Alibaba Cloud allows you to use Resource Access Management (RAM) and Security Token Service (STS) to manage access to repositories in a flexible and secure way. This topic describes how to configure access control for repositories in different scenarios.

Prerequisites

A RAM user is created by using your Alibaba Cloud account. For more information, see Create a RAM user.

Background information

By default, an Alibaba Cloud account has full access permissions on the resources that belong to the account. You can use RAM and STS to grant different permissions on image resources to different RAM users and provide temporary access permissions. Before you configure authorization policies, read RAM documentation.

RAM authorization

When you authorize a RAM user, pay attention to the following instructions to make sure that you do not grant excessive permissions to the RAM user.

If you attach the AdministratorAccess policy to a RAM user, the RAM user obtains management permissions on all Alibaba Cloud resources, including all permissions on Container Registry, regardless of which Container Registry policies were attached to the RAM user before.

Attach system policies to a RAM user

By default, the AliyunContainerRegistryFullAccess and AliyunContainerRegistryReadOnlyAccess policies are created for Container Registry. You can directly attach the policies to a RAM user. The following part describes the two system policies:
  • AliyunContainerRegistryFullAccess

    This policy grants a RAM user the same permissions on image resources as those of an Alibaba Cloud account. The RAM user can perform all operations on image resources.

    {
      "Statement": [
        {
          "Action": "cr:*",
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }
                        
  • AliyunContainerRegistryReadOnlyAccess

    This policy grants a RAM user read-only permissions on all image resources. For example, the RAM user can view the repository list and pull images.

    {
      "Statement": [
        {
          "Action": [
            "cr:Get*",
            "cr:List*",
            "cr:PullRepository"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }
                        

The following example shows how to attach the AliyunContainerRegistryReadOnlyAccess policy to a RAM user:

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, grant permissions to the RAM user.
    1. Select the authorization scope.
      • Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
      • Specific Resource Group: The authorization takes effect on a specific resource group.
        Note If you select Specific Resource Group as the authorization scope, you must make sure that the cloud service supports resource groups. For more information, see Alibaba Cloud services that support resource groups.
    2. Specify the principal.
      The principal is the RAM user to which you want to grant permissions. By default, the current RAM user is specified. You can also specify another RAM user.
    3. In the Select Policy section, click System Policy, enter AliyunContainerRegistryReadOnlyAccess in the field, and then click AliyunContainerRegistryReadOnlyAccess.
    4. Click OK.
  5. Click Complete.

Attach custom policies to a RAM user

If you want to enforce fine-grained control on permissions, you can create custom policies and attach custom policies to RAM users.

Policy configurations in typical scenarios

The following section describes how to configure custom policies in typical scenarios:

  • Scenario 1: Grant a RAM user the read permission on a namespace. In this example, the namespace is juzhong.

    After the RAM user logs on to the Container Registry instance, the RAM user can pull all images in the namespace juzhong. The RAM user can view information about the namespace and all repositories in the namespace by calling API operations.

    {
      "Statement": [
        {
          "Action": [
            "cr:Get*",
            "cr:List*",
            "cr:PullRepository"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:cr:*:*:repository/juzhong/*"
          ]
        }
      ],
      "Version": "1"
    }
                        
    Notice If you want to allow the RAM user to view all the namespaces in the console, add the following authorization configuration. Then, the RAM user can view all the namespaces and repositories. However, the RAM user can only pull images from the repositories in the namespace juzhong.
    {
      "Statement": [
        {
          "Action": [
            "cr:Get*",
            "cr:List*",
            "cr:PullRepository"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:cr:*:*:repository/juzhong/*"
          ]
        },
        {
          "Action": [
            "cr:ListNamespace",
            "cr:ListRepository"
          ],
          "Effect": "Allow",
          "Resource": [
            "*"
          ]
        }
      ],
      "Version": "1"
    }
                        
  • Scenario 2: Grant a RAM user all permissions on a repository. In this example, the repository is nginx in the namespace juzhong in the China (Hangzhou) region.
    Notice If you want to allow the RAM user to manage repositories in the console, add the relevant configuration by referring to scenario 1.
    {
      "Statement": [
        {
          "Action": [
            "cr:*"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:cr:cn-hangzhou:*:repository/juzhong/nginx"
          ]
        },
        {
          "Action": [
            "cr:Get*",
            "cr:List*"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:cr:*:*:repository/juzhong"
          ]
        }
      ],
      "Version": "1"
    }
                        
  • Scenario 3: Grant a RAM user all permissions on a namespace.
    Notice You can implement the scenario only by calling API operations. If you want to allow the RAM user to view all repositories in the console, add the relevant configuration by referring to scenario 1.
    {
      "Statement": [
        {
          "Action": [
            "cr:*"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:cr:cn-hangzhou:*:repository/juzhong",
            "acs:cr:cn-hangzhou:*:repository/juzhong/*"
          ]
        }
      ],
      "Version": "1"
    }

You can create a custom policy by using the scripts introduced in the preceding scenarios and attach the custom policy to the RAM user. To do this, perform the following steps:

  1. Create a custom policy.
    1. Log on to the RAM console by using your Alibaba Cloud account.
    2. In the left-side navigation pane, choose Permissions > Policies.
    3. On the Policies page, click Create Policy.
    4. On the Create Custom Policy page, set the Policy Name and Note parameters.
    5. Set the Configuration Mode parameter to Script and edit the policy content in the text editor. For more information about the policy syntax, see Policy structure and syntax.
      For more information about how to set the Action and Resource parameters when you edit the policy content, see Authentication rules for Container Registry.
    6. Click OK.
  2. Attach the custom policy to a RAM user.
    1. Log on to the RAM console by using your Alibaba Cloud account.
    2. In the left-side navigation pane, choose Identities > Users.
    3. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
    4. In the Add Permissions panel, grant permissions to the RAM user.
      1. Select the authorization scope.
        • Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
        • Specific Resource Group: The authorization takes effect on a specific resource group.
          Note If you select Specific Resource Group as the authorization scope, you must make sure that the cloud service supports resource groups. For more information, see Alibaba Cloud services that support resource groups.
      2. Specify the principal.

        The principal is the RAM user to which you want to grant permissions. By default, the current RAM user is specified. You can also specify another RAM user.

      3. In the Select Policy section, click Custom Policy, enter the name of the custom policy in the field, and then click the custom policy.
      4. Click OK.
    5. Click Complete.

Authentication rules for Container Registry

  • ARN format

    The following table describes the Alibaba Cloud Resource Name (ARN) format in an authorization policy when you use RAM to authorize access to the resources.

    Resource     ARN format in an authorization policy
    repository   acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname

    The following table describes the parameters in the ARN format.

    Parameter       Description
    regionid        The ID of the region, which can be replaced by an asterisk (*).
    accountid       The ID of the Alibaba Cloud account, which can be replaced by an asterisk (*).
    namespacename   The name of the namespace.
    repositoryname  The name of the repository.
  • Authorization rules

    When you access the Container Registry API as a RAM user or by using STS, Container Registry requests RAM to perform a permission check to make sure that the caller has the required permissions. The permissions to be checked are determined by the resources that the API operation requests and by the API operation itself. The following table describes the authentication rules of the different API operations.

    API                                            Action                    Resource
    Create a namespace                             cr:CreateNamespace        *
    Delete a namespace                             cr:DeleteNamespace        acs:cr:$regionid:$accountid:repository/$namespacename
    Update a namespace                             cr:UpdateNamespace        acs:cr:$regionid:$accountid:repository/$namespacename
    Query a namespace                              cr:GetNamespace           acs:cr:$regionid:$accountid:repository/$namespacename
    Query namespaces                               cr:ListNamespace          *
    Create a repository                            cr:CreateRepository       acs:cr:$regionid:$accountid:repository/$namespacename
    Delete a repository                            cr:DeleteRepository       acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
    Update a repository                            cr:UpdateRepository       acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
    Query a repository                             cr:GetRepository          acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
    Query repositories                             cr:ListRepository         *
    Query repositories in a namespace              cr:ListRepository         *
    Query the tag information about a repository   cr:ListRepositoryTag      acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
    Delete an image tag                            cr:DeleteRepositoryTag    acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
    Query the manifest information about an image  cr:GetRepositoryManifest  acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
    Query the information about image layers       cr:GetRepositoryLayers    acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
    Query a temporary authorization token          cr:GetAuthorizationToken  *
    Pull images                                    cr:PullRepository         acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
    Push images                                    cr:PushRepository         acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname
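To see how the scenario policies above interact with these authentication rules, here is an added Python example (not part of this topic and not Alibaba Cloud's code) that evaluates the Scenario 1 policy, with and without the console statement from its Notice, against the Action/Resource pairs from the table. It is a simplified model of RAM matching; the account ID and repository names it uses are constructed sample values.

```python
import fnmatch
# Simplified model of how RAM checks a policy against the Action and Resource
# that the authentication-rules table assigns to an API call. Added illustration,
# not Alibaba Cloud's evaluator: Deny and Condition are not modelled, and "*"
# in Action/Resource is treated as a glob.

# Scenario 1 policy from this topic: read access to the namespace "juzhong".
SCENARIO_1_POLICY = {
    "Statement": [
        {"Action": ["cr:Get*", "cr:List*", "cr:PullRepository"],
         "Effect": "Allow",
         "Resource": ["acs:cr:*:*:repository/juzhong/*"]}
    ],
    "Version": "1",
}

# The "Notice" variant: an extra statement so the console can list namespaces.
SCENARIO_1_CONSOLE_POLICY = {
    "Statement": SCENARIO_1_POLICY["Statement"] + [
        {"Action": ["cr:ListNamespace", "cr:ListRepository"],
         "Effect": "Allow", "Resource": ["*"]}
    ],
    "Version": "1",
}

# Subset of the authentication-rules table: API -> (action, resource template).
REPO_ARN = "acs:cr:{region}:{account}:repository/{ns}/{repo}"
API_RULES = {
    "PullRepository": ("cr:PullRepository", REPO_ARN),
    "PushRepository": ("cr:PushRepository", REPO_ARN),
    "GetRepository": ("cr:GetRepository", REPO_ARN),
    "ListNamespace": ("cr:ListNamespace", "*"),
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource):
    """True if some Allow statement matches both the action and the resource."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])) and \
           any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            return True
    return False

# Account ID below is a constructed sample value, not a real account.
def api_allowed(policy, api, region="cn-hangzhou", account="123456789012", ns="juzhong", repo="nginx"):
    """Map an API call to its Action and concrete Resource ARN, then evaluate."""
    action, template = API_RULES[api]
    return is_allowed(policy, action, template.format(region=region, account=account, ns=ns, repo=repo))
```

Running the checks shows why the Notice is needed: the base policy lets the RAM user pull and query repositories in juzhong but not list namespaces, because the ListNamespace rule is checked against the resource `*`, which the namespace-scoped ARN pattern does not cover.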