
Container Registry: Configure access credentials for a Container Registry Enterprise Edition instance

Last Updated: Aug 11, 2025

To ensure secure access and management of your container images, Container Registry provides authentication for clients like Docker and containerd. After successful authentication, you can securely push and pull container images and Helm charts.

Background Information

Access credentials are used to authenticate clients like Docker and containerd. Authorization is then determined by your configured RAM access control policies. For more information, see RAM authentication rules. After successful authentication, you can push and pull container images and Helm charts. We recommend using a password for the registry that is different from your console login password. This mitigates security risks if your client-side credentials are ever exposed.

Access credentials are independent of Alibaba Cloud accounts and passwords. Access credentials are available in two types:

  • Permanent password: A non-expiring password. Keep it secure. If you forget it, you can reset it.

  • Temporary token: A token that is valid for one hour. If obtained via Security Token Service (STS), the token's validity period matches that of the STS token.

Note

Alibaba Cloud accounts and RAM users have independent access credentials. RAM users cannot use the access credentials of their Alibaba Cloud accounts to access Container Registry Enterprise Edition instances. RAM users must configure their own access credentials.

Use a permanent password

Note

Container Registry does not support logging in with a RAM role. To log in as a role, you must use a temporary token.

Procedure

  1. Log on to the Container Registry console.

  2. In the top navigation bar, select a region.

  3. In the left-side navigation pane, click Instances.

  4. On the Instances page, click the Enterprise Edition instance that you want to manage.

  5. In the left-side navigation pane of the management page of the Container Registry Enterprise Edition instance, choose Instances > Access Credential.

  6. On the Access Credential page, click Set Password.

  7. In the Set Password dialog box, enter a password for the Password parameter, and enter the password again for the Confirm Password parameter. Then, click Confirm.

What to do next

Log on to the Container Registry Enterprise Edition instance.

  1. Configure access control over the Internet or virtual private clouds (VPCs). For more information, see Configure access over the Internet or Configure a VPC ACL.

  2. Use the access credential to log on to the Container Registry Enterprise Edition instance. Example:

    docker login <Name of the Container Registry Enterprise Edition instance>-registry.<Region ID of the instance>.cr.aliyuncs.com

Use a temporary token

Prerequisites

Note

You can also use the GetAuthorizationToken API in OpenAPI Explorer to obtain temporary credentials to log in to the instance.

Procedure

  1. Obtain the AccessKey pair of the RAM user. For more information, see View the information about AccessKey pairs of a RAM user.

  2. Create a custom policy in JSON mode and attach the policy to the RAM user. For more information, see Create a custom policy on the JSON tab and Grant permissions to a RAM user.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "cr:GetAuthorizationToken",
                    "cr:PullRepository",
                    "cr:PushRepository"
                ],
                "Resource": "*"
            }
        ]
    }

  3. Run the following command to obtain the temporary token.

    Note

    <acr service endpoint> in ACR_ENDPOINT="<acr service endpoint>" is the endpoint in the region where the Enterprise Edition instance resides. For more information, see Endpoints.

    export ALIYUN_AK="<aliyun access key>"              # The AccessKey ID that you obtained in step 1.
    export ALIYUN_SK="<aliyun access key secret>"       # The AccessKey secret that you obtained in step 1.
    export ACR_INSTANCE_ID="<id of acr instance>"       # The ID of the Container Registry Enterprise Edition instance.
    export ACR_ENDPOINT="<acr service endpoint>"        # The endpoint of the region where the instance resides.
    aliyun cr GetAuthorizationToken --endpoint "$ACR_ENDPOINT" --InstanceId "$ACR_INSTANCE_ID" --access-key-id "$ALIYUN_AK" --access-key-secret "$ALIYUN_SK" | jq -r '.AuthorizationToken'

What to do next

Log on to the Container Registry Enterprise Edition instance.

  1. Configure access control over the Internet or VPCs. For more information, see Configure access over the Internet or Configure a VPC ACL.

  2. Use the access credential to log on to the Container Registry Enterprise Edition instance. Example:

    docker login --username=cr_temp_user <Name of the Container Registry Enterprise Edition instance>-registry.<Region ID of the instance>.cr.aliyuncs.com
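
For scripted logins, the following added example (not part of the original documentation) fetches the temporary token and pipes it to `docker login --password-stdin`, so the token never appears in a command line or in shell history. The function names `acr_get_temp_token` and `acr_login_temp` are assumptions; the environment variables are the ones exported in the procedure above.

```shell
# Added example, not from the original page. Function names are assumptions.
# Requires the variables exported in the procedure:
#   ALIYUN_AK, ALIYUN_SK, ACR_INSTANCE_ID, ACR_ENDPOINT

# Print the temporary token on stdout; return non-zero if none was issued.
acr_get_temp_token() {
    # Capture the full response first so a failed API call is detected
    # before anything is parsed.
    response=$(aliyun cr GetAuthorizationToken \
        --endpoint "$ACR_ENDPOINT" --InstanceId "$ACR_INSTANCE_ID" \
        --access-key-id "$ALIYUN_AK" --access-key-secret "$ALIYUN_SK") || return 1

    token=$(printf '%s' "$response" | jq -r '.AuthorizationToken') || return 1

    # jq -r prints the literal string "null" when the field is absent
    # (for example in an error response), so reject that as well as "".
    case "$token" in
        ''|null)
            echo "GetAuthorizationToken returned no AuthorizationToken" >&2
            return 1
            ;;
    esac
    printf '%s' "$token"
}

# Log in to the registry given as $1 with the temporary token.
# $1: <instance name>-registry.<region ID>.cr.aliyuncs.com
acr_login_temp() {
    registry=$1
    token=$(acr_get_temp_token) || return 1
    # printf is a shell builtin, so the token is not visible in the
    # process list; docker reads it from stdin instead of an argument.
    printf '%s' "$token" |
        docker login --username=cr_temp_user --password-stdin "$registry"
}
```

Because the token is valid for one hour, call `acr_login_temp` again before each batch of pushes or pulls in long-running jobs rather than caching the token.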

References

After you configure access credentials for a Container Registry Enterprise Edition instance, you can manage and store container images in the instance. For more information, see Use a Container Registry Enterprise Edition instance to push and pull images.