In this article, I am going to walk through how to create an Azure container registry using the Azure CLI. I will also show you how to grant permission for your AKS cluster to connect to the ACR.
Create the ACR
First make sure you are logged in to Azure using az login and select the subscription you want to create the ACR in.
Now that you are logged in, it's time to start the creation. An ACR, like every other resource, needs to reside in a Resource Group. You can use the following command to create one.

    az group create --name pixelrobots-acr-rg --location ukwest

Now that you have a Resource Group you can use the following command to create the ACR.

    az acr create --resource-group pixelrobots-acr-rg --name pixelrobotsacr --sku basic

The name for your ACR must be unique within Azure and contain 5-50 alphanumeric characters.

That’s your ACR created. Now to log in.
A little note about the different SKUs. There are 3 different ones: Basic, Standard and Premium.
Below is a table that details the features and limits.
Resource | Basic | Standard | Premium |
Storage | 10 GiB | 100 GiB | 500 GiB |
Max image layer size | 20 GiB | 20 GiB | 50 GiB |
ReadOps per minute | 1,000 | 3,000 | 10,000 |
WriteOps per minute | 100 | 500 | 2,000 |
Download bandwidth MBps | 30 | 60 | 100 |
Upload bandwidth MBps | 10 | 20 | 50 |
Webhooks | 2 | 10 | 100 |
Geo-replication | N/A | N/A | Supported |
Content trust (preview) | N/A | N/A | Supported |
From <https://docs.microsoft.com/en-us/azure/container-registry/container-registry-skus>
You can switch between SKUs by using the following command.

    az acr update --name pixelrobotsacr --sku Premium

Let’s log in to the ACR
To log in use the following command. Just make sure to change the name to your ACR.

    az acr login --name pixelrobotsacr

To be able to push your container images to your new ACR you need to make sure you tag them correctly.
Time to Tag
For this bit, I am going to assume you have a Docker image on your local machine. To view your Docker images you can use the command docker images.

To actually use your ACR, the images you want to push to it need to be tagged with the login server address of your ACR. This tag is what is used to route the container image to the correct registry.
To find the login server address use the following command.

    az acr list --resource-group pixelrobots-acr-rg --query "[].{acrLoginServer:loginServer}" --output table

Now that you have the login server address you can tag your Docker images using it. To do this use the docker tag command.

    docker tag pixelweb:v1 pixelrobotsacr.azurecr.io/pixelweb:v1

To check that the tagging has worked just run docker images again.

Push to the ACR
To do this we use the docker push command. Just make sure you change the ACR login server and image to match yours.

    docker push pixelrobotsacr.azurecr.io/pixelweb:v1

Depending on the size of the image and your internet connection it could take some time to upload.

List images in the ACR
This one's a nice easy command.

    az acr repository list --name pixelrobotsacr --output table

If you want to see what tags are available for a certain container you can use the following command.

    az acr repository show-tags --name pixelrobotsacr --repository pixelweb --output table

OK, great, you have your ACR created and a Docker image pushed to it. Now let's allow AKS access to it.
Allow AKS access to ACR
When you created your AKS cluster you would have created a service principal. To give AKS access to ACR we are going to use this for authentication. The script below creates an Azure AD role assignment that grants the service principal access to the ACR. Just change the variables at the top to match your setup.

    AKS_RESOURCE_GROUP=myAKSResourceGroup
    AKS_CLUSTER_NAME=myAKSCluster
    ACR_RESOURCE_GROUP=myACRResourceGroup
    ACR_NAME=myACRRegistry

    # Get the id of the service principal configured for AKS
    CLIENT_ID=$(az aks show --resource-group "$AKS_RESOURCE_GROUP" --name "$AKS_CLUSTER_NAME" --query "servicePrincipalProfile.clientId" --output tsv)

    # Get the ACR registry resource id
    ACR_ID=$(az acr show --name "$ACR_NAME" --resource-group "$ACR_RESOURCE_GROUP" --query "id" --output tsv)

    # Create role assignment
    az role assignment create --assignee "$CLIENT_ID" --role acrpull --scope "$ACR_ID"
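
To confirm the result, here is an added check (not part of the original article) that audits the roles the AKS service principal holds on the registry and flags anything beyond acrpull at registry scope. It goes slightly beyond the script above by also looking at inherited assignments; the helper name audit_acr_roles and the sample resource IDs are assumptions made up for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): audit the role assignments
# the AKS service principal holds on the registry. Live input would come from:
#   az role assignment list --assignee "$CLIENT_ID" --scope "$ACR_ID" \
#     --include-inherited --query "[].[roleDefinitionName, scope]" --output tsv

# audit_acr_roles <acr-resource-id>  (hypothetical helper name)
# Reads "role<TAB>scope" rows on stdin and prints one finding per row.
# Returns 0 only when acrpull at the registry itself is all the principal has.
# The body is a subshell, so its variables do not leak into the caller.
audit_acr_roles() (
  tab=$(printf '\t')
  acr_id=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  has_pull=0
  excess=0
  while IFS="$tab" read -r role scope || [ -n "$role" ]; do
    [ -n "$role" ] || continue
    role_lc=$(printf '%s' "$role" | tr '[:upper:]' '[:lower:]')
    scope_lc=$(printf '%s' "$scope" | tr '[:upper:]' '[:lower:]')
    if [ "$role_lc" != "acrpull" ]; then
      # Any other role is more than the article's script grants.
      echo "EXCESS $role at $scope"
      excess=1
    elif [ "$scope_lc" = "$acr_id" ]; then
      echo "OK $role at registry scope"
      has_pull=1
    else
      # Inherited from a parent scope: applies to every registry under it.
      echo "WIDE $role inherited from $scope"
      has_pull=1
      excess=1
    fi
  done
  [ "$has_pull" -eq 1 ] || echo "MISSING no acrpull assignment found"
  [ "$has_pull" -eq 1 ] && [ "$excess" -eq 0 ]
)

# Constructed sample input: placeholder subscription id, names from the script.
ACR_ID_SAMPLE="/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myACRResourceGroup/providers/Microsoft.ContainerRegistry/registries/myACRRegistry"
RG_ID_SAMPLE="${ACR_ID_SAMPLE%/providers/*}"
SAMPLE_ROWS=$(printf 'AcrPull\t%s\nContributor\t%s' "$ACR_ID_SAMPLE" "$RG_ID_SAMPLE")

printf '%s\n' "$SAMPLE_ROWS" | audit_acr_roles "$ACR_ID_SAMPLE" \
  || echo "=> remove or narrow the assignments flagged above"
```

Resource IDs and role names are compared case-insensitively, since Azure treats them that way.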

And there you have it you can now deploy containers from your Azure Container Registry. If you have any questions please reach out.
4 Comments
Peter K · March 19, 2019 at 2:13 pm
Great post! Not the first time I’ve been visiting it for help.
Edward Pius · May 5, 2019 at 4:52 am
Hello Richard,
I have configured an ACR in a different subscription. My intention is to create one K8S cluster per subscription. We want to have different subscriptions per environment (dev/uat/stage/prod). The ACR will live on a “shared” subscription. So, in this case, I am guessing that I have to create a service principal which has access to all the required subscriptions?
Before reading this article, I was creating a K8S secret with the ACR information to access the images per subscription/namespace. If this can be done using across multiple subscriptions, that would be really nice.
Thanks,
Edward
Edward Pius · May 5, 2019 at 4:56 am
Hello Richard,
I have configured an ACR in a different subscription. My intention is to create one K8S cluster per subscription. We want to have different subscriptions per environment (dev/uat/stage/prod). The ACR will live on a “shared” subscription. So, in this case, I am guessing that I have to create a service principal which has access to all the required subscriptions?
Before reading this article, I was creating a K8S secret with the ACR information to access the images per subscription/namespace. If this can be done using across multiple subscriptions, that would be really nice.
Thanks,
Edward
Pixel Robots. · May 5, 2019 at 8:38 am
Hello, as long as your subscriptions are under the same tenant, then yes, create a Service Principal that is scoped to all your subscriptions.