To securely access and manage your container images in Alibaba Cloud Container Registry (ACR), ACR provides identity authentication for clients such as Docker and containerd. After successful authentication and authorization, you can securely push and pull container images and Helm charts.
Background information
Access credentials authenticate clients such as Docker and containerd. Authorization after successful authentication is based on your configured Resource Access Management (RAM) access control policies. For more information, see RAM access control policies. After successful authentication and authorization, you can push and pull container images and Helm charts. Use a password different from your console login password to reduce risk if client-side credentials are exposed.
Access credentials are independent of your Alibaba Cloud account and password. They come in two types:
Permanent password: Does not expire. Store it securely. If lost, reset it by setting a new one.
Temporary password: Valid for one hour. If requested through Security Token Service (STS), its validity matches that of the STS token.
Alibaba Cloud accounts and RAM users have independent access credentials. A RAM user cannot use the access credentials of the Alibaba Cloud account. Each RAM user must configure its own access credentials.
Use a permanent password
Container Registry does not support role-based logon. Use a temporary password instead.
Procedure
Log on to the Container Registry console.
In the top navigation bar, select a region.
In the navigation pane on the left, click Instances.
On the Instances page, click the Enterprise Edition instance that you want to manage.
In the navigation pane on the left of the Enterprise Edition instance management page, choose .
On the Access Credential page, click Set Password.
In the Set Password dialog box, enter a password in the Password field and confirm it in the Confirm Password field. Then click Confirm.
What to do next
Log on to the Enterprise Edition instance.
Configure access control for the Internet or virtual private clouds (VPCs). For more information, see Configure access over the Internet or Configure a VPC ACL.
Use the access credential to log on to the Enterprise Edition instance. Example:
docker login <Name of the Container Registry Enterprise Edition instance>-registry.<Region ID of the instance>.cr.aliyuncs.com
Use a temporary password
Prerequisites
Install the Alibaba Cloud CLI and configure its credentials. For more information, see Configure credentials.
You have installed the jq command.
You have created a RAM user.
You can also run the GetAuthorizationToken API directly in OpenAPI Explorer to obtain temporary credentials for the target instance.
Procedure
Create an AccessKey pair or use an existing one. Record the AccessKey ID and AccessKey secret. For more information, see Create an AccessKey.
To grant the RAM user only the permissions this procedure needs (obtaining a token, pulling, and pushing), create a custom policy in script edit mode with the following content and attach it to the RAM user.
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cr:GetAuthorizationToken",
                "cr:PullRepository",
                "cr:PushRepository"
            ],
            "Resource": "*"
        }
    ]
}
Run the following command to retrieve the temporary token.
Note: In ACR_ENDPOINT="<acr service endpoint>", <acr service endpoint> is the endpoint for the region where your ACR instance resides.
export ALIYUN_AK="<aliyun access key>"           # The AccessKey ID from step 1.
export ALIYUN_SK="<aliyun access key secret>"    # The AccessKey secret from step 1.
export ACR_INSTANCE_ID="<id of acr instance>"    # The ID of the Container Registry Enterprise Edition instance.
export ACR_ENDPOINT="<acr service endpoint>"
aliyun cr GetAuthorizationToken --endpoint "$ACR_ENDPOINT" --InstanceId "$ACR_INSTANCE_ID" --access-key-id "$ALIYUN_AK" --access-key-secret "$ALIYUN_SK" | jq -r '.AuthorizationToken'
What to do next
Log on to the Enterprise Edition instance.
Configure access control for the Internet or VPCs. For more information, see Configure access over the Internet or Configure a VPC ACL.
Use the access credential to log on to the Enterprise Edition instance. Example:
docker login --username=cr_temp_user <Name of the Container Registry Enterprise Edition instance>-registry.<Region ID of the instance>.cr.aliyuncs.com
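The following is an added example, not code from the Alibaba Cloud documentation, showing how a script can consume the GetAuthorizationToken response from the procedure above: it checks that the one-hour token has not already expired and hands it to docker login through stdin rather than on the command line. It assumes the response JSON carries AuthorizationToken, TempUsername and ExpireTime in epoch milliseconds; the sample response and the registry hostname are constructed placeholders.

```python
"""Consume an ACR GetAuthorizationToken response and log in without exposing the token.

Assumption (not from the page): the response JSON carries AuthorizationToken,
TempUsername and ExpireTime (epoch milliseconds). The sample below is constructed.
"""
import json
import subprocess
import time

# Constructed sample shaped like `aliyun cr GetAuthorizationToken` output; not a real token.
SAMPLE_RESPONSE = json.dumps({
    "RequestId": "EXAMPLE-REQUEST-ID",
    "AuthorizationToken": "constructed-token-not-real",
    "TempUsername": "cr_temp_user",
    "ExpireTime": int((time.time() + 3600) * 1000),
})


def parse_token(raw, now=None):
    """Return (username, token, seconds_left); raise if the token has already expired."""
    data = json.loads(raw)
    now = time.time() if now is None else now
    seconds_left = data["ExpireTime"] / 1000 - now
    if seconds_left <= 0:
        raise ValueError("temporary token already expired; request a new one")
    return data["TempUsername"], data["AuthorizationToken"], seconds_left


def docker_login_cmd(registry, username):
    """Build a docker login invocation that reads the password from stdin, so the
    token never appears in argv, `ps` output, or shell history."""
    return ["docker", "login", "--username", username, "--password-stdin", registry]


def login(registry, raw_response, run=subprocess.run):
    """Parse the token and pipe it into docker login. `run` is injectable so the
    flow can be exercised without docker installed; returns docker's exit code."""
    username, token, seconds_left = parse_token(raw_response)
    if seconds_left < 60:
        raise ValueError(f"only {seconds_left:.0f}s left on token; refresh it first")
    result = run(docker_login_cmd(registry, username), input=token.encode(), check=True)
    return result.returncode


if __name__ == "__main__":
    # Placeholder hostname in the page's <instance>-registry.<region>.cr.aliyuncs.com form.
    registry = "my-instance-registry.cn-hangzhou.cr.aliyuncs.com"
    print(login(registry, SAMPLE_RESPONSE))
```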