Alibaba Cloud allows you to use Resource Access Management (RAM) and Security Token Service (STS) to manage access permissions on repositories in a flexible and secure way. This topic describes how to configure access control for repositories in different scenarios.

Background information

By default, an Alibaba Cloud account has full access permissions on the resources that belong to the account. You can use RAM and STS to grant different permissions on image resources to different RAM users and provide users with temporary access permissions. Before you configure authorization policies, read the RAM documentation.

System policy configuration

  • AliyunContainerRegistryFullAccess

    This policy grants a RAM user the same permissions on image resources as those of an Alibaba Cloud account. The RAM user can perform all operations.

    {
      "Statement": [
        {
          "Action": "cr:*",
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }
                        
  • AliyunContainerRegistryReadOnlyAccess

    This policy grants a RAM user the read-only permissions on all image resources. For example, the RAM user can view the repository list and pull images.

    {
      "Statement": [
        {
          "Action": [
            "cr:Get*",
            "cr:List*",
            "cr:Pull*"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }               

Policy configuration for typical scenarios

  • If the RAM user needs to call operations of the Container Registry API, you need to grant the RAM user the required permissions. For more information, see Authentication rules for Container Registry.
  • If the RAM user needs to use the Container Registry console, we recommend that you attach additional permission policies to the RAM user.
    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "cr:ListInstance*",
                    "cr:GetInstance*"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "cr:GetInstance*",
                    "cr:ListInstance*"
                ],
                "Resource": "acs:cr:$regionid:$accountid:instance/$instanceid"
            }
        ],
        "Version": "1"
    }
  • Assume that the RAM user needs to use the Container Registry console to manage a namespace of a Container Registry Enterprise Edition instance. We recommend that you attach additional permission policies to the RAM user.
    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "cr:ListInstance*",
                    "cr:GetInstance*"
                ],
                "Resource": "*"
            },
            {
                "Action": [
                    "cr:*"
                ],
                "Effect": "Allow",
                "Resource": [
                    "acs:cr:*:*:repository/$instanceid/$namespace/*",
                    "acs:cr:*:*:repository/$instanceid/$namespace"
                ]
            },
            {
                "Action": [
                    "cr:List*"
                ],
                "Effect": "Allow",
                "Resource": [
                    "acs:cr:*:*:repository/$instanceid/*",
                    "acs:cr:*:*:repository/$instanceid/*/*"
                ] 
            }
        ],
        "Version": "1"
    }

Instructions on RAM authorization

When you authorize a RAM user, pay attention to the following instructions to avoid granting excessive permissions to the RAM user.

If you grant a RAM user the AdministratorAccess policy, which contains management permissions on all Alibaba Cloud resources, the RAM user has all permissions on Container Registry, regardless of which Container Registry permissions were granted to the RAM user before.

Authentication rules for Container Registry

  • ARN format

    The following table describes the Alibaba Cloud Resource Name (ARN) format in an authorization policy when you use RAM to authorize access to resources.

    Resource     ARN format in an authorization policy
    -----------  --------------------------------------------------------------------------------
    *            acs:cr:$regionid:$accountid:*
    instance     acs:cr:$regionid:$accountid:instance/$instanceid
    repository   acs:cr:$regionid:$accountid:repository/$instanceid/*
                 acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/*
                 acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
                 acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename
    chart        acs:cr:$regionid:$accountid:chart/$instanceid/*
                 acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/*
                 acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename
                 acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname

    The following table describes the parameters in the ARN format.

    Parameter             Description
    --------------------  -------------------------------------------------------------------
    $regionid             The ID of the region, which can be replaced by an asterisk (*).
    $accountid            The ID of the Alibaba Cloud account, which can be replaced by an asterisk (*).
    $instanceid           The ID of the Container Registry Enterprise Edition instance.
    $namespacename        The name of the namespace.
    $repositoryname       The name of the image repository.
    $chartnamespacename   The name of the chart namespace.
    $chartrepositoryname  The name of the chart repository.
  • Authorization rules

    When you access the Container Registry API as a RAM user or by using STS, Container Registry asks RAM to perform a permission check to make sure that the caller has the required permissions. The action and resource that are checked are determined by the resources that an API operation uses and by the syntax of the API operation. The following table describes the authentication rules of API operations.

    API operation | Authenticated action | Authenticated resource
    ------------- | -------------------- | ----------------------
    GetAuthorizationToken | cr:GetAuthorizationToken | *
    GetChartNamespace | cr:GetNamespace | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename
    GetChartRepository | cr:GetRepository | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
    GetInstance | cr:GetInstance | acs:cr:$regionid:$accountid:instance/$instanceid
    GetInstanceCount | cr:ListInstance | *
    GetInstanceEndpoint | cr:GetInstanceEndpoint | acs:cr:$regionid:$accountid:instance/$instanceid
    GetInstanceUsage | cr:GetInstanceUsage | acs:cr:$regionid:$accountid:instance/$instanceid
    GetInstanceVpcEndpoint | cr:GetInstanceVpcEndpoint | acs:cr:$regionid:$accountid:instance/$instanceid
    GetNamespace | cr:GetNamespace | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename
    GetRepoBuildRecord | cr:GetRepositoryBuildRecord | acs:cr:$regionid:$accountid:repository/$instanceid
    GetRepoBuildRecordStatus | cr:GetBuildRepositoryStatus | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    GetRepoSyncTask | cr:GetRepositorySync | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    GetRepoTagLayers | cr:GetRepositoryLayers | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    GetRepoTagManifest | cr:GetRepositoryManifest | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    GetRepoTagScanTask | cr:GetScan | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    GetRepository | cr:GetRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListChartNamespace | cr:ListNamespace | acs:cr:$regionid:$accountid:chart/$instanceid/*
    ListChartRelease | cr:ListChartRelease | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
    ListChartRepository | cr:ListRepository | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/*
    ListInstance | cr:ListInstance | *
    ListInstanceEndpoint | cr:ListInstanceEndpoint | acs:cr:$regionid:$accountid:repository/$instanceid
    ListNamespace | cr:ListNamespace | acs:cr:$regionid:$accountid:repository/$instanceid/*
    ListRepoBuildRecord | cr:ListRepositoryBuild | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoBuildRecordLog | cr:GetRepositoryBuildLog | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoBuildRule | cr:ListRepositoryBuildRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoSyncRule | cr:ListSyncRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoSyncTask | cr:GetRepositorySync | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoTag | cr:ListRepositoryTag | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoTrigger | cr:ListWebHook | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoTriggerLog | cr:GetWebHookLog | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoTriggerRecord | cr:GetWebHookLog | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepository | cr:ListRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/*
    CancelRepoBuildRecord | cr:CancelBuildRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    CreateBuildRecordByRule | cr:BuildRepositoryByRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    CreateChartNamespace | cr:CreateNamespace | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename
    CreateInstanceEndpointAclPolicy | cr:CreateInstanceEndpointAclPolicy | acs:cr:$regionid:$accountid:instance/$instanceid
    CreateInstanceVpcEndpointLinkedVpc | cr:CreateInstanceVpcEndpointLinkedVpc | acs:cr:$regionid:$accountid:instance/$instanceid
    CreateNamespace | cr:CreateNamespace | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename
    CreateRepoBuildRule | cr:CreateRepositoryBuildRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    CreateRepoSyncRule | cr:CreateSyncRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    CreateRepoSyncTaskByRule | cr:CreateRepositorySync | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    CreateRepoTrigger | cr:CreateWebHook | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    CreateRepository | cr:CreateRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename
    DeleteChartNamespace | cr:DeleteNamespace | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename
    DeleteChartRelease | cr:DeleteChartRelease | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
    DeleteChartRepository | cr:DeleteRepository | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
    DeleteInstanceEndpointAclPolicy | cr:DeleteInstanceEndpointAclPolicy | acs:cr:$regionid:$accountid:instance/$instanceid
    DeleteInstanceVpcEndpointLinkedVpc | cr:DeleteInstanceVpcEndpointLinkedVpc | acs:cr:$regionid:$accountid:instance/$instanceid
    DeleteNamespace | cr:DeleteNamespace | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename
    DeleteRepoBuildRule | cr:DeleteRepositoryBuildRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    DeleteRepoSyncRule | cr:DeleteSyncRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    DeleteRepoTag | cr:DeleteRepositoryTag | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    DeleteRepoTrigger | cr:DeleteWebHook | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    DeleteRepository | cr:DeleteRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    UpdateChartNamespace | cr:UpdateNamespace | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename
    UpdateChartRepository | cr:UpdateRepository | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
    UpdateInstanceEndpointStatus | cr:UpdateInstanceEndpointStatus | acs:cr:$regionid:$accountid:instance/$instanceid
    UpdateNamespace | cr:UpdateNamespace | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename
    UpdateRepoBuildRule | cr:UpdateRepositoryBuildRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    UpdateRepoTrigger | cr:UpdateWebHook | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    UpdateRepository | cr:UpdateRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    PullRepository | cr:PullRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
     | cr:PushRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
     | cr:PullChart | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
     | cr:PushChart | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
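The scenario policies above and the authentication table together define what a RAM user can actually do: Container Registry maps each request to an authenticated action and an ARN, and RAM matches that pair against the policy's wildcard patterns. The following added example is not Alibaba Cloud's code; it is a small offline policy evaluator that takes the namespace-scoped policy from "Policy configuration for typical scenarios" and checks it against action/ARN pairs taken from the table, so you can see which requests the policy admits before attaching it. It assumes RAM-style matching semantics (explicit Deny overrides Allow, no match is an implicit Deny, `*` in a pattern matches any run of characters including `:` and `/`, and matching is case-insensitive); the region, account ID, instance ID and namespace names are constructed placeholders, and `broad_statements` is a helper written here to flag statements that grant `cr:*` on `Resource "*"`, the pattern the "Instructions on RAM authorization" section warns about.

```python
import json
import re

# Constructed sample identifiers that stand in for the page's $regionid, $accountid,
# $instanceid and $namespace placeholders. They are not real Alibaba Cloud resources.
REGION = "cn-hangzhou"
ACCOUNT = "1234567890123456"
INSTANCE = "cri-EXAMPLE0000000000"
NAMESPACE = "team-a"


def _fill(policy_json: str) -> dict:
    """Substitute the page's placeholders with the sample values above and parse the JSON."""
    filled = policy_json.replace("$instanceid", INSTANCE).replace("$namespace", NAMESPACE)
    return json.loads(filled)


# AliyunContainerRegistryFullAccess, as shown on the page.
FULL_ACCESS = _fill('{"Statement": [{"Action": "cr:*", "Effect": "Allow", "Resource": "*"}],'
                    ' "Version": "1"}')

# The namespace-scoped policy from "Policy configuration for typical scenarios".
NAMESPACE_ADMIN = _fill('''{
  "Statement": [
    {"Effect": "Allow", "Action": ["cr:ListInstance*", "cr:GetInstance*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["cr:*"],
     "Resource": ["acs:cr:*:*:repository/$instanceid/$namespace/*",
                  "acs:cr:*:*:repository/$instanceid/$namespace"]},
    {"Effect": "Allow", "Action": ["cr:List*"],
     "Resource": ["acs:cr:*:*:repository/$instanceid/*",
                  "acs:cr:*:*:repository/$instanceid/*/*"]}
  ],
  "Version": "1"}''')


def repo_arn(namespace: str, repository: str = "", instance: str = INSTANCE) -> str:
    """Build a repository-type ARN in the format given in the page's ARN table."""
    arn = f"acs:cr:{REGION}:{ACCOUNT}:repository/{instance}/{namespace}"
    return f"{arn}/{repository}" if repository else arn


def instance_arn(instance: str = INSTANCE) -> str:
    """Build an instance-type ARN in the format given in the page's ARN table."""
    return f"acs:cr:{REGION}:{ACCOUNT}:instance/{instance}"


def _as_list(value):
    # "Action" and "Resource" may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def matches(pattern: str, value: str) -> bool:
    """Wildcard match (assumed semantics): '*' matches any run of characters, '?' one
    character, everything else is literal; comparison is case-insensitive."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(escaped, value, re.IGNORECASE) is not None


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'Allow' or 'Deny' for one action/resource pair.
    An explicit Deny statement wins over any Allow; no matching statement is a Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        action_hit = any(matches(p, action) for p in _as_list(stmt["Action"]))
        resource_hit = any(matches(p, resource) for p in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def broad_statements(policy: dict) -> list:
    """Return Allow statements that grant every cr: action on every resource."""
    found = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        all_actions = any(a in ("*", "cr:*") for a in _as_list(stmt["Action"]))
        all_resources = "*" in _as_list(stmt["Resource"])
        if all_actions and all_resources:
            found.append(stmt)
    return found


if __name__ == "__main__":
    # Action/ARN pairs taken from the authentication table, filled with the sample values.
    checks = [
        ("cr:PullRepository", repo_arn("team-a", "app")),      # own namespace: Allow
        ("cr:DeleteRepository", repo_arn("team-b", "app")),    # other namespace: Deny
        ("cr:ListRepository", repo_arn("team-b", "*")),        # listing is instance-wide: Allow
        ("cr:CreateNamespace", repo_arn("team-b")),            # cannot create other namespaces
        ("cr:GetInstance", instance_arn()),                    # instance metadata: Allow
    ]
    for action, resource in checks:
        print(f"{action:20} {resource:72} {evaluate(NAMESPACE_ADMIN, action, resource)}")
    print("over-broad statements in FullAccess:", len(broad_statements(FULL_ACCESS)))
    print("over-broad statements in namespace policy:", len(broad_statements(NAMESPACE_ADMIN)))
```

Run it as-is and compare the decisions with what you intended to grant; the Deny results for `team-b` are the least-privilege boundary the third statement deliberately leaves in place (it allows `cr:List*` across the instance but nothing else outside `team-a`). The same `evaluate` call can be pointed at the other policies on this page by filling their placeholders the same way.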