Pull ACR Images Without Passwords via Passwordless Auth - Container Registry

The passwordless component automates credential injection for pulling container images from ACR, eliminating the need to configure imagePullSecrets in every workload.

How it works

Without the passwordless component, ACK clusters must authenticate each image pull with a username and password. The typical workaround—storing credentials in a Kubernetes Secret—has real drawbacks: Secrets are Base64-encoded plaintext (not encrypted), must be manually added to each workload, and cannot be shared across namespaces.

The passwordless component solves this by acting as a credential broker: it obtains temporary credentials from the ACR instance, stores them in a Secret, and associates that Secret with the service accounts in its configuration. Workloads using those service accounts automatically pull images using the temporary credentials—no imagePullSecrets required.

The component manages service accounts across multiple namespaces simultaneously and automatically refreshes credentials on a configurable schedule, reducing the risk of credential leakage. The component is provided at no additional cost.

Choose an edition

ACK provides the aliyun-acr-credential-helper component in two editions. Only one edition can be installed at a time.

	Managed edition	Self-managed edition
Supported clusters	ACK managed, ACK serverless, and ACK Edge clusters running Kubernetes 1.22 or later	ACK managed and ACK dedicated clusters running Kubernetes 1.20 or later
Key features	No self-management required; supports cross-account image pulls using RAM Roles for Service Accounts (RRSA)	Supports querying component logs; supports cross-account image pulls using a worker RAM role, RRSA, or an AccessKey pair

To upgrade a cluster, see Manually upgrade a cluster.

Important

The passwordless component supports only ACR Enterprise Edition instances and ACR Personal Edition instances created on or before September 8, 2024. If you are using a Personal Edition instance created on or after September 9, 2024, use imagePullSecrets instead. See How do I use imagePullSecrets?

Prerequisites

Before you begin, ensure that you have:

A cluster version supported by the passwordless component (see the table above)
An ACR Enterprise Edition instance
Permissions granted to the RAM role used by the passwordless component
Network connectivity between the ACR instance and the ACK cluster (see below)

Configure network connectivity

Before pulling an image, make sure the ACR Enterprise Edition instance and the ACK cluster can communicate and that domain names resolve correctly. The following options are available for same-account image pulls:

VPC access (same region): If the ACR instance and the ACK cluster are in the same region, the cluster can access ACR through a VPC. See Network access control.
VPC peering connection (cross-VPC): If the ACR instance and the ACK cluster are in different VPCs, create a VPC peering connection to link them. VPC peering is free for same-region VPCs and charged for cross-region VPCs (see Billing). The CIDR blocks of the two VPCs must not overlap. To set up a VPC peering connection:
VPC peering connection procedure
1. Attach a VPC to the ACR instance for internal endpoint resolution
2. Get the domain names and IP addresses of the ACR instance
3. Create the VPC peering connection and configure route tables
4. Configure DNS resolution so the ACR domain name resolves to its internal IP address in the ACK cluster, using internal DNS resolution or a node pool custom data script to modify /etc/hosts in batches.
Internet: If both the ACR instance and the ACK cluster have internet access, images can be transferred over the internet. See Configure public access control and Enable internet access for a cluster.

Use the managed edition

Step 1: Install the component

Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the target cluster. In the left-side navigation pane, click Add-ons.
On the Add-ons page, click the Security tab. Find the aliyun-acr-credential-helper (Managed) card and click Install.

On the Install aliyun-acr-credential-helper page, review the AcrInstanceInfo configuration and other options. AcrInstanceInfo holds the configuration for each ACR instance associated with the component. If you do not need to change the monitored namespaces or service accounts, keep the default settings.

After installation, update the configuration at any time by clicking Configuration on the aliyun-acr-credential-helper (Managed) card on the Add-ons page.

AcrInstanceInfo parameters:

Parameter	Description
InstanceId	The ACR instance ID, available in the Container Registry consoleContainer Registry consoleContainer Registry consoleContainer Registry consoleContainer Registry consoleContainer Registry consoleContainer Registry consoleContainer Registry consoleContainer Registry consoleContainer Registry consoleContainer Registry consoleContainer Registry console. Leave blank for a Personal Edition instance; required for an Enterprise Edition instance.
regionId	The region ID of the ACR instance, available in the Container Registry consoleContainer Registry consoleContainer Registry consoleContainer Registry consoleContainer Registry consoleContainer Registry consoleContainer Registry consoleContainer Registry consoleContainer Registry consoleContainer Registry consoleContainer Registry consoleContainer Registry console. Required for cross-region image pulls.
domains	The domain names the component uses to access the ACR instance. Defaults to all domain names (public and VPC) of the specified instance. Separate multiple values with commas (,).
assumeRoleARN	For cross-account pulls only. Leave blank for same-account pulls. See Pull images across accounts.
expireDuration	Cross-account configuration. Leave blank for same-account pulls.
rrsaRoleARN	Cross-account configuration. Leave blank for same-account pulls.
rrsaOIDCProviderRoleARN	Cross-account configuration. Leave blank for same-account pulls.

