Azure Container Registry RBAC Demo

Video Transcription
Hello, Cybrarians. Welcome to this demonstration on Azure Container Registry RBAC. This demonstration is part of the sixth module of the AZ-500 Microsoft Azure Security Technologies course. Quick information on the tasks that we'll be completing in this demo. We'll start by installing the tools that are needed for the tasks.
We'll then create a container registry instance. After that we'll configure RBAC for the instance,
and we'll then go through an authentication process and also push an image to the registry. Let's get right into this. So the first task that I'll be doing is I'll be installing the prerequisites that are needed for the tasks.
Here's a visual representation of what I'll be doing. I'll need both Azure CLI and Docker to be installed on the endpoint that I'll be using for the tasks. I have an Ubuntu 18.04 VM that I have deployed in Azure, and I'll be installing Azure CLI using this command and installing Docker using the apt installer.
So here I am in the Azure portal,
you can see the Ubuntu virtual machine that I have deployed in Azure, so I have also connected to the Ubuntu virtual machine using SSH. So what I'll be doing is I'll verify that the tools are not yet installed. If I do docker
and you can see that docker is not found. Also, if I do az version, you can see that that's not found also. I'll be installing Azure CLI using the command that you can see on the screen. I will also be adding supplemental links that you can follow to install both Azure CLI and Docker. So I'll go ahead and press enter to this
and that'll go through the process of installing
Azure CLI on this VM.
So it took a few minutes to complete. It's completed now. So what I'll do is I'll clear the screen
and I will use the apt installer to go ahead and install Docker, which would be the next thing that I'll be doing.
So to install Docker I'll go ahead and run this command here, so apt install docker.io, and I'll go ahead and press enter to that.
So Docker has now been installed on this VM also. So what I'll do is I'll clear the screen again and I'll verify using az
version. There's the Azure CLI installed, and you can see it's installed. And if I repeat the command that I ran earlier for docker version, that should give me the result of the version of the Docker engine that's installed on this VM. So we're good.
So in the next task, I'll be creating an Azure Container Registry instance, and here's a visual representation of what I'll be doing. I'll be creating an Azure container registry instance. And to do that, I'll first of all need to create a resource group using this command, az group create.
And after that, I'll be creating a Standard tier ACR using this command, az acr create.
So let's go ahead and do that. So here I am, back in the Azure portal. Right now I'm logged in as a user called David, who has been assigned the Owner role of this subscription. So what I'll do is I'll be bringing up Cloud Shell. If I go ahead and click on Cloud Shell, logged in as David,
Cloud Shell has now fully opened. Now just pay attention: the first time that you open Cloud Shell, you'll be prompted to create a storage account. Because this is not my first time, I did not receive that prompt. But if it is your first time opening Cloud Shell and you receive that prompt, just simply click on the option to create storage. I'll just expand this to have a bit more space.
So let's go ahead and run our command to create the resource group. So I'll right-click and I'll paste the command. That's az group create, and we're creating a resource group called [inaudible] in UK South. So if I go ahead and press enter to that,
so that's created my resource group. Let's clear the screen,
and the next command, I'll be creating an ACR instance using the
az acr create command, and I'll be calling my ACR [inaudible]. Remember, the name has to be globally unique. If I go ahead and press enter to that,
and that's finished creating my container registry instance. So in the next task I'll be configuring role-based access control for the registry instance that I created,
and here is a visual representation of what I'll be doing. I'll use the Azure portal to assign two roles to a user called Brenda,
and I'll be assigning the Reader role to Brenda, which would give her read access to the management plane of the registry
and also permission to pull images. But I'll also assign the AcrPush role to Brenda, and that will give her permission to push images to the registry.
So here I am, back in the Azure portal. If I go ahead and click on Resource groups,
and I have my ACR resource group that I created earlier using the command. If I go into that, I can see my container registry instance, so I'll go ahead and click on that option,
and this is my container registry.
Now, to assign role-based access control, I'll go under Access control on the left-hand pane,
I'll go ahead and click on Add, and I'll click on Add role assignment.
Now the role that I'll be assigning first will be the Reader role. So if I go ahead and select Reader, and I'll be assigning the role to the user called Brenda, so I'll go ahead and select Brenda and I'll go ahead and click on Save,
and that's going to assign the first role to Brenda.
Now, while it's doing that, I can go ahead and click on Add again and I'll click on Add role assignment.
But this time around I'll be assigning the AcrPush role to Brenda, which would give her permission to push images to this container registry.
