Alibaba Cloud provides Resource Access Management and Security Token Service (STS) to help you manage permissions with flexibility and security. This topic describes how to grant a system policy to a RAM user.
Prerequisites
Before you begin, ensure that you have:
- A RAM user created under your Alibaba Cloud account. See Create a RAM user.
Background information
By default, an Alibaba Cloud account has full permissions to its own resources. With Resource Access Management (RAM) and Security Token Service (STS), you can grant different RAM users varying levels of access to your image resources and provide temporary access credentials. Before you configure authorization policies, we recommend that you read the RAM product documentation.
After you grant a policy to a RAM user, the RAM user must log in to the Container Registry console, create a Personal Edition instance, and set a registry password to view their permitted image resources.
RAM
When using RAM to grant permissions, note the following to avoid granting excessive permissions.
If you grant the AdministratorAccess policy to a RAM user, the user receives full permissions on all Alibaba Cloud resources, including Container Registry. This permission set overrides any previously granted Container Registry-specific policies.
System policies
Container Registry provides two built-in system policies: AliyunContainerRegistryFullAccess and AliyunContainerRegistryReadOnlyAccess. You can grant them directly to users.
AliyunContainerRegistryFullAccess
A RAM user with this policy has the same permissions on image resources as an Alibaba Cloud account and can perform any operation.
{ "Statement": [ { "Action": "cr:*", "Effect": "Allow", "Resource": "*" } ], "Version": "1" }AliyunContainerRegistryReadOnlyAccess
A RAM user with this policy has read-only permissions on all image resources. For example, they can view repository lists and pull images.
{ "Statement": [ { "Action": [ "cr:Get*", "cr:List*", "cr:Pull*" ], "Effect": "Allow", "Resource": "*" } ], "Version": "1" }
Procedure
This section describes how to grant the AliyunContainerRegistryReadOnlyAccess policy to a RAM user.
1. Log on to the RAM console.
2. In the left-side navigation pane, choose .
3. On the Users page, find the RAM user and click Actions in the Attach Policy column.
   Alternatively, select multiple RAM users and click Attach Policy at the bottom of the list to grant permissions to all of them at once.
Authorize
4. Select an authorization scope.
   - Account: The permissions apply within the current Alibaba Cloud account.
   - Resource group: The permissions apply within the specified resource group.
   Note: To grant permissions at the resource group level, the cloud service must support resource groups. For more information, see Services that support resource groups.
5. Specify the principal.
   The principal is the user who will receive the permissions. The RAM user you selected is automatically specified as the principal.
6. In the Policies search box, search for AliyunContainerRegistryReadOnlyAccess, and then click AliyunContainerRegistryReadOnlyAccess in the results list.
7. Click OK.
8. Click Off.
Related documentation
To implement fine-grained access control, see Grant a custom policy to a RAM user.
For more information about authentication rules, see RAM authorization.