Alibaba Cloud allows you to use Resource Access Management (RAM) and Security Token Service (STS) to manage access permissions on repositories in a flexible and secure way. This topic describes how to configure access control for repositories in different scenarios.

Background

By default, your Alibaba Cloud account has full operation permissions on all resources under it. With RAM you can grant different RAM users different permissions on image resources, and with STS you can issue temporary credentials that carry a subset of those permissions. Before you configure authorization policies, read the RAM documentation.

System policy configuration

  • AliyunContainerRegistryFullAccess

    This policy grants a RAM user the same permissions on image resources as the Alibaba Cloud account itself: the RAM user can perform any Container Registry operation (cr:*) on any resource. Attach it only to users who administer the registry; for everyone else, use the read-only policy or one of the scoped policies below.

    {
      "Statement": [
        {
          "Action": "cr:*",
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }
  • AliyunContainerRegistryReadOnlyAccess

    This policy grants a RAM user the read-only permission on all image resources. For example, the RAM user can view the repository list and pull images.

    {
      "Statement": [
        {
          "Action": [
            "cr:Get*",
            "cr:List*",
            "cr:PullRepository"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }

Policy configuration for typical scenarios

  • Scenario 1

    Scenario: Grant a RAM user read-only permission on a namespace, such as juzhong. After logging on to Container Registry, the RAM user can pull all images in the namespace juzhong and can use the API to view the repositories in that namespace. Note that the authentication rules below check cr:GetNamespace against the namespace resource acs:cr:$regionid:$accountid:repository/juzhong (without a trailing /*), so if the RAM user must also read the namespace object itself, add that resource to the policy as scenario 2 does.

    {
      "Statement": [
        {
          "Action": [
            "cr:Get*",
            "cr:List*",
            "cr:PullRepository"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:cr:*:*:repository/juzhong/*"
          ]
        }
      ],
      "Version": "1"
    }
    Notice: To let the RAM user see namespaces in the console, use the following configuration instead. The RAM user can then list all namespaces and all repositories, but can still only pull images from repositories in the namespace juzhong. The extra statement is needed because cr:ListNamespace and cr:ListRepository are authenticated against the resource * (see the authentication rules below), so a statement scoped to acs:cr:*:*:repository/juzhong/* never matches them.
    {
      "Statement": [
        {
          "Action": [
            "cr:Get*",
            "cr:List*",
            "cr:PullRepository"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:cr:*:*:repository/juzhong/*"
          ]
        },
        {
          "Action": [
            "cr:ListNamespace",
            "cr:ListRepository"
          ],
          "Effect": "Allow",
          "Resource": [
            "*"
          ]
        }
      ],
      "Version": "1"
    }
  • Scenario 2

    Scenario: Grant a RAM user all permissions on a single repository, such as the repository nginx in the namespace juzhong in the China (Hangzhou) region (region ID cn-hangzhou).

    Notice: To let the RAM user manage the repository in the console, also add the cr:ListNamespace and cr:ListRepository statement on the resource * from scenario 1. In the policy below, the first statement grants every cr action on exactly one repository in one region, so it does not extend to other regions or to other repositories in juzhong; the second statement grants read access to the namespace object acs:cr:*:*:repository/juzhong so that the RAM user can view the namespace that contains the repository.
    {
      "Statement": [
        {
          "Action": [
            "cr:*"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:cr:cn-hangzhou:*:repository/juzhong/nginx"
          ]
        },
        {
          "Action": [
            "cr:Get*",
            "cr:List*"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:cr:*:*:repository/juzhong"
          ]
        }
      ],
      "Version": "1"
    }

Notes on RAM authorization

When you authorize a RAM user, keep the following in mind to avoid granting more permissions than intended.

If you grant a RAM user the AdministratorAccess policy, that is, management permissions on all Alibaba Cloud resources, the RAM user has all permissions on Container Registry as well, regardless of which Container Registry policies were attached before or after. Allow statements are additive: a narrow cr policy does not restrict a user who also holds AdministratorAccess or AliyunContainerRegistryFullAccess.

Authentication rules for Container Registry

  • Resource description

    The following table lists the resource descriptions that can appear in an authorization policy when you use RAM to authorize access to Container Registry resources.

    Resource      Resource description in an authorization policy
    Repository    acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname   (one repository)
                  acs:cr:$regionid:$accountid:repository/$namespacename/*                 (all repositories in a namespace)
                  acs:cr:$regionid:$accountid:repository/$namespacename                   (the namespace itself)

    The following table describes the parameters in the resource description.

    Parameter         Description
    $regionid         The ID of the region, such as cn-hangzhou. Can be replaced by an asterisk (*) to match all regions.
    $accountid        The ID of the Alibaba Cloud account. Can be replaced by an asterisk (*).
    $namespacename    The name of the namespace.
    $repositoryname   The name of the repository.
  • Authentication rules

    When a RAM user or an STS credential calls the Container Registry API, Container Registry asks RAM to check that the caller holds the required permission. The action and resource that RAM checks are determined by the API operation and the resource it operates on, as listed in the following table. An operation whose authenticated resource is * (for example cr:ListNamespace or cr:GetAuthorizationToken) can only be granted by a statement whose Resource includes *; a statement scoped to a namespace or repository never matches it.

    API operation                                          Authenticated action        Authenticated resource
    Create a namespace                                     cr:CreateNamespace          *
    Delete a namespace                                     cr:DeleteNamespace          acs:cr:$regionid:$accountid:repository/$namespacename
    Update a namespace                                     cr:UpdateNamespace          acs:cr:$regionid:$accountid:repository/$namespacename
    Obtain the information about a specified namespace     cr:GetNamespace             acs:cr:$regionid:$accountid:repository/$namespacename
    Obtain namespaces                                      cr:ListNamespace            *
    Create a repository                                    cr:CreateRepository         acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
    Delete a repository                                    cr:DeleteRepository         acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
    Update repository information                          cr:UpdateRepository         acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
    View information of a repository                       cr:GetRepository            acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
    View information of repositories                       cr:ListRepository           *
    View information of repositories based on the namespace cr:ListRepository          *
    View the tag information of a repository               cr:ListRepositoryTag        acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
    Delete an image tag                                    cr:DeleteRepositoryTag      acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
    View the Manifest information of an image              cr:GetRepositoryManifest    acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
    View image layer information                           cr:GetRepositoryLayers      acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
    Obtain a temporary authorization token                 cr:GetAuthorizationToken    *
    Pull images                                            cr:PullRepository           acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
    Push images                                            cr:PushRepository           acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
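The following script is an added example, not Alibaba Cloud's RAM engine or any code from this page. It encodes the authentication rules table above and evaluates the scenario policies against it offline, so you can see which API operations a policy really grants before attaching it to a RAM user. The evaluation model is an assumption stated in the code: an asterisk in an Action or Resource string matches any run of characters, a statement applies when both its Action and Resource match, an explicit Deny overrides any Allow, and anything no statement allows is denied. The account ID 1234567890 and the NO_PROD_PUSH policy are placeholders constructed for the example.

```python
"""Offline checker for Container Registry RAM policies.

Added example, not Alibaba Cloud's RAM engine.  Assumed evaluation model:
'*' in an Action or Resource string is a glob wildcard, a statement applies
when both its Action and Resource match the checked call, an explicit Deny
wins over any Allow, and anything no statement allows is denied.
"""
import re

# (authenticated action, authenticated resource template) per API operation,
# transcribed from the "Authentication rules" table above.
_NS = "acs:cr:{region}:{account}:repository/{ns}"
_REPO = _NS + "/{repo}"
AUTH_RULES = {
    "CreateNamespace": ("cr:CreateNamespace", "*"),
    "DeleteNamespace": ("cr:DeleteNamespace", _NS),
    "UpdateNamespace": ("cr:UpdateNamespace", _NS),
    "GetNamespace": ("cr:GetNamespace", _NS),
    "ListNamespace": ("cr:ListNamespace", "*"),
    "CreateRepository": ("cr:CreateRepository", _REPO),
    "DeleteRepository": ("cr:DeleteRepository", _REPO),
    "UpdateRepository": ("cr:UpdateRepository", _REPO),
    "GetRepository": ("cr:GetRepository", _REPO),
    "ListRepository": ("cr:ListRepository", "*"),
    "ListRepositoryTag": ("cr:ListRepositoryTag", _REPO),
    "DeleteRepositoryTag": ("cr:DeleteRepositoryTag", _REPO),
    "GetRepositoryManifest": ("cr:GetRepositoryManifest", _REPO),
    "GetRepositoryLayers": ("cr:GetRepositoryLayers", _REPO),
    "GetAuthorizationToken": ("cr:GetAuthorizationToken", "*"),
    "PullRepository": ("cr:PullRepository", _REPO),
    "PushRepository": ("cr:PushRepository", _REPO),
}


def _glob(pattern):
    """Compile a RAM-style pattern in which '*' matches any run of characters."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def _matches(patterns, value):
    """Action/Resource may be a single string or a list of strings."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(_glob(p).match(value) for p in patterns)


def is_allowed(policy, action, resource):
    """Evaluate one (action, resource) pair against a policy document."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False  # explicit Deny overrides any Allow (assumed)
            allowed = True
    return allowed


def check_call(policy, operation, region="cn-hangzhou", account="1234567890", ns="", repo=""):
    """Would this policy let the caller perform `operation` on the given resource?"""
    action, template = AUTH_RULES[operation]
    resource = template.format(region=region, account=account, ns=ns, repo=repo)
    return is_allowed(policy, action, resource)


def granted_operations(policy, ns, repo, region="cn-hangzhou", account="1234567890"):
    """Every API operation the policy permits on one repository (audit view)."""
    return sorted(op for op in AUTH_RULES if check_call(policy, op, region, account, ns, repo))


def _stmt(actions, resources, effect="Allow"):
    return {"Action": actions, "Effect": effect, "Resource": resources}


READ = ["cr:Get*", "cr:List*", "cr:PullRepository"]
# Policies copied from scenario 1, the scenario 1 notice, and scenario 2 above.
SCENARIO1 = {"Version": "1", "Statement": [_stmt(READ, ["acs:cr:*:*:repository/juzhong/*"])]}
SCENARIO1_CONSOLE = {"Version": "1", "Statement": SCENARIO1["Statement"] + [
    _stmt(["cr:ListNamespace", "cr:ListRepository"], ["*"])]}
SCENARIO2 = {"Version": "1", "Statement": [
    _stmt(["cr:*"], ["acs:cr:cn-hangzhou:*:repository/juzhong/nginx"]),
    _stmt(["cr:Get*", "cr:List*"], ["acs:cr:*:*:repository/juzhong"])]}
# Constructed for this example: full access minus pushes into a "prod" namespace.
NO_PROD_PUSH = {"Version": "1", "Statement": [
    _stmt("cr:*", "*"),
    _stmt("cr:PushRepository", "acs:cr:*:*:repository/prod/*", effect="Deny")]}

if __name__ == "__main__":
    for name, policy in [("scenario1", SCENARIO1), ("scenario2", SCENARIO2), ("no-prod-push", NO_PROD_PUSH)]:
        print(name, "on juzhong/nginx:", granted_operations(policy, "juzhong", "nginx"))
    print("scenario1 ListNamespace:", check_call(SCENARIO1, "ListNamespace"))
    print("scenario1+console ListNamespace:", check_call(SCENARIO1_CONSOLE, "ListNamespace"))
    print("no-prod-push PushRepository prod/api:", check_call(NO_PROD_PUSH, "PushRepository", ns="prod", repo="api"))
```

Running it shows the two points the scenarios hinge on: the scenario 1 policy alone does not grant cr:ListNamespace because that action is checked against the resource *, and the scenario 2 policy grants pushes to juzhong/nginx only with the cn-hangzhou region ID, so the same call against another region is denied. Run granted_operations on any policy you are about to attach to confirm it lists nothing beyond what the RAM user needs.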