Solutions
Solutions
Snyk
Docs Library
Blog
Partners
Home
Snyk Academy
Getting Started with Snyk
Snyk Open Source
Snyk Container
Partner Workshops
Amazon Web Services
Atlassian
CircleCI
Docker
GitHub
Microsoft Azure
Getting started
Sign up for Snyk
Securing AKS with Snyk
Securing ACR with Snyk
Provision Azure services
Building container images
Configure the ACR integration
Scan ACR images
Interpret scan results
Fix issues
Securing Azure Repos with Snyk
Notifications in Microsoft Teams
Red Hat
SpringOne Workshop
Integration Guide
IDE plugin
Snyk Connector
Snyk Webhooks
Powered by GitBook

Configure the ACR integration

Create a service principal

It is recommended that you assign a service principal to your registry. Please review the Authenticate with an Azure container registry documentation for further information on this topic.

To simplify this process, you will find a sample bash script in the scripts/ directory of your cloned repo. From the terminal, let's make sure we are at the root of our cloned repository by typing pwd and verifying the result displays $HOME/snyk-azure-resources/.

Then, let's change directory by typing the following command:

cd scripts/

From here, a simple ls -a command will show the contents and you will see the create-acr-service-principal.sh script in that directory. You can open this in your favorite editor like Microsoft Visual Studio Code and review the contents.

These will look like this:

#!/bin/bash
​
# Modify for your environment.
# ACR_NAME: The name of your Azure Container Registry
# SERVICE_PRINCIPAL_NAME: Must be unique within your AD tenant
ACR_NAME=${1}
SERVICE_PRINCIPAL_NAME=acr-service-principal
​
# Obtain the full registry ID for subsequent command args
ACR_REGISTRY_ID=$(az acr show --name $ACR_NAME --query id --output tsv)
​
# Create the service principal with rights scoped to the registry.
# Default permissions are for docker pull access. Modify the '--role'
# argument value as desired:
# acrpull:     pull only
# acrpush:     push and pull
# owner:       push, pull, and assign roles
SP_PASSWD=$(az ad sp create-for-rbac --name http://$SERVICE_PRINCIPAL_NAME --scopes $ACR_REGISTRY_ID --role acrpull --query password --output tsv)
SP_APP_ID=$(az ad sp show --id http://$SERVICE_PRINCIPAL_NAME --query appId --output tsv)
​
# Output the service principal's credentials; use these in your services and
# applications to authenticate to the container registry.
echo "Service principal ID: $SP_APP_ID"
echo "Service principal password: $SP_PASSWD"

To run the script simply invoke it from the present working directory and pass the ACR name, mysnykcontainerregistry as a parameter as follows:

./create-acr-service-principal.sh mysnykcontainerregistry

Upon successful completion, you will see results similar to the following:

Creating a role assignment under the scope of "/subscriptions/<guid>/resourceGroups/mySnykACRResourceGroup/providers/Microsoft.ContainerRegistry/registries/mySnykContainerRegistry"
  Retrying role assignment creation: 1/36
Service principal ID: <guid>
Service principal password: <guid>

Take note of the values for Service principal ID and Service principal password. You will need these to configure the integration in the following steps so DO NOT close or clear your terminal window.

Enable the integration

From the Snyk web console, navigate to Integrations. Search and select ACR. Click the tile.

Follow the steps outlined in the following diagram and provide the Service principal ID Service principal password and loginServer value for your ACR instance:

Remember to save your settings!

Previous
Building container images
Next
Scan ACR images
Last updated 1 year ago
Contents
Create a service principal
Enable the integration