...
# ACR Docker Credential Helper

The ACR docker credential helper is an alternative to the existing file-store-based ACR helper
located [here](https://github.com/Azure/acr-docker-credential-helper), which relies on the `az` command
line and is not optimised for use in CI environments. The primary use case for this helper is
with kaniko and other tools running in CI scenarios that need to push to Azure Container Registry.

## How it works

The credential helper sources its configuration from well-known Azure environment information.
It first attempts to authenticate via the client credentials grant if the following environment config is present:

```
AZURE_CLIENT_ID=<clientID>
AZURE_CLIENT_SECRET=<clientSecret>
AZURE_TENANT_ID=<tenantId>
```

If the details needed for the client credentials grant are not set, it will try to
find a [federated OIDC JWT](https://learn.microsoft.com/en-us/graph/api/resources/federatedidentitycredentials-overview?view=graph-rest-1.0)
in the environment. To use this, set the following values in the environment:

```
AZURE_CLIENT_ID=<clientID>
AZURE_FEDERATED_TOKEN=<federatedJWT>
AZURE_TENANT_ID=<tenantId>
```

If you use federated OIDC with [Azure Workload Identity](https://github.com/Azure/azure-workload-identity), you don't
have to set any environment variables, as they are injected automatically.

If none of the above are set, authentication falls back to managed service identities (MSI): the helper
attempts to contact the MSI endpoint, which works in various Azure contexts such as App Service and Azure Kubernetes Service,
where the endpoint authenticates the MSI context the service is running under.
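
A pre-flight check for a CI job, added here as an example and not part of the helper's own code: it predicts which of the three sources the fallback order above would select and flags credentials that are set but would go unused. It assumes each method needs every variable listed for it and considers only the variables named on this page (Workload Identity injection is not modelled); the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the helper. Predicts the credential source from
# the fallback order in the README, assuming each method needs all of the
# variables listed for it. Variable values are never printed.

# is_set NAME: true when the variable NAME is set and non-empty.
is_set() {
    eval "[ -n \"\${$1:-}\" ]"
}

# acr_auth_mode: print the method the documented order would select.
acr_auth_mode() {
    if is_set AZURE_CLIENT_ID && is_set AZURE_TENANT_ID; then
        if is_set AZURE_CLIENT_SECRET; then
            echo client-credentials; return 0
        fi
        if is_set AZURE_FEDERATED_TOKEN; then
            echo federated-token; return 0
        fi
    fi
    echo managed-identity
}

# acr_auth_warnings: print the names (never the values) of credentials that
# are set but would not be used by the selected method.
acr_auth_warnings() {
    mode=$(acr_auth_mode)
    for name in AZURE_CLIENT_SECRET AZURE_FEDERATED_TOKEN; do
        is_set "$name" || continue
        case "$mode:$name" in
            client-credentials:AZURE_CLIENT_SECRET) ;;
            federated-token:AZURE_FEDERATED_TOKEN) ;;
            *) echo "$name is set but unused: helper would use $mode" ;;
        esac
    done
}

# acr_auth_preflight EXPECTED: fail the job when the predicted method differs.
acr_auth_preflight() {
    mode=$(acr_auth_mode)
    acr_auth_warnings >&2
    if [ "$mode" != "$1" ]; then
        echo "expected $1 but environment selects $mode" >&2
        return 1
    fi
    echo "auth mode: $mode"
}
```

Call `acr_auth_preflight federated-token` (or the method you intend) before the push step, so that a missing variable fails the job instead of the build authenticating as the managed identity of the host it runs on.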