
Container Registry: Configure access credentials

Last Updated: Mar 26, 2026

To push and pull container images and Helm charts from an Alibaba Cloud Container Registry (ACR) Enterprise Edition instance, Docker and containerd clients must authenticate using an access credential. After authentication, authorization is enforced by your Resource Access Management (RAM) access control policies.

ACR provides two types of access credentials. Choose the one that fits your use case:

| Type | Expires | Use case | Notes |
| --- | --- | --- | --- |
| Permanent password | Never | Local development; interactive use by a single developer | ACR does not support role-based logon with a permanent password |
| Temporary password | 1 hour (or matches your Security Token Service (STS) token validity) | CI/CD pipelines and automated systems; role-based access | Recommended for all automated and multi-user scenarios |

Note

Alibaba Cloud accounts and RAM users have independent access credentials. Each RAM user must configure its own credentials and cannot use the Alibaba Cloud account's credentials.

Set a permanent password (for local development)

Prerequisites

Before you begin, ensure that you have:

Set the password

Important

Store your permanent password securely. It does not expire — never commit it to source code repositories or share it across team members. If you lose it, reset it by setting a new one.

  1. Log on to the Container Registry console.

  2. In the top navigation bar, select a region.

  3. In the left navigation pane, click Instances.

  4. On the Instances page, click the Enterprise Edition instance that you want to manage.

  5. In the left navigation pane of the instance management page, choose Instances > Access Credential.

  6. On the Access Credential page, click Set Password.

  7. In the Set Password dialog box, enter a password in the Password field, confirm it in the Confirm Password field, and then click Confirm.

Log in to the instance

  1. Configure network access for the instance. See Configure access over the Internet or Configure a VPC ACL.

  2. Log in to the instance:

    docker login <instance-name>-registry.<region-id>.cr.aliyuncs.com

    Replace <instance-name> with the name of your Enterprise Edition instance and <region-id> with the region ID where the instance resides.

Get a temporary password (for CI/CD and automated systems)

Prerequisites

Before you begin, ensure that you have:

Note

Alternatively, call the GetAuthorizationToken API directly in OpenAPI Explorer to get a temporary credential without the CLI.

Grant permissions

Create a custom policy with the following content, then attach it to the RAM user:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cr:GetAuthorizationToken",
                "cr:PullRepository",
                "cr:PushRepository"
            ],
            "Resource": "*"
        }
    ]
}

Retrieve the token and log in

  1. Create an AccessKey pair or use an existing one. Note the AccessKey ID and AccessKey secret.

  2. Set your credentials and instance details as environment variables:

    export ALIYUN_AK="<aliyun access key>"        # AccessKey ID from step 1
    export ALIYUN_SK="<aliyun access key secret>"  # AccessKey secret from step 1
    export ACR_INSTANCE_ID="<id of acr instance>"  # Enterprise Edition instance ID
    export ACR_ENDPOINT="<acr service endpoint>"   # See ACR endpoints for your region

    For ACR_ENDPOINT, see the ACR endpoint list for the region where your instance resides.

  3. Retrieve the authorization token:

    aliyun cr GetAuthorizationToken --endpoint "$ACR_ENDPOINT" --InstanceId "$ACR_INSTANCE_ID" --access-key-id "$ALIYUN_AK" --access-key-secret "$ALIYUN_SK" | jq -r '.AuthorizationToken'

    Note

    The temporary password is valid for 1 hour. If you obtained it through STS, its validity matches that of the STS token. Re-run the command to get a new token when it expires.

What's next

  1. Configure network access for the instance. See Configure access over the Internet or Configure a VPC ACL.

  2. Log in to the instance, using the token retrieved above as the password:

    docker login --username=cr_temp_user <instance-name>-registry.<region-id>.cr.aliyuncs.com

    Replace <instance-name> with the name of your Enterprise Edition instance and <region-id> with the region ID where the instance resides.

  3. Push and pull images using your authenticated Docker client. See Use a Container Registry Enterprise Edition instance to push and pull images and Pull an image from the same account.
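
The token retrieval and login steps above, combined into one script as an added example (not part of the original page): the temporary password is piped to `docker login` over stdin, so it never appears in docker's argument list or in shell history. `ACR_INSTANCE_NAME`, `ACR_REGION_ID` and the `acr_*` function names are assumptions introduced here; the other variables are the ones exported earlier on this page.

```shell
#!/usr/bin/env bash
# Added example: ACR login with a temporary password passed over stdin.
# ACR_INSTANCE_NAME, ACR_REGION_ID and the acr_* names are assumptions.

# Registry hostname in the form used on this page.
acr_registry_host() {
    printf '%s-registry.%s.cr.aliyuncs.com' "$1" "$2"
}

# Print a fresh temporary password; fail if the response carries none.
acr_get_token() {
    local token
    token=$(aliyun cr GetAuthorizationToken \
        --endpoint "$ACR_ENDPOINT" --InstanceId "$ACR_INSTANCE_ID" \
        --access-key-id "$ALIYUN_AK" --access-key-secret "$ALIYUN_SK" \
        | jq -r '.AuthorizationToken // empty') || return 1
    if [ -z "$token" ]; then
        echo "GetAuthorizationToken returned no token" >&2
        return 1
    fi
    printf '%s' "$token"
}

# Fetch a token and log in. The token travels through a pipe, so it is not
# visible in docker's argument list or in shell history.
acr_login() {
    local host token
    # Check settings in a subshell so ${VAR:?} cannot exit the caller's shell.
    ( : "${ALIYUN_AK:?}" "${ALIYUN_SK:?}" "${ACR_INSTANCE_ID:?}" \
        "${ACR_ENDPOINT:?}" "${ACR_INSTANCE_NAME:?}" "${ACR_REGION_ID:?}" ) || return 2
    host=$(acr_registry_host "$ACR_INSTANCE_NAME" "$ACR_REGION_ID")
    token=$(acr_get_token) || return 1
    printf '%s' "$token" | docker login --username=cr_temp_user --password-stdin "$host"
}

# Usage in a job that runs longer than the token's lifetime: call acr_login
# again before each push or pull stage instead of caching the token.
```

Source the script and call `acr_login` from a pipeline step. It returns 2 when a required variable is missing and 1 when no token was issued.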