Component settings:

Setting	Default	Description
Enable RRSA	Off	Enable to support cross-account image pulls. Not required for same-account pulls.
watchNamespace	`default`	The namespaces to monitor for passwordless image pulls. Use `all` for all namespaces, or specify multiple namespaces separated by commas (,). Avoid `all` or system component namespaces to prevent issues with system image pulls.
serviceAccount	`Default`	The service accounts the component applies to. `Default` targets the default service account in all specified namespaces; `*` targets all service accounts. Separate multiple values with commas (,).
expiringThreshold	`15m`	How early before credential expiration the component refreshes them.
notifyEmail	—	No configuration required.

Step 2: Pull an image

After installing the component, specify a service account associated with it when creating a workload. The component automatically injects the credentials—no imagePullSecrets field needed.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      serviceAccountName: my-service-account # Specify a service account associated with the passwordless component.
      containers:
      - name: nginx
        image: "******.cn-hangzhou.cr.aliyuncs.com/nginx/nginx:latest" # Specify the ACR image address.
        ports:
        - containerPort: 80

To verify the component is working, run the following command and confirm that the imagePullSecrets field on the service account is populated:

kubectl describe serviceaccount <your-service-account> -n <your-namespace>

Use the self-managed edition

Step 1: Install the component

Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the target cluster. In the left-side navigation pane, click Add-ons.
On the Add-ons page, click the Security tab. Find aliyun-acr-credential-helper and click Install.

On the Parameter Settings page, select a permission mode from the tokenMode drop-down list and click OK. After installation, configure the component before pulling images. See Step 2: Add an ACR instance to the component. When using workerRole, grant the following permissions to the worker RAM role. See Grant permissions to a RAM role for instructions.

tokenMode	Description
auto (recommended)	Detects the cluster creation date and picks the permission mode automatically. Clusters created before April 3, 2023 use `workerRole`; clusters created on or after that date use `managedRole`.
managedRole	Uses the `AliyunCSManagedAcrRole` role granted in the Prerequisites section.
workerRole	Uses the cluster's worker RAM role. Grant the required permissions to the worker RAM role before using this mode. Select this mode for cross-account image pulls via role assumption.

Select workerRole as the component mode

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "cr:GetAuthorizationToken",
        "cr:ListInstanceEndpoint",
        "cr:PullRepository"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

Step 2: Add an ACR instance to the component

After installing the component, configure the acr-configuration ConfigMap to add an ACR instance. Use the console or kubectl.

Console

On the Clusters page, click the target cluster name. In the left-side navigation pane, choose Configurations > ConfigMaps.

On the ConfigMaps page, select kube-system from the Namespace drop-down list. Click the acr-configuration ConfigMap and update the fields described below. Cross-region configuration example: When using multiple ACR instances in different regions, specify the ID and region for each instance.

Key	Default	Description
watch-namespace	`default`	The namespaces to monitor for passwordless image pulls. Use `all` for all namespaces. Separate multiple values with commas (,). Avoid `all` or system namespaces to prevent issues with system image pulls.
acr-api-version	—	Keep the default value.
expiring-threshold	`15m`	How early before credential expiration the component refreshes them.
acr-registry-info	—	An array of instance configurations in multi-line YAML format. Each entry includes: `instanceId` (leave blank for Personal Edition, required for Enterprise Edition), `regionId` (defaults to the local region; required for cross-region pulls), and `domains` (defaults to all domain names; separate multiple values with commas).
service-account	`default`	The service accounts the component applies to. Use `"*"` for all service accounts in the specified namespaces. Separate multiple values with commas (,).

