Feature request: Improved security for Transfer Artifacts #728

Open
david-jarman opened this issue Jan 8, 2024 · 1 comment
Comments

@david-jarman

What is the problem you're trying to solve
I want to be able to copy artifacts between ACRs in different tenants while using Azure security best practices, such as using private endpoints and Microsoft Entra authentication.

Describe the solution you'd like
The current approach for using a storage account to transfer artifacts to an ACR is that you have to use SAS keys, which means shared access keys must be enabled on the storage account. In many organizations, this is not allowed and all auth must go through Microsoft Entra ID so that all access is auditable. Since ACRs can have managed identities, it seems reasonable that it could use that identity to access the storage account that contains the artifacts.

Private endpoints are currently not supported for the source storage account, which is a blocker for security-minded organizations that block all public access and force traffic through private endpoints. Copying data between storage accounts that have private endpoints is allowed if the caller has access to both storage accounts. The same should be true for copying data from a storage account to an ACR. The client's source IP should be used to allow the ACR to talk to the storage account.

Summary: Use ACR managed identity to auth with storage account. Use the IP of the client requesting the transfer to allow traffic between ACR and storage account with private endpoints enabled.

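As an added example (not part of this issue or of the ACR project), here is the check an organization with the posture described above would run against its transfer storage accounts: a small Python audit over the JSON shape of `az storage account list` that flags accounts still permitting shared-key (SAS) authentication or public network access. The property names (`allowSharedKeyAccess`, `publicNetworkAccess`, `networkRuleSet.defaultAction`) are the real ARM storage-account properties; the sample output and account names are constructed.

```python
import json

# Constructed sample in the shape of `az storage account list -o json`
# (only the fields this check reads are included; names are made up).
SAMPLE_AZ_OUTPUT = json.dumps([
    {   # hardened: Entra-only auth, no public endpoint at all
        "name": "stprivtransfer",
        "allowSharedKeyAccess": False,
        "publicNetworkAccess": "Disabled",
        "networkRuleSet": {"defaultAction": "Deny"},
    },
    {   # weak: SAS/shared-key auth possible and reachable from any network
        "name": "stlegacyxfer",
        "allowSharedKeyAccess": True,
        "publicNetworkAccess": "Enabled",
        "networkRuleSet": {"defaultAction": "Allow"},
    },
    {   # subtle: property never set; Azure treats null as shared key ALLOWED
        "name": "stdefaultsxfer",
        "allowSharedKeyAccess": None,
        "publicNetworkAccess": "Enabled",
        "networkRuleSet": {"defaultAction": "Deny"},
    },
])


def audit_storage_accounts(az_json: str) -> dict[str, list[str]]:
    """Return {account_name: [findings]} for accounts that still permit
    shared-key (SAS) auth or have a reachable public endpoint."""
    findings: dict[str, list[str]] = {}
    for acct in json.loads(az_json):
        issues = []
        # Only an explicit False disables keys; None means the platform default (allowed).
        if acct.get("allowSharedKeyAccess") is not False:
            issues.append("shared key / SAS auth allowed (set allowSharedKeyAccess=false)")
        if acct.get("publicNetworkAccess", "Enabled") != "Disabled":
            default_action = (acct.get("networkRuleSet") or {}).get("defaultAction", "Allow")
            if default_action != "Deny":
                issues.append("public endpoint open to all networks")
            else:
                issues.append("public endpoint enabled behind firewall; prefer publicNetworkAccess=Disabled")
        if issues:
            findings[acct["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_storage_accounts(SAMPLE_AZ_OUTPUT).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Run it against real output by piping `az storage account list -o json` into `audit_storage_accounts`; an account that only gets the SAS finding is exactly the case the request describes, where the transfer pipeline forces shared keys back on.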

@terencet-dev
Contributor

Thanks, @david-jarman - thanks for sending in your feedback for a product feature request. Our team will review this and will provide updates whenever I get them. In the meantime, I am moving this to our backlog.
