Use ACR-scoped token for registry authentication

kukacz · kukacz · commit 68b8866be2d9 · 2026-02-26T17:10:04.000+01:00
The access token scope for Azure Container Registry was derived from cloud.ResourceManager, which resolves to the ARM endpoint (e.g. https://management.azure.com/.default\). This is an ARM-scoped token, not an ACR-scoped one. Microsoft recommends disabling ARM audience authentication on ACR registries for enhanced security and least-privilege compliance. When organizations follow this recommendation and disable authentication-as-arm, Flux's ARM-scoped tokens are rejected, causing unauthorized errors for workload identity users. Use azcontainerregistry.ServiceName audience instead, which resolves to https://containerregistry.azure.net/.default -- the correct ACR scope as documented by Microsoft: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-disable-authentication-as-arm Signed-off-by: Lukáš Kubín <lukas.kubin@gmail.com>
diff --git a/auth/azure/provider.go b/auth/azure/provider.go
@@ -150,7 +150,14 @@ func (p Provider) GetAccessTokenOptionsForArtifactRepository(artifactRepository
 	default:
 		conf = &cloud.AzurePublic
 	}
-	acrScope := conf.Services[cloud.ResourceManager].Endpoint + "/.default"
+
+	var acrScope string
+	if acrService, ok := conf.Services[azcontainerregistry.ServiceName]; ok {
+		acrScope = acrService.Audience + "/.default"
+	} else {
+		// Fallback for custom environments that don't define ACR service config.
+		acrScope = conf.Services[cloud.ResourceManager].Endpoint + "/.default"
+	}
 
 	return []auth.Option{auth.WithScopes(acrScope)}, nil
 }
diff --git a/auth/azure/provider_test.go b/auth/azure/provider_test.go
@@ -192,15 +192,15 @@ func TestProvider_NewArtifactRegistryCredentials(t *testing.T) {
 	}{
 		{
 			registry:      "foo.azurecr.io",
-			expectedScope: "https://management.azure.com/.default",
+			expectedScope: "https://containerregistry.azure.net/.default",
 		},
 		{
 			registry:      "foo.azurecr.cn",
-			expectedScope: "https://management.chinacloudapi.cn/.default",
+			expectedScope: "https://containerregistry.azure.net/.default",
 		},
 		{
 			registry:      "foo.azurecr.us",
-			expectedScope: "https://management.usgovcloudapi.net/.default",
+			expectedScope: "https://containerregistry.azure.net/.default",
 		},
 	} {
 		t.Run(tt.registry, func(t *testing.T) {
@@ -323,22 +323,22 @@ func TestProvider_GetAccessTokenOptionsForArtifactRepository(t *testing.T) {
 		{
 			name:               "Azure Public Cloud",
 			artifactRepository: "myregistry.azurecr.io",
-			expectedScope:      "https://management.azure.com/.default",
+			expectedScope:      "https://containerregistry.azure.net/.default",
 		},
 		{
 			name:               "Azure China Cloud",
 			artifactRepository: "myregistry.azurecr.cn",
-			expectedScope:      "https://management.chinacloudapi.cn/.default",
+			expectedScope:      "https://containerregistry.azure.net/.default",
 		},
 		{
 			name:               "Azure Government Cloud",
 			artifactRepository: "myregistry.azurecr.us",
-			expectedScope:      "https://management.usgovcloudapi.net/.default",
+			expectedScope:      "https://containerregistry.azure.net/.default",
 		},
 		{
 			name:               "Invalid registry",
 			artifactRepository: "myregistry.invalid.io",
-			expectedScope:      "https://management.azure.com/.default",
+			expectedScope:      "https://containerregistry.azure.net/.default",
 		},
 		{
 			name:               "Custom environment file",