If I go ahead and select Brenda and I go ahead and click on Save, and once that's fully assigned, and both of them are fully assigned now, now Brenda has been assigned both of these roles. If I click on Role assignments, I should be able to verify that.
In the final task of this demonstration, I'll verify role-based access control by authenticating as Brenda and pushing a container image to a repository in my ACR instance.
So here's a visual representation of what I'll be doing.
The first thing I'll do is to pull down the container image from the public Docker Hub registry.
I'll then authenticate to Azure and ACR using the az login and the az acr login commands. I'll then tag the image that I downloaded, that I want to push to the registry, with the login server information of my registry.
I'll be obtaining this information from the Azure portal in the demonstration, but we can also obtain it using Azure CLI and even Azure PowerShell.
After that, I'll push my container image to the registry using the docker push command. So I'm back on my Linux system now. So this final task will be done on the system that I prepared earlier. So I'll go ahead and clear the screen.
The first command that I'll run is docker images,
and you can see that there's currently no image in the local cache.
So I'll be running this next command to pull down an image from the Docker Hub public registry. And this is going to be pulling down a version of the .NET Core image,
and I'll go ahead and press enter to that. Now that's completed. So the next thing that I will do is I'll authenticate to Azure using az login. If I go ahead and type az login and I press enter to that. So what I'll do is I'll go ahead and copy that URL. I'll bring up a different private browser tab
because I did not want to use David's
authentication token. I want to authenticate as Brenda.
So if I go ahead and bring up a different browser tab and I put that address in there,
and I'll go ahead and put in the code that I've been prompted to put in there. So if I go ahead and copy that code
and I put that code in and I click Next,
so I'm going to be prompted to authenticate. I'll authenticate as Brenda. I'll go ahead and click Next, then I'll go ahead and enter Brenda's password,
and it says I've signed in to the command-line interface. If I go back to my Linux VM, you can see that I'm now signed in as Brenda,
so that's good.
So the next thing that I would be doing is I'll be authenticating to my ACR instance.
Let's clear the screen,
and I'll go ahead and paste this command in. So it's az acr login. So as I mentioned earlier, this command is going to use the token that's been cached from az login. It's going to use that to seamlessly log me in, authenticate me to this registry instance. So I'll go ahead and run that.
Now you can see "Login Succeeded", so that's good. So now I'm authenticated to the registry.
So the next thing that I'll be doing is I'll be tagging the image that I downloaded. I'll be tagging that with the login server address of my container registry.
And here's what I'll be doing. If I go ahead and type docker images,
I can see the Docker image that I downloaded. I want to tag that with my ACR address instead of this address here,
and if I go ahead and do a docker
I'll specify the
image that I want to tag, if I go ahead and copy that,
and I'll also be specifying the
tag for the image
that I want to tag, if I go ahead and specify that.
Now I mentioned I'm going to be tagging that with the address of my instance. To do that, if I go back to ACR, if I go to Overview,
and I can see the login server information here, if I go ahead and copy that login server information
and I paste the address.
Now, what I'll do is I'll just copy this information here. So now what I'm doing is I'm tagging this image. I'm tagging it with the login server information of my ACR instance, and I'm also specifying the repository that I want to store this image in. So if I go ahead and press enter to that, it has tagged this image locally.
So if I run docker images again,
I can see that now I have two instances of this image. You can see that they have the same image ID and the same size; however, they have different registry tags.
So in the final task, I will simply be pushing this image to my container registry.
So to do that I'll be using docker push,
the name of the image with the registry tag,
and also the tag that I want to use. So I'll just use the same tag. That's fine,
and if I go ahead and press enter to that, now it's beginning to push this image into my container registry,
and it says it successfully pushed this image. If I go back to the Azure portal,
if I go to the repositories in my ACR instance,
you can see I have dotnet/core/runtime, and if I click on that, you can see the tag, and that's my image right there.
So everything looks good.
Here are some supplemental links to install Azure CLI and to install Docker. I have also added a link to review the Azure Container Registry authentication options. Here's a summary of the tasks that we completed in this demonstration. We started by installing the Azure CLI client and also the Docker engine on an Ubuntu virtual machine.
We created an ACR instance using Azure CLI.
We configured role-based access control for a user called Brenda on the container registry. And finally, we authenticated to the registry using Brenda's authentication information, and we pushed an image into the registry. Thanks very much for watching, and I'll see you in the next lesson.