Configuration example for cross-region pulls

data:
  service-account: "default"
  watch-namespace: "all"
  expiring-threshold: "15m"
  notify-email: "c*@aliyuncs.com"
  acr-registry-info: |
    - instanceId: "cri-instanceId"
      regionId: "cn-beijing"
    - instanceId: "cri-instanceId"
      regionId: "cn-hangzhou"

kubectl

Edit acr-configuration directly:

Key	Default	Description
`service-account`	`default`	Service accounts the component applies to. Use `"*"` for all service accounts. Separate multiple values with commas.
`acr-registry-info`	—	Array of instance configurations in multi-line YAML format. Each entry includes `instanceId` (required for Enterprise Edition), `regionId` (optional; defaults to local region), and `domains` (optional; defaults to all domain names).
`watch-namespace`	`default`	Namespaces to monitor. Use `all` for all namespaces. Avoid system namespaces.
`expiring-threshold`	`15m`	How early before expiration the component refreshes credentials.

kubectl edit cm acr-configuration -n kube-system

Enterprise Edition configuration example:

- instanceId: <cri-instanceId>
  regionId: "cn-hangzhou"
  domains: "xxx.com,yyy.com"

Step 3: Pull an image

After configuring the component, specify a service account associated with it when creating a workload.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      serviceAccountName: my-service-account # Specify a service account associated with the passwordless component.
      containers:
      - name: nginx
        image: "******.cn-hangzhou.cr.aliyuncs.com/nginx/nginx:latest" # Specify the ACR image address.
        ports:
        - containerPort: 80

To verify the component is working, run the following command and confirm that imagePullSecrets is populated on the service account:

kubectl describe serviceaccount <your-service-account> -n <your-namespace>

FAQ

How do I enable immediate Secret injection for newly created service accounts?

Important

This feature requires aliyun-acr-credential-helper v23.02.06.1-74e2172-aliyun or later.

When enabled, the passwordless component uses a webhook to detect new service accounts and inject the Secret the moment they are created. This is useful when a Helm Chart creates a service account and a Deployment simultaneously—without immediate injection, the Deployment may start before credentials are available.

Because the webhook adds overhead to every service account creation, only enable this feature if your workflow requires it.

Managed component

Install the acr-credential-helper-webhook (Managed) component:

On the ACK Clusters page, click the target cluster name. In the left-side navigation pane, click Add-ons.
On the Add-ons page, click the Security tab. Find the acr-credential-helper-webhook (Managed) card and click Install.

Self-managed component

Add the following fields to the acr-configuration ConfigMap:

data:
  webhook-configuration: |
    enable: true
    failure-policy: Ignore
    timeout-seconds: 10

Field	Description
`enable`	Set to `true` to enable the webhook.
`failure-policy`	What happens if the webhook encounters an error during service account creation. `Ignore` creates the service account normally (the Secret may not be attached). `Fail` blocks service account creation on error—not recommended, as it can cause deployment failures.
`timeout-seconds`	Timeout for each service account creation request. Defaults to `10` seconds. If exceeded, the system responds according to `failure-policy`.

Important

If timeout-seconds is 15, failure-policy is Fail, and 10 service accounts are created per second continuously, service account creation may fail due to API Server limitations.

Why does the image pull still fail after configuring the passwordless component?

The most common cause is a configuration mismatch. Check the following:

The instance information in the component (instance ID, region, domains) matches the ACR instance.
The image address used in the workload matches a domain name configured in the component.

If the configuration looks correct, check whether the workload YAML has an imagePullSecrets field set manually. The passwordless component cannot coexist with a manually specified imagePullSecrets. Delete the imagePullSecrets field from the workload, then delete and recreate the Pod.

How do I use imagePullSecrets?

ACR Personal Edition instances created on or after September 9, 2024 do not support the passwordless component. For these instances, store the registry credentials in a Secret and reference it in imagePullSecrets.

Important

The passwordless component and a manually specified imagePullSecrets field cannot be used at the same time. The Secret must be in the same namespace as the workload.

Example of using imagePullSecrets

Create a Secret from your registry credentials:

kubectl create secret docker-registry image-secret-1 \
  --docker-server=<registry-server> \
  --docker-username=<name> \
  --docker-password=<password> \
  --docker-email=<email>

Reference the Secret in your workload:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-test
  namespace: default
  labels:
    app: nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      imagePullSecrets:
      - name: image-secret-1  # Use the Secret created in the previous step.
      containers:
      - name: nginx
        image: <acrID>.cr.aliyuncs.com/<repo>/nginx:latest  # Replace with the ACR image address.

Container Registry:Use the passwordless component to pull images from an ACR Enterprise Edition instance within the same account

How it works

Choose an edition

Prerequisites

Use the managed edition

Step 1: Install the component

Step 2: Pull an image

Use the self-managed edition

Step 1: Install the component

Step 2: Add an ACR instance to the component

Console

kubectl

Step 3: Pull an image

FAQ

How do I enable immediate Secret injection for newly created service accounts?

Managed component

Self-managed component

Why does the image pull still fail after configuring the passwordless component?

How do I use imagePullSecrets?

What's next