
https://learn.microsoft.com/en-us/azure/container-registry/container-registry-roles?tabs=azure-cli D. Arc Pull Since Reader has more access than necessary
arcpull is correct
https://docs.microsoft.com/bs-latn-ba/azure/container-registry/container-registry-roles?tabs=azure-cli
D is correct
D is the answer. https://learn.microsoft.com/en-us/azure/container-registry/container-registry-roles
AcrPull is the correct answer ! When we apply the principle of Least privilege
D. ArcPull
Most certainly agreed with the above statements. Unless proven otherwise, the answer D is correct as pert MS documentation.
Answer is ARCPULL Arcpull can only pull and image Reader can access access Resource Manager and PULL Least access is ArcPull case closed!!!
Clearly stated in the reference
The role you should assign is AcrPull because it specifically grants the ability to pull (download) images from the Azure Container Registry, which is the required permission for the user. Assigning the Reader role would provide broader access than necessary, as it includes permissions beyond image pulling. Similarly, assigning the Contributor role would grant excessive privileges, as it includes permissions for creating, deleting, and modifying resources, which are not required for simply downloading images. The AcrDelete role is also not suitable, as it specifically grants permission to delete image data from the registry, which is not needed for the task described. Therefore, AcrPull is the most appropriate role that meets the requirement of allowing image downloading without granting unnecessary privileges. https://learn.microsoft.com/bs-latn-ba/azure/container-registry/container-registry-roles?tabs=azure-cli
Wrong answer. Correct answer is D - AcrPull. Viewing the available images in the registry is not enough, you actually have to be able to download (pull) them.