
Container Registry: Fine-grained resource control with resource groups

Last Updated: Apr 23, 2026

Resource groups allow you to use RAM to isolate resources and enforce fine-grained permission management within a single Alibaba Cloud account. This topic describes how Container Registry supports resource groups and how to grant resource group-level authorization.

Resource group authorization

You can use resource groups to organize resources in your Alibaba Cloud account. For example, you can create a resource group for each project and move the project's resources into the group to manage them centrally. For more information, see What is a resource group?.

After you group your resources, you can grant permissions to RAM principals (RAM users, RAM user groups, or RAM roles) at the resource group scope. This restricts the principal to managing only the resources within that group. For more information, see Resource grouping and authorization.

This approach has the following advantages:

  • Fine-grained permissions: You can ensure each principal is granted only the permissions it needs. This prevents a principal assigned to one project from managing the resources of another.

  • Scalability: When you add resources to a resource group, principals authorized for that group automatically gain the same permissions for the new resources.

Grant a RAM user resource group-level permissions

This section describes how to grant permissions to a RAM user on Container Registry resources within a specific resource group.

1. Prerequisites

  1. Create the RAM user that you want to grant permissions to. For more information, see Create a RAM user.

  2. Create a resource group and move existing resources to the target resource group. For more information, see Create a resource group, Automatically transfer resources to a resource group, and Manually transfer resources to a resource group.

2. Grant resource group-level permissions

You can grant permissions at the resource group level using either of the following methods.

Method 1: Resource management console

Use a resource group's permission management feature to grant permissions to a RAM user. For detailed instructions, see Grant resource group-scope permissions to a RAM identity.

  • Sign in to the Resource Management console.

  • On the Resource Groups page, in the Actions column for the target resource group, click Grant Permission.

  • On the Permission Management tab, click Grant Permission.

  • In the Grant Permission panel, set the principal and policy.

    • Principal: Select an existing RAM user.

    • Permission Policy: Select a system policy or an existing custom policy. For more information, see Create a custom policy.

  • Click OK.

Method 2: RAM console

Use the RAM console to grant resource group-level permissions to a RAM user. For detailed instructions, see Manage permissions for a RAM user.

  • Sign in to the RAM console using an Alibaba Cloud account or a RAM administrator.

  • In the navigation pane on the left, choose Identities > Users. On the Users page, in the Actions column for the target RAM user, click Add Permission.

  • In the Grant Permission panel, grant permissions to the RAM user.

    • Resource Scope: Select Resource Group Level.

    • Principal: Select an existing RAM user, which can be the one you created in the prerequisites.

    • Permission Policy: Select a system policy or an existing custom policy. For more information, see Create a custom policy.

  • Click OK.

Resource types that support resource groups

The following table lists the resource types in Container Registry that support resource groups.

Cloud service      | Cloud service code | Type
Container Registry | cr                 | chartnamespace : Chart namespace
Container Registry | cr                 | chartrepository : Chart repository
Container Registry | cr                 | instance : Instance
Container Registry | cr                 | namespace : Image namespace
Container Registry | cr                 | repository : Image repository

Note

If you need a resource type that does not support resource groups, submit feedback in the Resource Group Console.

Actions that do not support resource group-level authorization

The following Actions in Container Registry do not support resource group-level authorization:

Action                                  | Description
cr:CancelArtifactDeleteTagTask          | -
cr:CancelArtifactSubscriptionTask       | -
cr:CancelDiagnosisTask                  | -
cr:CancelRepoSyncTask                   | Cancels a sync task.
cr:CreateArtifactBuildDiagnosisTask     | -
cr:CreateArtifactBuildPhaseStatusTask   | -
cr:CreateCloudProductAuth               | -
cr:CreateClusterImageAnalysisTask       | -
cr:CreateImageWorkloadAnalysisTask      | -
cr:CreateInstanceFlowControlRule        | -
cr:CreateMetadataNamespace              | -
cr:CreateMetadataNote                   | -
cr:CreateMetadataOccurrence             | -
cr:CreateStorageDomainRoutingRule       | Creates an instance storage domain routing rule.
cr:CreateUserInfo                       | -
cr:DeleteCloudProductAuth               | -
cr:DeleteExemptVul                      | -
cr:DeleteInstance                       | -
cr:DeleteInstanceFlowControlRule        | -
cr:DeleteInstanceMigrateRule            | -
cr:DeleteStorageDomainRoutingRule       | Deletes an instance storage domain routing rule.
cr:DeleteSyncCustomLink                 | -
cr:DisableInstanceHideAuthDomain        | -
cr:EnableInstanceHideAuthDomain         | -
cr:EnableRecycleBin                     | -
cr:GetAccessVpcLink                     | -
cr:GetClusterImageAnalysisTask          | -
cr:GetDiagnosisTask                     | -
cr:GetImageWorkloadAnalysisTask         | -
cr:GetInstanceFlowControlRule           | -
cr:GetInstanceHideAuthDomainStatus      | -
cr:GetInstanceMigrateRule               | -
cr:GetInstanceUser                      | -
cr:GetMetadataNamespace                 | -
cr:GetMetadataNote                      | -
cr:GetMetadataOccurrence                | -
cr:GetRecycleBinConfig                  | -
cr:GetRepoTagManifest                   | -
cr:GetRepositoryTag                     | -
cr:GetResourceQuota                     | -
cr:GetScanRule                          | Gets a scan rule.
cr:GetServiceAuthorization              | -
cr:GetSignatureRule                     | -
cr:GetStorageDomainRoutingRule          | Gets instance storage domain routing rules.
cr:GetSyncCustomLink                    | -
cr:GetUserInfo                          | -
cr:GetWebHook                           | -
cr:ListArtifactBuildDiagnosisResult     | -
cr:ListArtifactBuildPhaseStatus         | -
cr:ListArtifactBuildRule                | -
cr:ListArtifactComponents               | -
cr:ListArtifacts                        | -
cr:ListChartNamespace                   | -
cr:ListChartRepository                  | -
cr:ListCloudProductAuth                 | -
cr:ListDiagnosisTask                    | -
cr:ListInstanceFlowControlRule          | -
cr:ListInstanceUser                     | -
cr:ListMetadataNotes                    | -
cr:ListMetadataOccurrences              | -
cr:ListUserBucket                       | -
cr:ListUserVpc                          | -
cr:RevokeInstanceUserLoginPassword      | -
cr:StopChainInstance                    | -
cr:UpdateArtifactBuildRule              | -
cr:UpdateExemptVul                      | -
cr:UpdateMetadataNote                   | -
cr:UpdateMetadataOccurrence             | -
cr:UpdateStorageDomainRoutingRule       | Updates an instance storage domain routing rule.
cr:UpdateSyncCustomLink                 | -
cr:UpdateSyncRule                       | -
cr:UpdateUserInfo                       | -


For Actions that do not support resource group-level authorization, setting the resource scope to Resource Group Level has no effect. If a RAM user requires these permissions, create a custom policy and set the resource scope to Account Level.

The following are two examples of custom policies. Adjust the policy content as needed.

  • To allow all read-only Actions that do not support resource group-level authorization, list them in the Action element.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "cr:GetAccessVpcLink",
            "cr:GetClusterImageAnalysisTask",
            "cr:GetDiagnosisTask",
            "cr:GetImageWorkloadAnalysisTask",
            "cr:GetInstanceFlowControlRule",
            "cr:GetInstanceHideAuthDomainStatus",
            "cr:GetInstanceMigrateRule",
            "cr:GetInstanceUser",
            "cr:GetMetadataNamespace",
            "cr:GetMetadataNote",
            "cr:GetMetadataOccurrence",
            "cr:GetRecycleBinConfig",
            "cr:GetRepoTagManifest",
            "cr:GetRepositoryTag",
            "cr:GetResourceQuota",
            "cr:GetScanRule",
            "cr:GetServiceAuthorization",
            "cr:GetSignatureRule",
            "cr:GetStorageDomainRoutingRule",
            "cr:GetSyncCustomLink",
            "cr:GetUserInfo",
            "cr:GetWebHook",
            "cr:ListArtifactBuildDiagnosisResult",
            "cr:ListArtifactBuildPhaseStatus",
            "cr:ListArtifactBuildRule",
            "cr:ListArtifactComponents",
            "cr:ListArtifacts",
            "cr:ListChartNamespace",
            "cr:ListChartRepository",
            "cr:ListCloudProductAuth",
            "cr:ListDiagnosisTask",
            "cr:ListInstanceFlowControlRule",
            "cr:ListInstanceUser",
            "cr:ListMetadataNotes",
            "cr:ListMetadataOccurrences",
            "cr:ListUserBucket",
            "cr:ListUserVpc"
          ],
          "Resource": "*"
        }
      ]
    }
    
  • To allow all Actions that do not support resource group-level authorization, list them in the Action element.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "cr:CancelArtifactDeleteTagTask",
            "cr:CancelArtifactSubscriptionTask",
            "cr:CancelDiagnosisTask",
            "cr:CancelRepoSyncTask",
            "cr:CreateArtifactBuildDiagnosisTask",
            "cr:CreateArtifactBuildPhaseStatusTask",
            "cr:CreateCloudProductAuth",
            "cr:CreateClusterImageAnalysisTask",
            "cr:CreateImageWorkloadAnalysisTask",
            "cr:CreateInstanceFlowControlRule",
            "cr:CreateMetadataNamespace",
            "cr:CreateMetadataNote",
            "cr:CreateMetadataOccurrence",
            "cr:CreateStorageDomainRoutingRule",
            "cr:CreateUserInfo",
            "cr:DeleteCloudProductAuth",
            "cr:DeleteExemptVul",
            "cr:DeleteInstance",
            "cr:DeleteInstanceFlowControlRule",
            "cr:DeleteInstanceMigrateRule",
            "cr:DeleteStorageDomainRoutingRule",
            "cr:DeleteSyncCustomLink",
            "cr:DisableInstanceHideAuthDomain",
            "cr:EnableInstanceHideAuthDomain",
            "cr:EnableRecycleBin",
            "cr:GetAccessVpcLink",
            "cr:GetClusterImageAnalysisTask",
            "cr:GetDiagnosisTask",
            "cr:GetImageWorkloadAnalysisTask",
            "cr:GetInstanceFlowControlRule",
            "cr:GetInstanceHideAuthDomainStatus",
            "cr:GetInstanceMigrateRule",
            "cr:GetInstanceUser",
            "cr:GetMetadataNamespace",
            "cr:GetMetadataNote",
            "cr:GetMetadataOccurrence",
            "cr:GetRecycleBinConfig",
            "cr:GetRepoTagManifest",
            "cr:GetRepositoryTag",
            "cr:GetResourceQuota",
            "cr:GetScanRule",
            "cr:GetServiceAuthorization",
            "cr:GetSignatureRule",
            "cr:GetStorageDomainRoutingRule",
            "cr:GetSyncCustomLink",
            "cr:GetUserInfo",
            "cr:GetWebHook",
            "cr:ListArtifactBuildDiagnosisResult",
            "cr:ListArtifactBuildPhaseStatus",
            "cr:ListArtifactBuildRule",
            "cr:ListArtifactComponents",
            "cr:ListArtifacts",
            "cr:ListChartNamespace",
            "cr:ListChartRepository",
            "cr:ListCloudProductAuth",
            "cr:ListDiagnosisTask",
            "cr:ListInstanceFlowControlRule",
            "cr:ListInstanceUser",
            "cr:ListMetadataNotes",
            "cr:ListMetadataOccurrences",
            "cr:ListUserBucket",
            "cr:ListUserVpc",
            "cr:RevokeInstanceUserLoginPassword",
            "cr:StopChainInstance",
            "cr:UpdateArtifactBuildRule",
            "cr:UpdateExemptVul",
            "cr:UpdateMetadataNote",
            "cr:UpdateMetadataOccurrence",
            "cr:UpdateStorageDomainRoutingRule",
            "cr:UpdateSyncCustomLink",
            "cr:UpdateSyncRule",
            "cr:UpdateUserInfo"
          ],
          "Resource": "*"
        }
      ]
    }
    
Important

A RAM user or RAM role with account-level permissions can operate on all resources in the account. To follow the principle of least privilege, grant only the necessary permissions.
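The restriction above is easy to miss when reviewing a policy: an Action from the table attached at Resource Group Level simply never takes effect, and a wildcard such as cr:Get* hides the problem. The following Python script is an added example, not Alibaba Cloud code. It reads a custom policy document in the shape the page's examples use, reports which of its Actions would be ineffective at resource group scope (expanding wildcards against the table on this page), and splits the policy into one document to attach at Resource Group Level and one to attach at Account Level. The Action cr:ListRepository in the sample stands in for an Action that does support resource group scope and is an assumption of this example, as is the case-insensitive matching.

```python
"""Audit a RAM policy for Actions that are ineffective at resource group scope.

Added example; not Alibaba Cloud code. The action list is copied from the
table on this page; the policy shape (Version/Statement/Effect/Action/Resource)
is the one the page's own policy examples use.
"""
import fnmatch
import json

# Container Registry Actions that do not support resource group-level
# authorization (copied from this page's table, 72 entries).
UNSUPPORTED_AT_RG_SCOPE = frozenset("""
cr:CancelArtifactDeleteTagTask cr:CancelArtifactSubscriptionTask cr:CancelDiagnosisTask
cr:CancelRepoSyncTask cr:CreateArtifactBuildDiagnosisTask cr:CreateArtifactBuildPhaseStatusTask
cr:CreateCloudProductAuth cr:CreateClusterImageAnalysisTask cr:CreateImageWorkloadAnalysisTask
cr:CreateInstanceFlowControlRule cr:CreateMetadataNamespace cr:CreateMetadataNote
cr:CreateMetadataOccurrence cr:CreateStorageDomainRoutingRule cr:CreateUserInfo
cr:DeleteCloudProductAuth cr:DeleteExemptVul cr:DeleteInstance cr:DeleteInstanceFlowControlRule
cr:DeleteInstanceMigrateRule cr:DeleteStorageDomainRoutingRule cr:DeleteSyncCustomLink
cr:DisableInstanceHideAuthDomain cr:EnableInstanceHideAuthDomain cr:EnableRecycleBin
cr:GetAccessVpcLink cr:GetClusterImageAnalysisTask cr:GetDiagnosisTask
cr:GetImageWorkloadAnalysisTask cr:GetInstanceFlowControlRule cr:GetInstanceHideAuthDomainStatus
cr:GetInstanceMigrateRule cr:GetInstanceUser cr:GetMetadataNamespace cr:GetMetadataNote
cr:GetMetadataOccurrence cr:GetRecycleBinConfig cr:GetRepoTagManifest cr:GetRepositoryTag
cr:GetResourceQuota cr:GetScanRule cr:GetServiceAuthorization cr:GetSignatureRule
cr:GetStorageDomainRoutingRule cr:GetSyncCustomLink cr:GetUserInfo cr:GetWebHook
cr:ListArtifactBuildDiagnosisResult cr:ListArtifactBuildPhaseStatus cr:ListArtifactBuildRule
cr:ListArtifactComponents cr:ListArtifacts cr:ListChartNamespace cr:ListChartRepository
cr:ListCloudProductAuth cr:ListDiagnosisTask cr:ListInstanceFlowControlRule cr:ListInstanceUser
cr:ListMetadataNotes cr:ListMetadataOccurrences cr:ListUserBucket cr:ListUserVpc
cr:RevokeInstanceUserLoginPassword cr:StopChainInstance cr:UpdateArtifactBuildRule
cr:UpdateExemptVul cr:UpdateMetadataNote cr:UpdateMetadataOccurrence
cr:UpdateStorageDomainRoutingRule cr:UpdateSyncCustomLink cr:UpdateSyncRule cr:UpdateUserInfo
""".split())

# Lower-cased lookup; case-insensitive matching is an assumption of this
# example, chosen so a differently cased entry is not missed by the audit.
_BY_LOWER = {a.lower(): a for a in UNSUPPORTED_AT_RG_SCOPE}


def _as_list(value):
    """Policy fields such as Statement and Action may be a string or a list."""
    return value if isinstance(value, list) else [value]


def expand_action(pattern):
    """Unsupported actions covered by one Action entry (exact or wildcard)."""
    low = pattern.lower()
    return sorted(name for key, name in _BY_LOWER.items()
                  if fnmatch.fnmatchcase(key, low))


def ineffective_actions(policy_json, scope="ResourceGroup"):
    """Actions that do nothing if this policy is attached at `scope`.

    Only Resource Group Level is affected by the page's restriction, so any
    other scope (for example "Account") yields an empty list.
    """
    if scope != "ResourceGroup":
        return []
    found = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        for pattern in _as_list(stmt.get("Action", [])):
            found.update(expand_action(pattern))
    return sorted(found)


def split_policy(policy_json):
    """Split an Allow policy into (resource-group-scope, account-scope) docs.

    Exact unsupported names move to the account-scope document. Wildcards stay
    in the resource-group document (they still cover supported actions there)
    and only their unsupported expansions are copied, by explicit name, to the
    account-scope document, so it grants nothing beyond what needs that scope.
    "Resource": "*" mirrors the page's examples.
    """
    rg_actions, account_actions = [], set()
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            account_actions.update(expand_action(pattern))
            if pattern.lower() not in _BY_LOWER:
                rg_actions.append(pattern)

    def doc(actions):
        return {"Version": "1", "Statement": [
            {"Effect": "Allow", "Action": sorted(set(actions)), "Resource": "*"}]}

    return doc(rg_actions), doc(account_actions)


if __name__ == "__main__":
    # Constructed sample: an exact unsupported action, a wildcard, and
    # cr:ListRepository, assumed here to be an action that supports
    # resource group scope (it is not in the page's table).
    sample = json.dumps({"Version": "1", "Statement": [{
        "Effect": "Allow", "Resource": "*",
        "Action": ["cr:GetScanRule", "cr:Get*", "cr:DeleteInstance", "cr:ListRepository"]}]})
    print("ineffective at resource group scope:", ineffective_actions(sample))
    rg_doc, account_doc = split_policy(sample)
    print(json.dumps(rg_doc, indent=2))
    print(json.dumps(account_doc, indent=2))
```

Run the script on a policy before attaching it with Resource Scope set to Resource Group Level; anything it lists under "ineffective" is a grant that will silently fail rather than be denied. The account-scope document it produces names each Action explicitly, which is the least-privilege shape the Important note above asks for.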

FAQ

Find a resource's resource group

  • Method 1: Click a resource's name to open its details page, where you can find its resource group.

  • Method 2: Log on to the Resource Management console, click Resource Center > Resource Search, select the account that owns the target resource in the left-side pane (Current Account is selected by default), and use the filter conditions to locate the target resource to view its resource group.

View product resources in a resource group

  • Method 1: Log on to the Resource Management console, and click Resource Center > Resource Search. Then, in the left-side navigation pane, click the name of the target resource group under the account section, which defaults to the Current Account. Finally, in the Select Resource Type section on the right, select the product to view all of its resources in the resource group.

  • Method 2: Log on to the Resource Management console, click Resource Group > Resource Group, find the target resource group, and then click Manage Resources in the Actions column for the group. Finally, on the Manage Resources page, select a product from the Product drop-down list at the top of the page to view all resources of the product in the resource group.

Move resources to another resource group

Log on to the Resource Management console, click Resource Group > Resource Group, and in the Actions column of the target resource group, click Resource Management to open the resource management page. On the resource management page, use the filters to locate multiple target resources, select the checkboxes in the first column, click Transfer Resource Group at the bottom, and then follow the on-screen instructions to change the resource group.