Azure Container Registry plugin for Backstage
The Azure Container Registry (ACR) plugin displays information about your container images available in the Azure Container Registry.
For administrators
Installing and configuring the ACR plugin
- Run the following command to install the ACR plugin:

  ```bash
  yarn workspace app add @backstage-community/plugin-acr
  ```

- Set the proxy to the desired ACR server in the app-config.yaml file as follows:

  ```yaml
  proxy:
    endpoints:
      '/acr/api':
        target: 'https://mycontainerregistry.azurecr.io/acr/v1/'
        credentials: require
        changeOrigin: true
        headers:
          Authorization: 'Basic ${ACR_AUTH_TOKEN}'
        secure: true
  ```

  (Optional) Specify a Custom Registry Path to Support Multiple Registries

  ```yaml
  proxy:
    endpoints:
      '/acr/api':
        target: 'https://mycontainerregistry.azurecr.io/acr/v1/'
        credentials: require
        changeOrigin: true
        headers:
          Authorization: 'Basic ${ACR_AUTH_TOKEN}'
        secure: true
      '/acr/custom/api/mysecondregistry':
        target: 'https://mysecondregistry.azurecr.io/acr/v1/'
        credentials: require
        changeOrigin: true
        headers:
          Authorization: 'Basic ${SECOND_ACR_AUTH_TOKEN}'
        secure: true
  ```

  [!NOTE]
  The value inside each route is either a simple URL string, or an object in the format accepted by http-proxy-middleware. Additionally, it has an optional credentials key which can have the following values:

  - require: Callers must provide Backstage user or service credentials with each request. The credentials are not forwarded to the proxy target. This is the default.
  - forward: Callers must provide Backstage user or service credentials with each request, and those credentials are forwarded to the proxy target.
  - dangerously-allow-unauthenticated: No Backstage credentials are required to access this proxy target. The target can still apply its own credentials checks, but the proxy will not help block non-Backstage-blessed callers. If you also add allowedHeaders: ['Authorization'] to an endpoint configuration, then the Backstage token (if provided) WILL be forwarded.

  Note that if you have backend.auth.dangerouslyDisableDefaultAuthPolicy set to true, the credentials value does not apply; the proxy will behave as if all endpoints were set to dangerously-allow-unauthenticated.

- Set the authorization using one of the following options:

- Enable an additional tab on the entity view page using the packages/app/src/components/catalog/EntityPage.tsx file as follows:

  ```tsx
  import {
    AcrImagesEntityContent,
    isAcrAvailable,
  } from '@backstage-community/plugin-acr';

  const serviceEntityPage = (
    <EntityLayout>
      {/* ... */}
      {/* highlight-add-start */}
      <EntityLayout.Route if={isAcrAvailable} path="/acr" title="ACR images">
        <AcrImagesEntityContent />
      </EntityLayout.Route>
      {/* highlight-add-end */}
    </EntityLayout>
  );
  ```

- Annotate your entity using the following annotations:

  ```yaml
  metadata:
    annotations:
      'azure-container-registry/repository-name': '<REPOSITORY-NAME>'
  ```

  (Optional) Specify a Custom Registry Path to Support Multiple Registries

  ```yaml
  metadata:
    annotations:
      'azure-container-registry/repository-name': '<REPOSITORY-NAME>'
      'azure-container-registry/registry-name': '<REGISTRY-NAME>'
  ```
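
The proxy settings and the credentials modes described in the note above can be checked mechanically before a config change is deployed. The following is an added example, not code from the ACR plugin or from Backstage: a hypothetical `auditProxyConfig` function that assumes the app-config has already been parsed from YAML into an object before `${...}` environment substitution, and flags the weakened settings. The second endpoint in `sampleConfig` is a constructed weak variant.

```javascript
// Added example (not Backstage or plugin code). Input: app-config parsed from
// YAML *before* ${ENV} substitution. sampleConfig is constructed.
const MODES = ['require', 'forward', 'dangerously-allow-unauthenticated'];

function auditProxyConfig(config) {
  const findings = [];
  const authOff = config?.backend?.auth?.dangerouslyDisableDefaultAuthPolicy === true;
  for (const [route, raw] of Object.entries(config?.proxy?.endpoints ?? {})) {
    // A route value is either a plain URL string or an options object.
    const ep = typeof raw === 'string' ? { target: raw } : raw;
    const mode = ep.credentials ?? 'require'; // "require" is the default
    const add = (severity, message) => findings.push({ route, severity, message });
    if (!MODES.includes(mode)) add('high', `unknown credentials value: ${mode}`);
    if (authOff) add('high', 'default auth policy disabled; credentials setting is ignored');
    else if (mode === MODES[2]) add('high', 'no Backstage credentials required');
    const allowed = (ep.allowedHeaders ?? []).map(h => String(h).toLowerCase());
    if (mode === MODES[2] && allowed.includes('authorization'))
      add('medium', 'Backstage token is forwarded to the target');
    if (!String(ep.target ?? '').startsWith('https://')) add('high', 'target is not HTTPS');
    if (ep.secure === false) add('high', 'TLS certificate verification disabled');
    for (const [name, value] of Object.entries(ep.headers ?? {})) {
      // Registry credentials should be injected from the environment.
      if (name.toLowerCase() === 'authorization' && !/\$\{\w+\}/.test(String(value)))
        add('high', 'Authorization header holds a literal secret');
    }
  }
  return findings;
}

const sampleConfig = {
  proxy: {
    endpoints: {
      '/acr/api': {
        target: 'https://mycontainerregistry.azurecr.io/acr/v1/',
        credentials: 'require', changeOrigin: true, secure: true,
        headers: { Authorization: 'Basic ${ACR_AUTH_TOKEN}' },
      },
      '/acr/custom/api/mysecondregistry': { // constructed weak variant
        target: 'https://mysecondregistry.azurecr.io/acr/v1/',
        credentials: 'dangerously-allow-unauthenticated', secure: false,
        allowedHeaders: ['Authorization'],
        headers: { Authorization: 'Basic PLACEHOLDER_LITERAL_TOKEN' },
      },
    },
  },
};

console.table(auditProxyConfig(sampleConfig));
```

The endpoint configured as shown in the installation steps produces no findings; every finding in the output belongs to the constructed second endpoint.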
Use new frontend system
- Install the frontend plugin:

  ```bash
  yarn workspace app add @backstage-community/plugin-acr
  ```

- Enable the plugin in your packages/app(-next)/src/App.tsx:

  After all other imports:

  ```tsx
  import acrPlugin from '@backstage-community/plugin-acr/alpha';

  export const app = createApp({
    features: [
      catalogPlugin,
      catalogImportPlugin,
      userSettingsPlugin,
      acrPlugin,
    ],
  });
  ```
For users
Using the ACR plugin in Backstage
ACR is a front-end plugin that enables you to view information about the container images from your Azure Container Registry in Backstage.
Prerequisites
Procedure
- Open your Backstage application and select a component from the Catalog page.
- Go to the ACR tab.

The ACR tab in the Backstage UI contains a list of container images and related information, such as TAG, CREATED, LAST MODIFIED, and MANIFEST.