All Products
Search
Document Center

Container Registry:Configure access credentials

Last Updated:Apr 24, 2026

To securely access and manage container images in Alibaba Cloud Container Registry (ACR), you must configure authentication for clients like Docker and containerd. After successful authentication and authorization, you can push and pull container images or Helm charts.

Background information

Access credentials are used to authenticate clients such as Docker and containerd. After successful authentication, a configured RAM access control policy determines authorization, allowing you to push and pull container images or Helm charts. We recommend configuring a unique password for ACR, different from your console login password, to protect other services if the client password is leaked.

Two types of credentials are available:

  • Permanent password: This password does not expire. Keep it secure. If you lose the password, you can reset it.

  • Temporary password: This password is valid for one hour. If you request a temporary password by using Security Token Service (STS), its validity period is the same as that of the STS token.

Note

Alibaba Cloud accounts and RAM users are independent. A RAM user cannot use an Alibaba Cloud account's access credential and must configure their own.

Use a permanent password

Note

Container Registry (ACR) does not support role-based logon. To log on by using a role, you must use a temporary password.

Procedure

  1. Log on to the Container Registry console.

  2. In the top navigation bar, select a region.

  3. In the left-side navigation pane, click Instances.

  4. On the Instances page, click the Enterprise Edition instance that you want to manage.

  5. In the left-side navigation pane, choose Instances > Access Credentials.

  6. On the Access Credentials page, click Set Password.

  7. In the Set Password dialog box, enter a password in the Password and Confirm Password fields. Then, click Confirm.

What to do next

Log on to the Enterprise Edition instance.

  1. Configure access control for the Internet or a VPC. For more information, see Configure access control over the Internet or Configure access control for a VPC.

  2. In your terminal, use the access credential to log on to the Enterprise Edition instance. The following is a sample command:

    docker login <instance-name>-registry.<region-id>.cr.aliyuncs.com

Use a temporary password

Prerequisites

Note

You can also run the GetAuthorizationToken operation in OpenAPI Explorer to obtain a temporary username and password for the target instance.

Procedure

  1. Use an existing AccessKey pair or create a new one. Record the AccessKey ID and AccessKey secret. For more information, see Create an AccessKey pair.

  2. Use the following script to create a custom policy and then grant permissions to the RAM user.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "cr:GetAuthorizationToken",
                    "cr:PullRepository",
                    "cr:PushRepository"
                ],
                "Resource": "*"
            }
        ]
    }
  3. Run the following commands to obtain a temporary token.

    Note

    In ACR_ENDPOINT="<acr service endpoint>", replace <acr service endpoint> with the service endpoint for your ACR instance's region.

    export ALIYUN_AK="<aliyun access key>"               # Your AccessKey ID from Step 1.
    export ALIYUN_SK="<aliyun access key secret>"        # Your AccessKey secret from Step 1.
    export ACR_INSTANCE_ID="<id of acr instance>"        # Your target ACR instance ID.
    export ACR_ENDPOINT="<acr service endpoint>"  
    aliyun cr GetAuthorizationToken --endpoint $ACR_ENDPOINT --InstanceId $ACR_INSTANCE_ID --access-key-id $ALIYUN_AK --access-key-secret $ALIYUN_SK | jq -r '.AuthorizationToken'

What to do next

Log on to the Enterprise Edition instance.

  1. Configure access control for the Internet or a VPC. For more information, see Configure access control over the Internet or Configure access control for a VPC.

  2. In your terminal, use the access credential to log on to the Enterprise Edition instance. The following is a sample command:

    docker login --username=cr_temp_user <instance-name>-registry.<region-id>.cr.aliyuncs.com

Related documents