Alibaba Cloud allows you to use Resource Access Management (RAM) and Security Token Service (STS) to manage access permissions on repositories in a flexible and secure way. This topic describes how to configure access control for repositories in different scenarios.

Background information

By default, an Alibaba Cloud account has full permissions on all resources that belong to it. You can use RAM to grant different RAM users only the permissions on image resources that they need, and use STS to issue temporary credentials (for example, to a build job) instead of handing out the account's long-term AccessKey pair. Before you configure authorization policies, read the RAM documentation.

System policy configuration

  • AliyunContainerRegistryFullAccess

    This policy grants a RAM user the same permissions on image resources as the Alibaba Cloud account itself: every Container Registry action (cr:*) on every resource, including pushing images and deleting repositories and namespaces. Attach it only to administrators; for build pipelines and service accounts, use the read-only policy or one of the scoped policies in the next section.

    {
      "Statement": [
        {
          "Action": "cr:*",
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }
                        
  • AliyunContainerRegistryReadOnlyAccess

    This policy grants a RAM user read-only permissions on all image resources. For example, the RAM user can list namespaces and repositories, view tags and manifests, and pull images, but cannot push or delete. Note that cr:Get* and cr:List* are wildcards: they match every current and future action whose name starts with Get or List (such as cr:GetAuthorizationToken and cr:ListRepositoryTag).

    {
      "Statement": [
        {
          "Action": [
            "cr:Get*",
            "cr:List*",
            "cr:PullRepository"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }
                        

Policy configuration for typical scenarios

  • Scenario 1

    Scenario: Grant a RAM user read-only permissions on a namespace, such as juzhong. After logging on to Container Registry, the RAM user can pull all images in the namespace juzhong and can query information about the namespace and all repositories in it by calling API operations. The resource ARN uses asterisks for the region and account IDs, so the grant applies to the namespace juzhong in every region of this account.

    {
      "Statement": [
        {
          "Action": [
            "cr:Get*",
            "cr:List*",
            "cr:PullRepository"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:cr:*:*:repository/juzhong/*"
          ]
        }
      ],
      "Version": "1"
    }
                        
    Notice: The policy above alone does not let the RAM user see anything in the console. The console lists namespaces and repositories by calling cr:ListNamespace and cr:ListRepository, and those operations are checked against the resource * (see the authentication rules below), which a statement scoped to acs:cr:*:*:repository/juzhong/* does not match. If you want the RAM user to view namespaces in the console, add the second statement in the following policy. The RAM user can then see all namespaces and the repository list, but can still only pull images from repositories in the namespace juzhong.
    {
      "Statement": [
        {
          "Action": [
            "cr:Get*",
            "cr:List*",
            "cr:PullRepository"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:cr:*:*:repository/juzhong/*"
          ]
        },
        {
          "Action": [
            "cr:ListNamespace",
            "cr:ListRepository"
          ],
          "Effect": "Allow",
          "Resource": [
            "*"
          ]
        }
      ],
      "Version": "1"
    }
                        
  • Scenario 2

    Scenario: Grant a RAM user all permissions on a single repository, such as the repository nginx in the namespace juzhong in the China (Hangzhou) region. The first statement grants cr:* on that one repository ARN only; because the region is spelled out as cn-hangzhou, the same repository name in another region is not covered. The second statement grants read-only access to the namespace ARN itself (acs:cr:*:*:repository/juzhong), which is what cr:GetNamespace is checked against, so the user can query the namespace that contains the repository without gaining rights on its other repositories.

    Notice: If you want the RAM user to manage the repository in the console, add the cr:ListNamespace and cr:ListRepository statement on the resource * by referring to scenario 1.
    {
      "Statement": [
        {
          "Action": [
            "cr:*"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:cr:cn-hangzhou:*:repository/juzhong/nginx"
          ]
        },
        {
          "Action": [
            "cr:Get*",
            "cr:List*"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:cr:*:*:repository/juzhong"
          ]
        }
      ],
      "Version": "1"
    }
                        
  • Scenario 3

    Scenario: Grant a RAM user all permissions on a namespace, such as the namespace juzhong in the China (Hangzhou) region. Both the namespace ARN (for operations such as cr:UpdateNamespace and cr:CreateRepository) and the repository wildcard under it (for operations such as cr:PushRepository and cr:DeleteRepository) must be listed.

    Notice: With this policy alone, the RAM user can manage the namespace only by calling API operations or by pushing and pulling images. The console lists namespaces and repositories through cr:ListNamespace and cr:ListRepository, which are checked against the resource *; if you want the RAM user to view all repositories in the console, add the relevant statement by referring to scenario 1. Likewise, cr:CreateNamespace is checked against *, so this policy does not allow the user to create new namespaces.
    {
        "Statement": [
            {
                "Action": [
                    "cr:*"
                ],
                "Effect": "Allow",
                "Resource": [
                    "acs:cr:cn-hangzhou:*:repository/juzhong",
                    "acs:cr:cn-hangzhou:*:repository/juzhong/*"
                ]
            }
        ],
        "Version": "1"
    }

Instructions on RAM authorization

When you authorize a RAM user, keep the following in mind to avoid granting more permissions than you intend.

RAM evaluates the union of all policies attached to a RAM user, so a narrowly scoped Container Registry policy does not limit what a broader policy grants. For example, if you attach the AdministratorAccess policy, which grants management permissions on all Alibaba Cloud resources, the RAM user has all permissions on Container Registry regardless of whether a more restrictive cr policy was attached before. To take a permission away from a user who already holds it through another policy, remove that policy or add a statement with "Effect": "Deny", which takes precedence over any Allow.

Authentication rules for Container Registry

  • ARN format

    The following table describes the Alibaba Cloud Resource Name (ARN) formats used in an authorization policy when you use RAM to authorize access to Container Registry resources. Namespace-level operations are checked against the namespace ARN, repository-level operations against the repository ARN.

    Resource     ARN format in an authorization policy
    namespace    acs:cr:$regionid:$accountid:repository/$namespacename
    repository   acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname

    The following table describes the parameters in the ARN format.

    Parameter        Description
    $regionid        The ID of the region, such as cn-hangzhou. Can be replaced by an asterisk (*) to match all regions.
    $accountid       The ID of the Alibaba Cloud account. Can be replaced by an asterisk (*).
    $namespacename   The name of the namespace.
    $repositoryname  The name of the repository. Use an asterisk (*) to match all repositories in the namespace.
  • Authentication rules

    When you access the Container Registry API as a RAM user or with STS credentials, Container Registry asks RAM to check that the caller has the required permission. Which action and which resource are checked depends on the API operation being called, as described in the following table. A statement grants an operation only if its Action matches the authenticated action and its Resource matches the authenticated resource.

    API operation                                        Authenticated action       Authenticated resource
    Create a namespace                                   cr:CreateNamespace         *
    Delete a namespace                                   cr:DeleteNamespace         acs:cr:$regionid:$accountid:repository/$namespacename
    Update a namespace                                   cr:UpdateNamespace         acs:cr:$regionid:$accountid:repository/$namespacename
    Query the information about a specified namespace   cr:GetNamespace            acs:cr:$regionid:$accountid:repository/$namespacename
    Query namespaces                                     cr:ListNamespace           *
    Create a repository                                  cr:CreateRepository        acs:cr:$regionid:$accountid:repository/$namespacename
    Delete a repository                                  cr:DeleteRepository        acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
    Update repository information                        cr:UpdateRepository        acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
    Query the information of a repository                cr:GetRepository           acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
    Query the information of repositories                cr:ListRepository          *
    Query the repositories in a namespace                cr:ListRepository          *
    Query the tag information of a repository            cr:ListRepositoryTag       acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
    Delete an image tag                                  cr:DeleteRepositoryTag     acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
    Query the manifest of an image                       cr:GetRepositoryManifest   acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
    Query the image layer information                    cr:GetRepositoryLayers     acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
    Query a temporary authorization token                cr:GetAuthorizationToken   *
    Pull images                                          cr:PullRepository          acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
    Push images                                          cr:PushRepository          acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname

    Operations whose authenticated resource is * (cr:CreateNamespace, cr:ListNamespace, cr:ListRepository, cr:GetAuthorizationToken) cannot be restricted to a namespace or repository: a statement allows them only if its Resource includes *. This is why the scoped policies in the scenarios above need an extra statement before the console, which relies on the List operations, shows anything.
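    The following Python model is an added example, not Alibaba Cloud code. It encodes the authentication-rules table above and the policies from scenarios 1 and 2 so that you can check, offline, what a given set of attached policies allows: why scenario 1 on its own cannot list namespaces, why a policy pinned to cn-hangzhou denies the same repository in another region, and why a scoped policy plus AdministratorAccess is full access. Assumptions: an asterisk in Action or Resource matches any run of characters; the policies attached to a user are evaluated as a union with an explicit Deny overriding every Allow; the account ID 123456789012 and the DENY_PUSH policy are placeholders that illustrate a Deny statement.

```python
import fnmatch

# Authentication rules from the table above: API operation -> (authenticated
# action, authenticated resource template). Operations checked against "*"
# can only be allowed by a statement whose Resource itself contains "*".
NS_ARN = "acs:cr:{region}:{account}:repository/{namespace}"
REPO_ARN = NS_ARN + "/{repo}"
AUTH_RULES = {
    "CreateNamespace":       ("cr:CreateNamespace", "*"),
    "ListNamespace":         ("cr:ListNamespace", "*"),
    "GetNamespace":          ("cr:GetNamespace", NS_ARN),
    "DeleteNamespace":       ("cr:DeleteNamespace", NS_ARN),
    "CreateRepository":      ("cr:CreateRepository", NS_ARN),
    "ListRepository":        ("cr:ListRepository", "*"),
    "GetRepository":         ("cr:GetRepository", REPO_ARN),
    "DeleteRepository":      ("cr:DeleteRepository", REPO_ARN),
    "GetAuthorizationToken": ("cr:GetAuthorizationToken", "*"),
    "PullRepository":        ("cr:PullRepository", REPO_ARN),
    "PushRepository":        ("cr:PushRepository", REPO_ARN),
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # Assumption: "*" in an Action or Resource matches any run of characters.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policies, action, resource):
    """Evaluate the union of attached policies: default deny, any matching
    Allow grants, and an explicit matching Deny overrides every Allow."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def authorize(policies, operation, region="cn-hangzhou", namespace="",
              repo="", account="123456789012"):  # placeholder account ID
    """Resolve an API operation to (action, resource) and check it."""
    action, template = AUTH_RULES[operation]
    resource = template.format(region=region, account=account,
                               namespace=namespace, repo=repo)
    return is_allowed(policies, action, resource)


# Policies from this page (scenario 1 with and without console listing,
# scenario 2), the system AdministratorAccess policy, and a placeholder Deny.
READ_JUZHONG = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["cr:Get*", "cr:List*", "cr:PullRepository"],
     "Resource": ["acs:cr:*:*:repository/juzhong/*"]}]}
CONSOLE_LISTING = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["cr:ListNamespace", "cr:ListRepository"],
     "Resource": ["*"]}]}
NGINX_ADMIN = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["cr:*"],
     "Resource": ["acs:cr:cn-hangzhou:*:repository/juzhong/nginx"]},
    {"Effect": "Allow", "Action": ["cr:Get*", "cr:List*"],
     "Resource": ["acs:cr:*:*:repository/juzhong"]}]}
ADMINISTRATOR_ACCESS = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_PUSH = {"Version": "1", "Statement": [  # hypothetical guard rail
    {"Effect": "Deny", "Action": "cr:PushRepository", "Resource": "*"}]}

if __name__ == "__main__":
    nginx = dict(namespace="juzhong", repo="nginx")
    checks = [
        ("scenario 1: pull juzhong/nginx", [READ_JUZHONG], "PullRepository", nginx),
        ("scenario 1: pull other/nginx", [READ_JUZHONG], "PullRepository",
         dict(namespace="other", repo="nginx")),
        ("scenario 1: list namespaces", [READ_JUZHONG], "ListNamespace", {}),
        ("scenario 1 + listing: list namespaces",
         [READ_JUZHONG, CONSOLE_LISTING], "ListNamespace", {}),
        ("scenario 2: push nginx in cn-hangzhou", [NGINX_ADMIN], "PushRepository", nginx),
        ("scenario 2: push nginx in cn-beijing", [NGINX_ADMIN], "PushRepository",
         dict(region="cn-beijing", **nginx)),
        ("scoped + AdministratorAccess: delete other/x",
         [READ_JUZHONG, ADMINISTRATOR_ACCESS], "DeleteRepository",
         dict(namespace="other", repo="x")),
        ("AdministratorAccess + Deny: push", [ADMINISTRATOR_ACCESS, DENY_PUSH],
         "PushRepository", nginx),
    ]
    for label, policies, op, kw in checks:
        print(f"{label}: {'allowed' if authorize(policies, op, **kw) else 'denied'}")
```

    Use it as a pre-flight check when you write a new policy: encode the policy as a dict, list the operations the RAM user must and must not be able to perform, and run them through authorize before attaching the policy. The model reproduces the points made in the scenarios but is not a substitute for testing with the real RAM user, since the real service may add actions or change how a console page is authorized.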