Alibaba Cloud’s permission management includes Resource Access Management (RAM) and Security Token Service (STS). Using RAM and STS can improve management flexibility and security.
Background informaiton
By default, the primary account has full operational authority over its own resources. RAM and STS enable users to access image resources using different subaccounts with different permissions and also grant users temporary access authorization. For more information about how to configure authorization policies, see RAM documentation.
System configuration policies
- AliyunContainerRegistryFullAccess
Grant subaccount full access permissions. The subaccount then functions the same as the primary account and can perform any operations.
{ "Statement": [ { "Action": "cr:*", "Effect": "Allow", "Resource": "*" } ], "Version": "1" } - AliyunContainerRegistryReadOnlyAccess
Grant a subaccount the read-only permission. The subaccount then is allowed to perform read-only operations. For example, view repository list, pull images, and so on.
{ "Statement": [ { "Action": [ "cr:Get*", "cr:List*", "cr:PullRepository" ], "Effect": "Allow", "Resource": "*" } ], "Version": "1" }
Typical scenario of policy configuration
If a RAM user needs to call API operations of Container Registry, grant relevant permissions to the RAM user according to Authentication rules of Container Registry. If the RAM user also needs to use the Container Registry console, we recommend that you configure the following extra permissions for the RAM user:
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"cr:ListInstance*",
"cr:GetInstance*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cr:GetInstance*",
"cr:ListInstance*"
],
"Resource": "acs:cr:$regionid:$accountid:instance/$instanceid"
}
],
"Version": "1"
}Notes on RAM authorization
When you authorize a RAM user, pay attention to the following instructions to avoid granting excessive permissions to the RAM user.
If you grant a RAM user the AdministratorAccess permission, that is, management permissions on all Alibaba Cloud resources, the RAM user possesses all permissions on Container Registry, regardless of whether the RAM user is granted the permissions before.
Authentication rules of Container Registry
- Resource description
The following table lists the descriptions of resources when you use RAM to authorize access to these resources.
Resource Resource description in authorization policies * acs:cr:$regionid:$accountid:* instance acs:cr:$regionid:$accountid:instance/$instanceid repository acs:cr:$regionid:$accountid:repository/$instanceid/*
acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/*
acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename
chart acs:cr:$regionid:$accountid:chart/$instanceid/*
acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/*
acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename
acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/<br>$chartrepositoryname
The following table describes the parameters in resource descriptions.
Parameter Description $regionid The ID of the region, which can be replaced by an asterisk (*). $accountid The ID of the Alibaba Cloud account, which can be replaced by an asterisk (*). $instanceid The ID of the Container Registry Enterprise Edition instance. $namespacename The name of the namespace. $repositoryname The name of the repository. $chartnamespacename The name of the chart namespace. $chartrepositoryname The name of the chart repository. - Authentication rules
When you access the Container Registry API as a RAM user or using STS, Container Registry informs RAM to perform a permission check to make sure that the caller has the required permissions. The permissions to be checked are determined by the resources used by an API operation and the API syntax. The following table describes the API authentication rules.
API operation Authenticated action Authenticated resource GetAuthorizationToken cr:GetAuthorizationToken * GetChartNamespace cr:GetNamespace acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename GetChartRepository cr:GetRepository acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname GetInstance cr:GetInstance acs:cr:$regionid:$accountid:instance/$instanceid GetInstanceCount cr:ListInstance * GetInstanceEndpoint cr:GetInstanceEndpoint acs:cr:$regionid:$accountid:instance/$instanceid GetInstanceUsage cr:GetInstanceUsage acs:cr:$regionid:$accountid:instance/$instanceid GetInstanceVpcEndpoint cr:GetInstanceVpcEndpoint acs:cr:$regionid:$accountid:instance/$instanceid GetNamespace cr:GetNamespace acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename GetRepoBuildRecord cr:GetRepositoryBuildRecord acs:cr:$regionid:$accountid:repository/$instanceid GetRepoBuildRecordStatus cr:GetBuildRepositoryStatus acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname GetRepoSyncTask cr:GetRepositorySync acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname GetRepoTagLayers cr:GetRepositoryLayers acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname GetRepoTagManifest cr:GetRepositoryManifest acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname GetRepoTagScanTask cr:GetScan acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname GetRepository cr:GetRepository acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname ListChartNamespace cr:ListNamespace acs:cr:$regionid:$accountid:chart/$instanceid/* ListChartRelease cr:ListChartRelease acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname ListChartRepository cr:ListRepository acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/* ListInstance cr:ListInstance * ListInstanceEndpoint cr:ListInstanceEndpoint acs:cr:$regionid:$accountid:repository/$instanceid ListNamespace cr:ListNamespace acs:cr:$regionid:$accountid:repository/$instanceid/* ListRepoBuildRecord cr:ListRepositoryBuild acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname ListRepoBuildRecordLog cr:GetRepositoryBuildLog acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname ListRepoBuildRule cr:ListRepositoryBuildRule acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname ListRepoSyncRule cr:ListSyncRule acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname ListRepoSyncTask cr:GetRepositorySync acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname ListRepoTag cr:ListRepositoryTag acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname ListRepoTrigger cr:ListWebHook acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname ListRepoTriggerLog cr:GetWebHookLog acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname ListRepoTriggerRecord cr:GetWebHookLog acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname ListRepository cr:ListRepository acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/* CancelRepoBuildRecord cr:CancelBuildRepository acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname CreateBuildRecordByRule cr:BuildRepositoryByRule acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname CreateChartNamespace cr:CreateNamespace acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename CreateInstanceEndpointAclPolicy cr:CreateInstanceEndpointAclPolicy acs:cr:$regionid:$accountid:instance/$instanceid CreateInstanceVpcEndpointLinkedVpc cr:CreateInstanceVpcEndpointLinkedVpc acs:cr:$regionid:$accountid:instance/$instanceid CreateNamespace cr:CreateNamespace acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename CreateRepoBuildRule cr:CreateRepositoryBuildRule acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname CreateRepoSyncRule cr:CreateSyncRule acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname CreateRepoSyncTaskByRule cr:CreateRepositorySync acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname CreateRepoTrigger cr:CreateWebHook acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname CreateRepository cr:CreateRepository acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname DeleteChartNamespace cr:DeleteNamespace acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename DeleteChartRelease cr:DeleteChartRelease acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname DeleteChartRepository cr:DeleteRepository acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname DeleteInstanceEndpointAclPolicy cr:DeleteInstanceEndpointAclPolicy acs:cr:$regionid:$accountid:instance/$instanceid DeleteInstanceVpcEndpointLinkedVpc cr:DeleteInstanceVpcEndpointLinkedVpc acs:cr:$regionid:$accountid:instance/$instanceid DeleteNamespace cr:DeleteNamespace acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename DeleteRepoBuildRule cr:DeleteRepositoryBuildRule acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname DeleteRepoSyncRule cr:DeleteSyncRule acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname DeleteRepoTag cr:DeleteRepositoryTag acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname DeleteRepoTrigger cr:DeleteWebHook acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname DeleteRepository cr:DeleteRepository acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname UpdateChartNamespace cr:UpdateNamespace acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename UpdateChartRepository cr:UpdateRepository acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname UpdateInstanceEndpointStatus cr:UpdateInstanceEndpointStatus acs:cr:$regionid:$accountid:instance/$instanceid UpdateNamespace cr:UpdateNamespace acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename UpdateRepoBuildRule cr:UpdateRepositoryBuildRule acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname UpdateRepoTrigger cr:UpdateWebHook acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname UpdateRepository cr:UpdateRepository acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname