Container Registry: Attach system policies to a RAM user

Last Updated: Mar 26, 2026

Use Resource Access Management (RAM) and Security Token Service (STS) to control which RAM users can access your container image repositories and what operations they can perform.

Prerequisites

Before you begin, ensure that you have:

Important

After you attach a policy to a RAM user, that user must log in to the Container Registry console, create a Personal Edition instance, and set a registry password before they can access any images.

System policies in Container Registry

Container Registry provides two built-in system policies. Attach the one that matches the level of access the RAM user needs.

| Policy | What it allows | What it doesn't allow |
| --- | --- | --- |
| AliyunContainerRegistryFullAccess | All operations on image resources — same as an Alibaba Cloud account | N/A (full access) |
| AliyunContainerRegistryReadOnlyAccess | View repository lists and pull images | Push, delete, or modify images and repositories |

Policy definitions:

AliyunContainerRegistryFullAccess

{
  "Statement": [
    {
      "Action": "cr:*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}

AliyunContainerRegistryReadOnlyAccess

{
  "Statement": [
    {
      "Action": [
        "cr:Get*",
        "cr:List*",
        "cr:Pull*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}

Important

Granting a RAM user the AdministratorAccess policy gives that user full permissions on all Alibaba Cloud resources, including Container Registry, regardless of any other policies. Follow the principle of least privilege and avoid granting more permissions than necessary.
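
The difference between the two policy definitions above, and the least-privilege point, shown as an added example (not part of the Alibaba Cloud documentation): a simplified evaluator that matches action names against each policy's Action patterns and flags service-wide wildcard grants. The sample action names and the fnmatch-style wildcard matching are assumptions for illustration; Resource and Condition are ignored.

```python
import json
from fnmatch import fnmatchcase

# The two policy documents as shown on this page.
FULL_ACCESS = json.loads(
    '{"Statement":[{"Action":"cr:*","Effect":"Allow","Resource":"*"}],"Version":"1"}')
READ_ONLY = json.loads(
    '{"Statement":[{"Action":["cr:Get*","cr:List*","cr:Pull*"],'
    '"Effect":"Allow","Resource":"*"}],"Version":"1"}')


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def is_allowed(policy, action):
    """Simplified model: explicit Deny wins, then any matching Allow, else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if any(fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def broad_grants(policy):
    """Return Allow patterns that cover a whole service (or everything) on all resources."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        findings += [p for p in _as_list(stmt["Action"]) if p == "*" or p.endswith(":*")]
    return findings


# Constructed sample action names (assumed for illustration, not taken from the page).
SAMPLE_ACTIONS = ["cr:ListRepository", "cr:GetRepository", "cr:PullRepository",
                  "cr:PushRepository", "cr:DeleteRepository"]


def compare(actions=SAMPLE_ACTIONS):
    """Map each action to (allowed by read-only policy, allowed by full-access policy)."""
    return {a: (is_allowed(READ_ONLY, a), is_allowed(FULL_ACCESS, a)) for a in actions}


if __name__ == "__main__":
    for action, (ro, full) in compare().items():
        print(f"{action:22} read-only={ro!s:5} full={full}")
    print("broad grants in full-access policy:", broad_grants(FULL_ACCESS))
```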

Attach a system policy

The following example attaches AliyunContainerRegistryReadOnlyAccess to a RAM user. You can attach any system policy using the same steps.

You can grant permissions in two ways:

  • Single user: Find the user on the Users page and click Add Permissions in the Actions column.

  • Multiple users: Select multiple users on the Users page, then click Add Permissions at the bottom of the page.

Steps:

  1. Log in to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the RAM user, then click Add Permissions in the Actions column.

  4. In the Grant Permission panel, configure the following settings:

    1. Set Resource Scope:

      • Account: The permissions apply to all resources in your Alibaba Cloud account.

      • ResourceGroup: The permissions apply to a specific resource group.

      Note

      If you select ResourceGroup, make sure Container Registry supports resource groups. For more information, see Services that work with Resource Group.

    2. Confirm the principal. By default, the current RAM user is selected. Change this if you are granting permissions to a different user.

    3. In the Policy search box, enter AliyunContainerRegistryReadOnlyAccess and select it from the results.

    4. Click Grant permissions.

  5. Click Close.

What's next