
Repository access control

Last Updated: Sep 12, 2018

Overview

Alibaba Cloud’s permission management consists of Resource Access Management (RAM) and Security Token Service (STS). By default, the primary account has full operational authority over its own resources. RAM and STS let you access image resources through different subaccounts with different permissions, and also let you grant users temporary access authorization. Using RAM and STS improves both management flexibility and security.

For more information about how to configure authorization policies, see RAM documentation.

System configuration policies

AliyunContainerRegistryFullAccess

Grants a subaccount full access permissions. The subaccount then functions the same as the primary account and can perform any operation on Container Registry.

    {
      "Statement": [
        {
          "Action": "cr:*",
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }

AliyunContainerRegistryReadOnlyAccess

Grants a subaccount read-only permission. The subaccount can then perform only read operations, such as viewing the repository list and pulling images.

    {
      "Statement": [
        {
          "Action": [
            "cr:Get*",
            "cr:List*",
            "cr:PullRepository"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }

Policy configuration scenarios

Scenario 1

Scenario description: Authorize a subaccount with read-only permission on a namespace (for example, juzhong). The subaccount can view the namespace information and all information about the image repositories in that namespace. After logging on to Container Registry, the subaccount can also pull the images.

    {
      "Statement": [
        {
          "Action": [
            "cr:Get*",
            "cr:List*",
            "cr:PullRepository"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:cr:*:*:repository/juzhong/*",
            "acs:cr:*:*:repository/juzhong"
          ]
        }
      ],
      "Version": "1"
    }

Scenario 2

Scenario description: Authorize a subaccount for a specific image repository (for example, the image repository named nginx, which belongs to the namespace juzhong in the China East 1 region, region ID cn-hangzhou).

    {
      "Statement": [
        {
          "Action": [
            "cr:*"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:cr:cn-hangzhou:*:repository/juzhong/nginx"
          ]
        },
        {
          "Action": [
            "cr:Get*",
            "cr:List*"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:cr:*:*:repository/juzhong"
          ]
        }
      ],
      "Version": "1"
    }

Note:

When using RAM subaccounts, pay special attention to the following to avoid granting excessive permissions to subaccounts.
If you grant a subaccount administrative authority over all Alibaba Cloud resources (that is, AdministratorAccess) through RAM, the subaccount has full permissions on Container Registry, regardless of which Container Registry permissions you granted it before.

Registry authentication rules

Resource description

When you grant a subaccount authority through RAM, the resource is described as follows:

Resource type | Resource description in authorization policies
repository | acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
repository | acs:cr:$regionid:$accountid:repository/$namespacename/*
repository | acs:cr:$regionid:$accountid:repository/$namespacename

Parameter description:

Name | Description
$regionid | The region ID. Can be replaced with an asterisk (*).
$accountid | The cloud account ID. Can be replaced with an asterisk (*).
$namespacename | The name of the namespace.
$repositoryname | The name of the repository.

Authentication rules

When you access Container Registry APIs through a subaccount or STS, Container Registry checks the caller’s permissions in RAM to make sure that the caller is authorized. Each API determines which resources to check according to the resources it operates on and its semantics. The following table lists the authentication rules for each API:

API | Authentication action | Authentication resource
Create a namespace | No authentication required | No authentication required
Delete a namespace | cr:DeleteNamespace | acs:cr:$regionid:$accountid:repository/$namespacename
Update the namespace information | cr:UpdateNamespace | acs:cr:$regionid:$accountid:repository/$namespacename
Get the specified namespace information | cr:GetNamespace | acs:cr:$regionid:$accountid:repository/$namespacename
Get a namespace list | cr:ListNamespace | *
Create a repository | cr:CreateRepository | acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
Delete a repository | cr:DeleteRepository | acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
Update the repository information | cr:UpdateRepository | acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
Get the repository information | cr:GetRepository | acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
Get a repository list | cr:ListRepository | *
Get a repository list by namespace | cr:ListRepository | *
Get the repository tags information | cr:ListRepositoryTag | acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
Delete an image version | cr:DeleteRepositoryTag | acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
Get the image manifest information | cr:GetRepositoryManifest | acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
Get the image layer information | cr:GetRepositoryLayers | acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
Get a temporary token | cr:GetAuthorizationToken | *
Pull image | cr:PullRepository | acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
Push image | cr:PushRepository | acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
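As an added example (not Alibaba Cloud's own code or policy evaluator), the following Python applies the Scenario 1 policy from this page to individual API calls, using the resource format and the authentication rules from the two tables above, so you can check before deploying a policy that it grants exactly the operations intended. The region ID and account ID used in the checks are constructed values, and the matching semantics noted in the docstring (how `*` matches, case sensitivity, Deny precedence) are assumptions not spelled out on the page.

```python
import fnmatch
import json

# The page's Scenario 1 policy: read-only access scoped to the "juzhong" namespace.
SCENARIO_1_POLICY = json.loads("""{
  "Statement": [{
    "Action": ["cr:Get*", "cr:List*", "cr:PullRepository"],
    "Effect": "Allow",
    "Resource": ["acs:cr:*:*:repository/juzhong/*", "acs:cr:*:*:repository/juzhong"]
  }],
  "Version": "1"
}""")

# Authentication rules from the page's table for the APIs exercised below:
# API -> (action, what the resource is: a repository, a namespace, or the literal "*").
API_RULES = {
    "PullRepository": ("cr:PullRepository", "repository"),
    "PushRepository": ("cr:PushRepository", "repository"),
    "GetNamespace": ("cr:GetNamespace", "namespace"),
    "DeleteNamespace": ("cr:DeleteNamespace", "namespace"),
    "ListRepository": ("cr:ListRepository", "*"),
}

def repository_resource(region_id, account_id, namespace, repository=None):
    """Build a resource string as in the page's 'Resource description' table."""
    base = f"acs:cr:{region_id}:{account_id}:repository/{namespace}"
    return base if repository is None else f"{base}/{repository}"

def is_allowed(policy, action, resource):
    """True if an Allow statement matches both action and resource. Assumed RAM
    semantics (not spelled out on the page): '*' matches any run of characters,
    matching is case-sensitive, and a matching Deny overrides any Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        # The page writes single values as bare strings and several as lists.
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        hit = (any(fnmatch.fnmatchcase(action, a) for a in actions)
               and any(fnmatch.fnmatchcase(resource, r) for r in resources))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed

def api_allowed(policy, api, region_id, account_id, namespace, repository=None):
    """Check one API call against a policy using the page's authentication rules."""
    action, kind = API_RULES[api]
    resource = "*" if kind == "*" else repository_resource(
        region_id, account_id, namespace, repository if kind == "repository" else None)
    return is_allowed(policy, action, resource)
```

Under the table's rules the list APIs authenticate against the resource `*`, so a policy scoped to a namespace, like Scenario 1, does not cover them even though `cr:List*` matches the action; that is what the evaluator reports for ListRepository.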