Store sensitive configuration data in an Azure Key Vault
Most of the time, Azure Container Registries are configured with IAM, and you can access the registries using Service Principals, which allows granular control with RBAC.
Services that connect to ACR tend to store the credentials in plain text, or in other non-protected resources such as application configuration (app.config, project.json, ...) or simply in environment variables (Configuration on an Azure App Service / Function App, etc.).
Perform the following steps to migrate to Azure Key Vault:
- Use Managed Identity to access the Key Vault
- Read the Service Principal credentials from the Secrets in the vault
- Use these credentials to access the ACR
By putting the sensitive data inside your Azure Key Vault, you protect the credentials if the configuration goes into a configuration repository that isn't inherently secured for sensitive data.
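The three migration steps above, sketched in Python as an added example (not code from the original page). The vault URL, registry name and secret names are assumed placeholders, and the service is assumed to run on a host with a managed identity and the `azure-identity` and `azure-keyvault-secrets` packages installed.

```python
import subprocess

# Assumed placeholders: replace with your own vault, registry and secret names.
VAULT_URL = "https://example-vault.vault.azure.net"
REGISTRY = "exampleregistry.azurecr.io"
ID_SECRET = "acr-sp-client-id"
PASSWORD_SECRET = "acr-sp-client-secret"


def vault_client(vault_url=VAULT_URL):
    """Step 1: Key Vault client authenticated by the host's managed identity."""
    # Imported lazily so the helpers below can be exercised without the Azure SDK.
    from azure.identity import ManagedIdentityCredential
    from azure.keyvault.secrets import SecretClient
    return SecretClient(vault_url=vault_url, credential=ManagedIdentityCredential())


def read_sp_credentials(client, id_name=ID_SECRET, password_name=PASSWORD_SECRET):
    """Step 2: read the Service Principal id and password from vault secrets."""
    sp_id = client.get_secret(id_name).value
    sp_password = client.get_secret(password_name).value
    if not sp_id or not sp_password:
        # Fail closed instead of attempting a login with blank credentials.
        raise ValueError("service principal secret is empty in the vault")
    return sp_id, sp_password


def docker_login(registry, sp_id, sp_password, run=subprocess.run):
    """Step 3: log in to ACR with the Service Principal credentials."""
    # The password is piped through stdin so it never appears in the process
    # arguments, shell history or an environment variable.
    cmd = ["docker", "login", registry, "--username", sp_id, "--password-stdin"]
    result = run(cmd, input=sp_password.encode(), capture_output=True, check=False)
    if result.returncode != 0:
        # Report only the exit code; captured output is not echoed into logs.
        raise RuntimeError("docker login failed with exit code %d" % result.returncode)
    return cmd


if __name__ == "__main__":
    sp_id, sp_password = read_sp_credentials(vault_client())
    docker_login(REGISTRY, sp_id, sp_password)
    print("logged in to", REGISTRY)
```

With this in place, the only values left in application configuration are the vault URL and secret names, none of which grant access on their own.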