
Repository access control

Last Updated: May 03, 2018

Overview

Alibaba Cloud’s permission management includes Resource Access Management (RAM) and Security Token Service (STS). By default, the primary account has full operational authority over its own resources. RAM and STS enable users to access image resources using different subaccounts with different permissions and also grant users temporary access authorization. Using RAM and STS can improve management flexibility and security.

For more information about how to configure authorization policies, see RAM documentation.

System configuration policies

AliyunCRFullAccess

Grants a subaccount full access. With this policy the subaccount functions the same as the primary account and can perform any Container Registry operation.

{
  "Statement": [
    {
      "Action": "cr:*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}

AliyunCRReadOnlyAccess

Grants a subaccount read-only access. The subaccount can then perform only read operations, for example viewing the repository list and pulling images.

{
  "Statement": [
    {
      "Action": [
        "cr:Get*",
        "cr:List*",
        "cr:PullRepository"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}

Policy configuration scenarios

Scenario 1

Scenario description: Authorize a subaccount with read-only permission on a namespace (for example, juzhong). The subaccount can view the namespace information and all related information about the image repositories in it. After logging on to the Container Registry, the subaccount can also pull the images.

{
  "Statement": [
    {
      "Action": [
        "cr:Get*",
        "cr:List*",
        "cr:PullRepository"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:cr:*:*:repository/juzhong/*",
        "acs:cr:*:*:repository/juzhong"
      ]
    }
  ],
  "Version": "1"
}

Scenario 2

Scenario description: Authorize a subaccount for a specific image repository (for example, an image repository named nginx that belongs to the namespace juzhong and is located in the China East 1 region).

{
  "Statement": [
    {
      "Action": [
        "cr:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:cr:cn-hangzhou:*:repository/juzhong/nginx"
      ]
    },
    {
      "Action": [
        "cr:Get*",
        "cr:List*"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:cr:*:*:repository/juzhong"
      ]
    }
  ],
  "Version": "1"
}

Note:

When using RAM subaccounts, pay special attention to the following to avoid granting excessive permissions to subaccounts.
If you use RAM to grant a subaccount administrative authority over all Alibaba Cloud resources (that is, AdministratorAccess), the subaccount has full permissions on the Container Registry, regardless of whether you previously granted it Container Registry permissions.
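To make the effect of the policies above concrete, the following added example (written for this page, not Alibaba Cloud's own code or its real RAM evaluation engine) models a simplified RAM policy evaluator and runs the read-only system policy, Scenario 1, Scenario 2 and the note about AdministratorAccess against constructed requests. Assumptions: "*" in Action and Resource patterns matches any run of characters and matching is case-sensitive; Condition elements are ignored; AdministratorAccess is modelled as a single "Action": "*" / "Resource": "*" statement; the account id 123456789012345 is a placeholder; the action names cr:DeleteRepository and cr:GetNamespace are used as illustrative write and read actions and are not taken from this page.

```python
import re

# Placeholder account id for building resource identifiers (constructed, not a real account).
ACCOUNT_ID = "123456789012345"


def repo_arn(region, namespace, repo=None):
    """Build a Container Registry resource identifier in the form the page's policies use:
    acs:cr:<region>:<account-id>:repository/<namespace>[/<repo>]."""
    path = f"repository/{namespace}" + (f"/{repo}" if repo else "")
    return f"acs:cr:{region}:{ACCOUNT_ID}:{path}"


# Policy documents copied from the page.
READ_ONLY = {"Statement": [{"Action": ["cr:Get*", "cr:List*", "cr:PullRepository"],
                            "Effect": "Allow", "Resource": "*"}], "Version": "1"}
SCENARIO_1 = {"Statement": [{"Action": ["cr:Get*", "cr:List*", "cr:PullRepository"],
                             "Effect": "Allow",
                             "Resource": ["acs:cr:*:*:repository/juzhong/*",
                                          "acs:cr:*:*:repository/juzhong"]}], "Version": "1"}
SCENARIO_2 = {"Statement": [{"Action": ["cr:*"], "Effect": "Allow",
                             "Resource": ["acs:cr:cn-hangzhou:*:repository/juzhong/nginx"]},
                            {"Action": ["cr:Get*", "cr:List*"], "Effect": "Allow",
                             "Resource": ["acs:cr:*:*:repository/juzhong"]}], "Version": "1"}
# Assumption: AdministratorAccess modelled as "allow every action on every resource".
ADMINISTRATOR_ACCESS = {"Statement": [{"Action": "*", "Effect": "Allow", "Resource": "*"}],
                        "Version": "1"}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value):
    """Match a policy pattern against a value: '*' matches any run of characters,
    everything else is literal. Simplified, case-sensitive model of RAM matching."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def evaluate(policies, action, resource):
    """Return True if `action` on `resource` is allowed by the union of `policies`.
    Model: implicit deny; a matching Allow grants; a matching Deny always wins."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            action_hit = any(_wildcard_match(p, action) for p in _as_list(stmt["Action"]))
            resource_hit = any(_wildcard_match(p, resource) for p in _as_list(stmt["Resource"]))
            if action_hit and resource_hit:
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


if __name__ == "__main__":
    nginx_hz = repo_arn("cn-hangzhou", "juzhong", "nginx")
    cases = [
        ("AliyunCRReadOnlyAccess", [READ_ONLY], "cr:PullRepository", nginx_hz),
        ("AliyunCRReadOnlyAccess", [READ_ONLY], "cr:DeleteRepository", nginx_hz),
        ("Scenario 1", [SCENARIO_1], "cr:PullRepository", nginx_hz),
        ("Scenario 1", [SCENARIO_1], "cr:PullRepository", repo_arn("cn-hangzhou", "other", "nginx")),
        ("Scenario 2", [SCENARIO_2], "cr:DeleteRepository", nginx_hz),
        ("Scenario 2", [SCENARIO_2], "cr:DeleteRepository", repo_arn("cn-beijing", "juzhong", "nginx")),
        ("Scenario 2", [SCENARIO_2], "cr:PullRepository", repo_arn("cn-hangzhou", "juzhong", "redis")),
        ("ReadOnly + AdministratorAccess", [READ_ONLY, ADMINISTRATOR_ACCESS], "cr:DeleteRepository", nginx_hz),
    ]
    for label, policies, action, resource in cases:
        verdict = "ALLOW" if evaluate(policies, action, resource) else "DENY "
        print(f"{verdict}  {label:32} {action:22} {resource}")
```

The last case is the point of the note: once AdministratorAccess is attached, the earlier read-only grant no longer bounds what the subaccount can do, because RAM unions the Allow statements of every policy attached to it. The Scenario 2 cases also show that the full-access statement is bound to the cn-hangzhou region and the juzhong/nginx repository, while other repositories in the namespace are only readable through the second, namespace-level statement.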
