Exam AZ-204
Question 189

HOTSPOT -

You develop a containerized application. You plan to deploy the application to a new Azure Container instance by using a third-party continuous integration and continuous delivery (CI/CD) utility.

The deployment must be unattended and include all application assets. The third-party utility must only be able to push and pull images from the registry. The authentication must be managed by Azure Active Directory (Azure AD). The solution must use the principle of least privilege.

You need to ensure that the third-party utility can access the registry.

Which authentication options should you use? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

    Correct Answer:

    Box 1: Service principal -

    Applications and container orchestrators can perform unattended, or "headless," authentication by using an Azure Active Directory (Azure AD) service principal.

    Incorrect Answers:

    ✑ Individual AD identity does not support unattended push/pull

    ✑ Repository-scoped access token is not integrated with AD identity

    ✑ Managed identity for Azure resources is used to authenticate to an Azure container registry from another Azure resource.

    Box 2: AcrPush -

    AcrPush provides pull/push permissions only and meets the principle of least privilege.

    Incorrect Answers:

    ✑ AcrPull only allows pull permissions; it does not allow push permissions.

    ✑ Owner and Contributor allow pull/push permissions but do not meet the principle of least privilege.

    Reference:

    https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli
    https://docs.microsoft.com/en-us/azure/container-registry/container-registry-roles?tabs=azure-cli
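
The following is an added example, not code from the exam page or from Microsoft's documentation. It shows the shape of the answer above in Azure CLI terms: a service principal created for a third-party CI/CD tool, scoped to a single registry, with only the AcrPush role. The registry name, resource group, service principal name and subscription ID are assumed placeholders, and the `DRY_RUN` switch (default on) prints the `az` commands instead of executing them so the assignment can be reviewed before it touches a subscription.

```shell
#!/usr/bin/env sh
# Added example: create a headless identity for a third-party CI/CD tool and
# grant it only AcrPush on one registry. Registry, resource group and service
# principal names are placeholders. DRY_RUN=1 (the default) prints the az
# commands instead of running them.

DRY_RUN="${DRY_RUN:-1}"

# Least-privilege guard: only the two image-only roles are acceptable.
# Owner and Contributor would also allow push/pull but grant far more.
least_privilege_role() {
  case "$1" in
    AcrPush|AcrPull) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# $1 = registry name, $2 = resource group, $3 = service principal name, $4 = role
create_cicd_principal() {
  registry="$1"; rg="$2"; sp_name="$3"; role="$4"
  least_privilege_role "$role" || { echo "refusing broad role: $role" >&2; return 1; }

  # Resource ID of the registry; in dry-run mode a constructed placeholder
  # stands in for the value az acr show would return.
  if [ "$DRY_RUN" = "1" ]; then
    scope="/subscriptions/<subscription-id>/resourceGroups/$rg/providers/Microsoft.ContainerRegistry/registries/$registry"
  else
    scope=$(az acr show --name "$registry" --resource-group "$rg" --query id --output tsv)
  fi

  # --scopes limits the assignment to this one registry; --role AcrPush grants
  # push and pull (AcrPush includes AcrPull) and nothing else. The command's
  # output (appId and password) is what the CI/CD tool stores as its
  # registry username and password.
  run az ad sp create-for-rbac --name "$sp_name" --role "$role" --scopes "$scope"
}
```

Run it as `create_cicd_principal myregistry my-rg cicd-sp AcrPush` with `DRY_RUN=0` once the printed command looks right; passing `Contributor` or `Owner` is rejected before any command is built, which is the check a reviewer would want when the least-privilege requirement is a hard one.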

Discussion
gmishra88

Correct. It is only service principal. acr-token: cannot be, because of the AD authentication requirement. The roles are RBAC but the identity is not AD managed. Managed identity: not an option because it is third party. AcrPush includes AcrPull. I did not know that nuance and the choice made by Microsoft to do this.

macobuzi

I don't understand, Why not Managed Identity? Azure Container Apps also support Managed Identity.

ProtossOR89144

- "An Azure service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources."
- correct: "AcrPush includes AcrPull"

dtctx

Got this 4/29. I passed test, but scored poorly in third party integration questions. I went with Managed Identity and Contributor, and I think both are WRONG. I had not heard of ACR Push/Pull, so went with Contributor, but upon learning that ACR Push satisfies least privilege, that is probably the best answer. Table of privileges: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-roles?tabs=azure-cli I suggest ACR Push is the correct permission level.

sarmaria

Got this on 16/03/23. Chosen Service Principal and AcrPush. Make sure to prepare for case study. I got city and lights case study. No Kubernetes, Search, Logic Apps questions for me.

hubekpeter

Individual identity - no, you don't want to use somebody's username; when he leaves, the service will stop working (saw this tens of times). Managed identity - yes, that could work, but you're not sure if CI/CD is running on an Azure resource. Repository scoped access token - the next question would be regarding Scope Map, but they are apparently asking about an RBAC role. So the correct answer is Service Principal with AcrPush role, which will meet the least privilege requirement.

mabdo

on exam 02/23

Esward

Service Principal and AcrPush are correct answers! https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli https://learn.microsoft.com/en-us/azure/container-registry/container-registry-roles?tabs=azure-cli

130nk3r5

To meet all the requirements, you should use the following authentication options: Service Principal: A service principal is an identity that is used by a service or application to log in and access Azure resources. You can assign specific permissions to the service principal to adhere to the principle of least privilege. This will allow the third-party CI/CD utility to authenticate with Azure AD. Role-Based Access Control (RBAC): After creating the service principal, you should assign it a role that only allows it to push and pull images from the Azure Container Registry. The "AcrPush" role could be a good fit as it allows the service principal to push and pull images, but doesn't grant any other permissions. Remember to store the service principal's credentials securely in the CI/CD utility.

OPT_001122

service principal AcrPush

coffecold

The question is about access to 'a' registry. Nowhere in the question is it stated that Azure Container Registry (ACR) is used. It talks about "the registry", which is confusing. Provided Azure Container Registry (ACR) is used, then the answer is correct. If another kind of registry is used to store the images, the answer can be anything (depending on the registry used).

finnishr

The answer is correct.

vvlads

Why not managed identity? Use only from select Azure services that support managed identities for Azure resources
https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli
resources: ...Azure Container Registry...
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/managed-identities-status#azure-services-that-support-managed-identities-for-azure-resources

coffecold

The CI/CD is third party.

sghaha

https://docs.microsoft.com/ko-kr/azure/container-registry/container-registry-authentication?tabs=azure-cli

bgbgvfvf

answer is correct

Stann07

Service Principal: Service principals are non-interactive Azure accounts. Using them with CI/CD utilities allows for unattended deployments. AcrPull: This role can only pull images from the registry. This is certainly the role with the least privilege here, because AcrPush can push images to the registry (and also pull them).

Stann07

My error, I did not see the requirement in the question for the user to be able to pull AND PUSH images to the registry. So the right answer is AcrPush.