What This Skill Does
The Azure Container Registry Python skill enables AI agents to manage container images, artifacts, and repositories programmatically within Azure's container registry service. This skill provides comprehensive control over Docker images and OCI-compliant artifacts stored in Azure, from listing repositories and tags to downloading layers and cleaning up old images.
Built on Azure's enterprise container registry platform, this skill handles all aspects of registry management without requiring Docker CLI tools or manual portal interactions. Agents can audit image inventories, implement retention policies, protect production images from deletion, and maintain registry hygiene through automated cleanup workflows.
Whether you're building CI/CD pipelines, implementing security scanning workflows, managing multi-environment deployments, or maintaining registry storage efficiency, this skill provides the programmatic interface to interact with your container artifacts at scale. It supports both synchronous operations for scripting and async patterns for high-throughput automation.
Getting Started
You'll need an Azure Container Registry resource before using this skill. The registry provides a unique endpoint URL that identifies your registry instance. Authentication uses Azure's identity system through DefaultAzureCredential, which automatically discovers credentials from your environment whether running locally, in Azure, or in CI/CD pipelines.
Install the azure-containerregistry package via pip to access the registry client. The client connects to your registry endpoint and authenticates using your chosen credential provider. For development, you might use Azure CLI credentials, while production deployments typically use managed identities.
The skill supports anonymous access for public registries like Microsoft Container Registry, enabling read-only operations without authentication. This works well for discovering publicly available images or integrating with community container repositories.
Environment variables store your registry endpoint, keeping configuration separate from code. This pattern enables the same code to work across development, staging, and production registries by simply changing environment configuration.
Key Features
Repository Management — List all repositories in your registry, retrieve metadata about specific repositories including creation dates and artifact counts, and delete entire repositories when they're no longer needed. Update repository properties to control deletion and write permissions, protecting critical images from accidental modifications.
Tag Operations — Enumerate tags within repositories, optionally ordering by creation or update date to find the newest or oldest versions. Retrieve detailed tag metadata including the manifest digest it points to and timestamps. Delete obsolete tags to clean up old versions while preserving the underlying manifest if other tags reference it.
Manifest Control — List manifests within repositories to see all versions regardless of tags. Retrieve manifest properties including architecture, operating system, size, and associated tags. Delete manifests by digest to remove specific image versions, or update manifest properties to lock production images against deletion.
Artifact Download — Download manifest content directly to inspect image configuration and layer references. Download blob layers to perform offline analysis, security scanning, or custom processing. These operations enable sophisticated workflows beyond simple push-pull cycles.
Retention Automation — Implement automated cleanup policies by filtering manifests based on age, tag presence, or custom criteria. Remove untagged manifests created during build processes, delete images older than your retention window, or archive layers before removal for compliance requirements.
Usage Examples
Listing repositories provides inventory visibility across your entire registry. Iterate through repository names to discover what images exist, potentially filtering or processing based on naming conventions or organizational patterns. This forms the foundation for audit reports and compliance checks.
Retrieving repository properties reveals detailed metadata like manifest counts and update timestamps. Use this information to identify active versus dormant repositories, calculate storage utilization, or trigger notifications when repositories exceed expected artifact counts.
Tag enumeration within repositories shows version history and deployment states. Order tags by last updated date to find the most recent builds, or filter for specific version patterns. Delete old tags as part of retention policies while preserving recent versions.
Manifest operations provide control at the individual image version level. Get manifest properties to inspect architecture compatibility, operating system requirements, and storage size. Lock production manifests to prevent accidental deletion while allowing development manifests to remain mutable.
Cleanup workflows combine listing and deletion operations to maintain registry hygiene. Query manifests created before a cutoff date, filter for those without tags (orphaned during builds), and delete them to reclaim storage. This prevents registries from growing unbounded over time.
Best Practices
Always use Azure Entra ID authentication in production rather than registry admin credentials. Entra ID supports managed identities, role-based access control, and audit logging. Admin credentials provide unrestricted access and create security management challenges at scale.
Delete manifests by digest rather than by tag when implementing cleanup logic. Deleting a tag removes only the name reference while leaving the manifest and layers intact. Deleting the manifest actually removes the artifact, but ensure no other tags reference it first to avoid breaking active deployments.
Lock production images by setting can_delete to False on critical manifests. This prevents accidental deletion of images that power live services. Implement governance policies that require manual unlock procedures before production images can be removed.
Clean up untagged manifests regularly to prevent storage bloat. Container build processes often create intermediate manifests that never receive tags. Query for manifests with empty tag lists and delete those older than your build retention window to reclaim significant storage.
Use the async client for operations processing many repositories or manifests. Async patterns enable concurrent operations that dramatically reduce wall-clock time when working at scale. This matters when implementing registry-wide cleanup or audit workflows.
Order results by last_updated_on when looking for recent changes or old artifacts. Descending order shows newest first, helping identify recent pushes or active repositories. Ascending order reveals the oldest artifacts, enabling age-based retention policies.
Check manifest tag lists before deletion to avoid removing actively referenced images. A manifest with tags likely powers deployments or serves as a promoted version. Only delete manifests with empty tag lists or implement tag cleanup before manifest deletion.
When to Use This Skill
Use this skill when your agent needs to manage container registries programmatically. CI/CD pipelines that push images during builds can use this skill to tag versions, clean up build artifacts, or promote images between environments. Automated processes benefit from programmatic control rather than manual portal interactions.
Security scanning workflows download manifests and layers for analysis, extract vulnerability information, and potentially lock or delete non-compliant images. This skill enables the registry interaction portions of comprehensive security automation.
Multi-environment deployment strategies often require image promotion workflows. Pull images from development registries, retag for production environments, and update image locks to reflect deployment status. These workflows combine downloading, tagging, and property updates.
Storage optimization requires identifying and removing unused images. Generate reports of repository size, implement retention policies that delete old versions, and maintain registries within storage quotas. This skill provides the data access and deletion operations needed.
When NOT to Use This Skill
Avoid this skill for actual container image builds. Use Docker CLI, buildah, or container build services to create images from Dockerfiles. This skill manages existing images in registries but doesn't compile code or create new images from source.
Don't use this skill as your primary image distribution mechanism for deployments. Container orchestrators like Kubernetes and container runtimes pull images directly from registries. This skill manages registry metadata and lifecycle, not runtime image delivery.
Skip this skill for simple tag-based deployments in orchestrators. If your deployment system references images by tag and registries contain those tags, you don't need programmatic registry management. Use this skill when automation needs to understand or modify registry state.
Avoid this skill for registries you don't control. Public third-party registries like Docker Hub require their own APIs and authentication. This skill specifically targets Azure Container Registry, though anonymous mode works with any OCI-compliant registry supporting the Distribution API.
Related Skills
Explore azure-storage-blob-py for managing container layer storage backing Azure Container Registry. Understanding blob storage helps optimize registry storage costs.
Check azure-identity-py for authentication patterns that work with Container Registry, especially managed identities and credential chaining for different deployment environments.
Consider azure-devops-py for integrating registry management into CI/CD workflows, coordinating image builds with registry cleanup and promotion.
Source
Provider: Microsoft
Category: Cloud & Azure
Package: azure-containerregistry
Official Documentation: Azure Container Registry SDK for Python