Skip to main content
Back to the Azure Footguns Database
SecurityMediumOccasionalAZF-0068

Anonymous pull enabled: anyone on the internet can download your container images

With anonymous pull enabled, unauthenticated clients can download images from the registry. Images carry baked-in config, internal hostnames, and more often than anyone admits, credentials.

Footgun ID
AZF-0068 (Azure Footgun No. 68)
Azure service
Azure Container Registry
Resource type
Microsoft.ContainerRegistry/registries
Updated
July 9, 2026

What it is

An Azure Container Registry with anonymousPullEnabled set to true, which lets clients pull images with no authentication at all. It exists for a legitimate use case: distributing public images without forcing consumers to log in. The footgun is that the setting is registry-wide. The moment an internal image lands in a registry that also serves public ones, it is downloadable by anyone who can name its repository.

Impact (security)
Images downloadable by unauthenticated clients, including baked-in config, internal hostnames, and the occasional secret
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

Anonymous pull is never on by accident at creation time: it's off by default and takes an explicit az acr update --anonymous-pull-enabled on a Standard or Premium registry. It gets switched on for sensible-sounding reasons, such as serving OSS artifacts to external users, unblocking a demo, or making cluster pulls "just work" without wiring up pull secrets.

The trap is what happens next. The flag doesn't distinguish public repositories from private ones, registries accumulate images from every team that finds them convenient, and the setting is invisible in daily use because authenticated pushes and pulls behave identically. Nobody re-decides the question when the tenth internal service starts pushing to a registry that was made anonymous for one public artifact a year ago.

It also can't be fenced in by network hardening alone: anonymous pull is a data-plane authorization setting, so wherever the endpoint is reachable from, that entire audience can pull without credentials.

What it costs / blast radius

The blast radius is everything your images contain, available to anyone who can reach the endpoint and name a repository. And repository names leak constantly: through CI logs, Kubernetes manifests, Helm charts, compose files, and plain guessable conventions like corpregistry.azurecr.io/api. An image is not just your compiled code. Layers routinely carry appsettings and .env files, internal hostnames and service topology, private package feeds referenced in build steps, and the occasional connection string someone baked in "temporarily." Anyone who pulls the image can un-layer it offline with standard tooling and read all of it. There's no per-pull identity, so you also lose any record of who took what. (Assessment of Azure behavior, not a measured incident statistic.)

See it

Footgun: registry-wide unauthenticated pull
resource acr 'Microsoft.ContainerRegistry/registries@2023-07-01' = {
  name: 'corpregistry'
  location: location
  sku: { name: 'Standard' }        // anonymous pull exists on Standard/Premium
  properties: {
    anonymousPullEnabled: true     // no credentials needed to pull any repository
  }
}
Fix: require authentication for every pull; separate any truly public artifacts
resource acr 'Microsoft.ContainerRegistry/registries@2023-07-01' = {
  name: 'corpregistry'
  location: location
  sku: { name: 'Standard' }
  properties: {
    anonymousPullEnabled: false    // pulls require an authenticated principal
  }
}
// Consumers authenticate with the AcrPull role via managed identity or a
// scoped token. If you genuinely distribute public images, put them in a
// dedicated registry so the anonymous flag never covers internal ones.

How StratoLens helps

StratoLens flags every registry that allows anonymous pull, across all your subscriptions, continuously and inside your own tenant. The registry someone opened up for a demo two teams ago stops being tribal knowledge and becomes a finding you can close before your internal images become public downloads.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Not ready to install anything? Browse the Azure Footguns Database: 55+ documented ways Azure quietly costs money or creates risk.

Request a demo

StratoLens catches the cost waste, access risk, and config drift across your whole Azure estate, from inside your own tenant, so your data never leaves it.