Container Registry:Repository access control

Last Updated:Aug 04, 2023

Alibaba Cloud allows you to use Resource Access Management (RAM) and Security Token Service (STS) to control access to image repositories in a flexible and secure way. This topic describes how to configure access control for repositories in different scenarios.

Prerequisites

A RAM user is created by using your Alibaba Cloud account. For more information, see Create a RAM user.

Background information

By default, an Alibaba Cloud account has full access permissions on all resources that belong to the account. You can use RAM to grant different permissions on image resources to different RAM users, and STS to issue temporary credentials with a limited scope. Before you configure authorization policies, read the RAM documentation.

Important

After you configure authorization policies for a RAM user, you must use the RAM user to log on to the Container Registry console, create a Personal Edition instance, and set a password for the registry before you can view the images on which the RAM user has permissions.

Grant permissions to a RAM user

Before you grant permissions to a RAM user, follow the principle of least privilege: grant only the actions, regions, and namespaces that the RAM user actually needs, and nothing more.

Important

If a RAM user is attached the AdministratorAccess policy, which contains management permissions on all Alibaba Cloud resources, the RAM user has all permissions on Container Registry regardless of any Container Registry policies that were attached to it before. Check for this policy first when you audit what a RAM user can do.

Attach system policies to a RAM user

Container Registry provides two system policies, AliyunContainerRegistryFullAccess and AliyunContainerRegistryReadOnlyAccess, which you can attach directly to a RAM user. The two system policies are as follows:

  • AliyunContainerRegistryFullAccess

    This policy grants a RAM user the same permissions on image resources as those of an Alibaba Cloud account: the action cr:* on the resource *, so the RAM user can perform all operations on all image resources in all regions and namespaces of the account.

    {
      "Statement": [
        {
          "Action": "cr:*",
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }
                        
  • AliyunContainerRegistryReadOnlyAccess

    This policy grants a RAM user read-only permissions on all image resources in the account. For example, the RAM user can view the repository list and pull images from any namespace, but cannot push to, create, or delete repositories.

    {
      "Statement": [
        {
          "Action": [
            "cr:Get*",
            "cr:List*",
            "cr:PullRepository"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }
                        

The following example shows how to attach the AliyunContainerRegistryReadOnlyAccess policy to a RAM user:

  1. Log on to the RAM console with an Alibaba Cloud account.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user, and click Add Permissions in the Actions column.

  4. In the Add Permissions panel, grant permissions to the RAM user.

    1. Select the authorization scope.

      • Alibaba Cloud Account: The permissions take effect on the current Alibaba Cloud account.

      • Specific Resource Group: The permissions take effect in a specific resource group.

        Note

        If you select Specific Resource Group for Authorized Scope, make sure that the cloud service supports resource groups. For more information, see Services that work with Resource Group.

    2. Specify a principal.

      The principal is the RAM user to which you want to grant permissions. By default, the current RAM user is specified. You can also specify another RAM user.

    3. In the Select Policy section, click System Policy, enter AliyunContainerRegistryReadOnlyAccess in the field, and then click AliyunContainerRegistryReadOnlyAccess.

    4. Click OK.

  5. Click Complete.

Attach custom policies to a RAM user

If you want to enforce fine-grained control on permissions, you can create custom policies and attach the custom policies to RAM users.

Policy configurations in typical scenarios

The following part describes how to configure custom policies in typical scenarios:

  • Scenario 1: Grant a RAM user the read permission on a namespace. In this example, the namespace is named juzhong.

    After the RAM user logs on to the Container Registry instance, the RAM user can pull all images in the namespace juzhong. The RAM user can view information about the namespace and all repositories in the namespace by calling API operations.

    {
      "Statement": [
        {
          "Action": [
            "cr:Get*",
            "cr:List*",
            "cr:PullRepository"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:cr:*:*:repository/juzhong/*"
          ]
        }
      ],
      "Version": "1"
    }
                        
    Important

    If you want to allow the RAM user to view all namespaces in the Container Registry console, add the following authorization configurations. Then, the RAM user can view all namespaces and repositories. However, the RAM user can only pull images from repositories in the namespace juzhong.

    {
      "Statement": [
        {
          "Action": [
            "cr:Get*",
            "cr:List*",
            "cr:PullRepository"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:cr:*:*:repository/juzhong/*"
          ]
        },
        {
          "Action": [
            "cr:ListNamespace",
            "cr:ListRepository"
          ],
          "Effect": "Allow",
          "Resource": [
            "*"
          ]
        }
      ],
      "Version": "1"
    }
                        
  • Scenario 2: Grant all permissions on a repository to a RAM user. In this example, the repository is named nginx and is located in the namespace juzhong in the China (Hangzhou) region.

    Important

    If you want to allow the RAM user to manage the repository in the Container Registry console, also add a statement that allows cr:ListNamespace and cr:ListRepository on all resources, as shown in scenario 1. Without it, the repository is usable by calling API operations but is not visible in the console.

    {
      "Statement": [
        {
          "Action": [
            "cr:*"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:cr:cn-hangzhou:*:repository/juzhong/nginx"
          ]
        },
        {
          "Action": [
            "cr:Get*",
            "cr:List*"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:cr:*:*:repository/juzhong"
          ]
        }
      ],
      "Version": "1"
    }
                        
  • Scenario 3: Grant all permissions on a namespace to a RAM user.

    Important

    With the following policy alone, the RAM user can use the namespace only by calling API operations. If you want to allow the user to view all repositories in the Container Registry console, also add a statement that allows cr:ListNamespace and cr:ListRepository on all resources, as shown in scenario 1.

    {
      "Statement": [
        {
          "Action": [
            "cr:*"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:cr:cn-hangzhou:*:repository/juzhong",
            "acs:cr:cn-hangzhou:*:repository/juzhong/*"
          ]
        }
      ],
      "Version": "1"
    }
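
The scenario policies above are easiest to reason about by evaluating them. The following Python block is an added example, not code from Alibaba Cloud or from this page: it models RAM's wildcard matching of the Action and Resource elements and the Allow, explicit Deny, and implicit deny outcomes against the three scenario policies and the AliyunContainerRegistryFullAccess system policy, and it audits each policy document for write-capable grants that are not pinned to a single namespace, which is the least-privilege check from the section on granting permissions to a RAM user. The account ID, the DENY_DELETE guardrail policy, the resource ARN used for the listing request, and action names such as cr:DeleteRepository and cr:CreateRepository are assumptions for illustration; Condition blocks, RAM group policies, and STS session policies are not modelled.

```python
"""Offline model of how RAM evaluates a policy document for Container Registry.

Added example, not Alibaba Cloud code. It models only what this page documents:
Action and Resource patterns with '*' (any run) and '?' (one character) wildcards,
Effect Allow/Deny with an explicit deny winning, and the ARN layout
acs:cr:$regionid:$accountid:repository/$namespacename[/$repositoryname].
"""
import re

# Policy documents copied from the scenarios on this page.
SCENARIO_1 = {"Version": "1", "Statement": [        # read juzhong, list everything
    {"Effect": "Allow", "Action": ["cr:Get*", "cr:List*", "cr:PullRepository"],
     "Resource": ["acs:cr:*:*:repository/juzhong/*"]},
    {"Effect": "Allow", "Action": ["cr:ListNamespace", "cr:ListRepository"],
     "Resource": ["*"]}]}
SCENARIO_2 = {"Version": "1", "Statement": [        # full control of one repository
    {"Effect": "Allow", "Action": ["cr:*"],
     "Resource": ["acs:cr:cn-hangzhou:*:repository/juzhong/nginx"]},
    {"Effect": "Allow", "Action": ["cr:Get*", "cr:List*"],
     "Resource": ["acs:cr:*:*:repository/juzhong"]}]}
SCENARIO_3 = {"Version": "1", "Statement": [        # full control of one namespace
    {"Effect": "Allow", "Action": ["cr:*"],
     "Resource": ["acs:cr:cn-hangzhou:*:repository/juzhong",
                  "acs:cr:cn-hangzhou:*:repository/juzhong/*"]}]}
FULL_ACCESS = {"Version": "1", "Statement": [       # AliyunContainerRegistryFullAccess
    {"Effect": "Allow", "Action": "cr:*", "Resource": "*"}]}
# Constructed guardrail, not from the page: an explicit deny survives any Allow.
DENY_DELETE = {"Version": "1", "Statement": [
    {"Effect": "Deny", "Action": "cr:DeleteRepository", "Resource": "*"}]}

ACCOUNT = "1234567890123456"   # constructed account ID for the sample ARNs


def arn(region, namespace, repository=""):
    """Build a Container Registry ARN in the format documented on this page."""
    path = "repository/" + namespace + ("/" + repository if repository else "")
    return "acs:cr:%s:%s:%s" % (region, ACCOUNT, path)


def glob_match(pattern, value):
    """'*' matches any run of characters, '?' exactly one; all else is literal."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def evaluate(policies, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' (nothing matched)."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(glob_match(p, action) for p in _as_list(stmt["Action"])):
                continue
            if not any(glob_match(p, resource) for p in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"            # an explicit deny overrides every Allow
            decision = "Allow"
    return decision


def _is_read_only(action_pattern):
    # The action set of AliyunContainerRegistryReadOnlyAccess defines "read-only".
    return (action_pattern.startswith(("cr:Get", "cr:List"))
            or action_pattern == "cr:PullRepository")


def _is_account_wide(resource_pattern):
    """True unless the pattern pins a single, literal namespace."""
    parts = resource_pattern.split(":", 4)
    if len(parts) < 5:
        return True                      # bare '*' or an unstructured pattern
    segments = parts[4].split("/")       # repository/<namespace>[/<repository>]
    return len(segments) < 2 or "*" in segments[1] or "?" in segments[1]


def broad_grants(policy):
    """Allow statements that hand out write-capable actions beyond one namespace."""
    found = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        for a in _as_list(stmt["Action"]):
            for r in _as_list(stmt["Resource"]):
                if not _is_read_only(a) and _is_account_wide(r):
                    found.append((a, r))
    return found


if __name__ == "__main__":
    checks = [
        ([SCENARIO_1], "cr:PullRepository", arn("cn-hangzhou", "juzhong", "nginx")),
        ([SCENARIO_1], "cr:PullRepository", arn("cn-hangzhou", "other", "nginx")),
        ([SCENARIO_2], "cr:DeleteRepository", arn("cn-hangzhou", "juzhong", "nginx")),
        ([SCENARIO_2], "cr:DeleteRepository", arn("cn-beijing", "juzhong", "nginx")),
        ([SCENARIO_3, DENY_DELETE], "cr:DeleteRepository", arn("cn-hangzhou", "juzhong", "nginx")),
    ]
    for policies, action, resource in checks:
        print("%-22s %-62s %s" % (action, resource, evaluate(policies, action, resource)))
    print("broad grants in FullAccess:", broad_grants(FULL_ACCESS))
    print("broad grants in scenario 3:", broad_grants(SCENARIO_3))
```

Run it with python3. The ImplicitDeny results are the interesting ones: a pull from a namespace other than juzhong, a delete in a region other than cn-hangzhou, and, when only the first statement of scenario 1 is attached, a cr:ListNamespace request that matches no statement, which is exactly the case in which the console shows the RAM user nothing. broad_grants flags the cr:* on * of FullAccess but passes scenario 3, whose cr:* is limited to the juzhong namespace in one region.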

You can create a custom policy from one of the policy documents shown in the preceding scenarios and attach the custom policy to the RAM user. To do this, perform the following operations:

  1. Create a custom policy.

    1. Log on to the RAM console with an Alibaba Cloud account.

    2. In the left-side navigation pane, choose Permissions > Policies.

    3. On the Policies page, click Create Policy.

    4. On the Create Policy page, click the JSON tab and edit the policy document in the code editor. For more information about the policy syntax, see Policy structure and syntax.

      Note

      For more information about how to set the Action and Resource parameters when you edit the policy document, see Authentication rules for Container Registry.

    5. Click Next to edit policy information. In the dialog box that appears, set Name and Note.

    6. Click OK.

  2. Attach the custom policy to a RAM user.

    1. Log on to the RAM console by using your Alibaba Cloud account.

    2. In the left-side navigation pane, choose Identities > Users.

    3. On the Users page, find the RAM user to which you want to attach the custom policy, and click Add Permissions in the Actions column.

    4. In the Add Permissions panel, grant permissions to the RAM user.

      1. Select the authorization scope.

        • Alibaba Cloud Account: The permissions take effect on the current Alibaba Cloud account.

        • Specific Resource Group: The permissions take effect in a specific resource group.

          Note

          If you select Specific Resource Group for Authorized Scope, make sure that the cloud service supports resource groups. For more information, see Services that work with Resource Group.

      2. Specify a principal.

        The principal is the RAM user to which you want to grant permissions. By default, the current RAM user is specified. You can also specify another RAM user.

      3. In the Select Policy section, click Custom Policy, enter the name of the custom policy in the field, and then click the custom policy.

      4. Click OK.

    5. Click Complete.

Authentication rules for Container Registry

ARN format

The following table describes the Alibaba Cloud Resource Name (ARN) format used in the Resource element of an authorization policy when you use RAM to grant permissions to users.

  Resource      ARN format
  repository    acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname

The scenarios above also use the namespace-level form acs:cr:$regionid:$accountid:repository/$namespacename to grant permissions on the namespace itself.

The following table describes the parameters in the ARN format.

  Parameter        Description
  regionid         The ID of the region, for example cn-hangzhou. You can replace the region ID with an asterisk (*) to match all regions.
  accountid        The ID of the Alibaba Cloud account. You can replace the account ID with an asterisk (*).
  namespacename    The name of the namespace.
  repositoryname   The name of the image repository.

Each asterisk widens the grant. Pin the region ID and the namespace name whenever the RAM user does not need cross-region access, as scenarios 2 and 3 do.