Reference of permissions and resource ARNs for RAM authorization - Container Registry

This page lists the Alibaba Cloud Resource Name (ARN) formats and API-to-action mappings for Container Registry (ACR). Use it to look up the correct Action and Resource values when writing Resource Access Management (RAM) policy statements.

ARN formats

The following table lists the ARN format for each resource type. Use the ARN in the Resource element of a policy statement.

Resource type	ARN format
All resources	`acs:cr:$regionid:$accountid:*`
Instance	`acs:cr:$regionid:$accountid:instance/$instanceid`
Repository (all in instance)	`acs:cr:$regionid:$accountid:repository/$instanceid/*`
Repository (instance scope)	`acs:cr:$regionid:$accountid:repository/$instanceid`
Repository (all in namespace)	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/*`
Repository (specific)	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`
Namespace	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename`
Chart namespace (all in instance)	`acs:cr:$regionid:$accountid:chart/$instanceid/*`
Chart namespace (instance scope)	`acs:cr:$regionid:$accountid:chart/$instanceid`
Chart repository (all in namespace)	`acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/*`
Chart namespace (specific)	`acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename`
Chart repository (specific)	`acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname`

ARN parameters

Parameter	Description
`$regionid`	Region ID. Replace with `*` to match all regions.
`$accountid`	Alibaba Cloud account ID. Replace with `*` to match all accounts.
`$instanceid`	ID of the Container Registry Enterprise Edition instance.
`$namespacename`	Name of the namespace.
`$repositoryname`	Name of the image repository.
`$chartnamespacename`	Name of the chart namespace.
`$chartrepositoryname`	Name of the chart repository.

API authentication rules

When a RAM user or Security Token Service (STS) caller invokes a Container Registry API, ACR verifies that the caller has the required permission. The table below maps each API operation to its required action and resource scope.

The columns are:

API: The API operation name.
Action: The permission string to include in the Action element of your policy statement.
Resource: The ARN pattern for the Resource element. * means the action is not resource-level and requires "Resource": "*".
Access level: Whether the action reads data (Read), lists resources (List), modifies resources (Write), or manages permissions (Permissions management).

Note

Note: * is used as a wildcard in both ARN patterns and the Resource column.

Instance

API	Action	Resource	Access level
GetInstance	`cr:GetInstance`	`acs:cr:$regionid:$accountid:instance/$instanceid`	Read
GetInstanceCount	`cr:ListInstance`	`*`	List
GetInstanceEndpoint	`cr:GetInstanceEndpoint`	`acs:cr:$regionid:$accountid:instance/$instanceid`	Read
GetInstanceUsage	`cr:GetInstanceUsage`	`acs:cr:$regionid:$accountid:instance/$instanceid`	Read
GetInstanceVpcEndpoint	`cr:GetInstanceVpcEndpoint`	`acs:cr:$regionid:$accountid:instance/$instanceid`	Read
ListInstance	`cr:ListInstance`	`*`	List
ListInstanceEndpoint	`cr:ListInstanceEndpoint`	`acs:cr:$regionid:$accountid:repository/$instanceid`	List
CreateInstanceEndpointAclPolicy	`cr:CreateInstanceEndpointAclPolicy`	`acs:cr:$regionid:$accountid:instance/$instanceid`	Write
CreateInstanceVpcEndpointLinkedVpc	`cr:CreateInstanceVpcEndpointLinkedVpc`	`acs:cr:$regionid:$accountid:instance/$instanceid`	Write
DeleteInstanceEndpointAclPolicy	`cr:DeleteInstanceEndpointAclPolicy`	`acs:cr:$regionid:$accountid:instance/$instanceid`	Write
DeleteInstanceVpcEndpointLinkedVpc	`cr:DeleteInstanceVpcEndpointLinkedVpc`	`acs:cr:$regionid:$accountid:instance/$instanceid`	Write
UpdateInstanceEndpointStatus	`cr:UpdateInstanceEndpointStatus`	`acs:cr:$regionid:$accountid:instance/$instanceid`	Write
GetArtifactBuildRule	`cr:GetArtifactBuildRule`	`acs:cr:$regionid:$accountid:instance/$instanceid`	Read
GetPersonalInstanceDomainAccessStatus	`cr:GetPersonalInstanceDomainAccessStatus`	`acs:cr:$regionid:$accountid:instance/$instanceid`	Read
ListRepositoryVulTagCount	`cr:ListRepoVulTagCount`	`acs:cr:$regionid:$accountid:instance/$instanceid`	List

Namespace

API	Action	Resource	Access level
GetNamespace	`cr:GetNamespace`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename`	Read
ListNamespace	`cr:ListNamespace`	`acs:cr:$regionid:$accountid:repository/$instanceid/*`	List
CreateNamespace	`cr:CreateNamespace`	`acs:cr:$regionid:$accountid:repository/$instanceid`	Write
DeleteNamespace	`cr:DeleteNamespace`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename`	Write
UpdateNamespace	`cr:UpdateNamespace`	`acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename`	Write

Repository

API	Action	Resource	Access level
GetRepository	`cr:GetRepository`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`	Read
ListRepository	`cr:ListRepository`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/*`	List
CreateRepository	`cr:CreateRepository`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename`	Write
DeleteRepository	`cr:DeleteRepository`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`	Write
UpdateRepository	`cr:UpdateRepository`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`	Write

Image tags and layers

API	Action	Resource	Access level
GetRepoTagLayers	`cr:GetRepositoryLayers`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`	Read
GetRepoTagManifest	`cr:GetRepositoryManifest`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`	Read
ListRepoTag	`cr:ListRepositoryTag`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`	List
DeleteRepoTag	`cr:DeleteRepositoryTag`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`	Write

Pull, push, and authorization

API	Action	Resource	Access level
GetAuthorizationToken	`cr:GetAuthorizationToken`	`*`	Read
PullRepository	`cr:PullRepository`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`	Read
PushRepository	`cr:PushRepository`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`	Write

Build

API	Action	Resource	Access level
GetRepoBuildRecord	`cr:GetRepositoryBuildRecord`	`acs:cr:$regionid:$accountid:repository/$instanceid`	Read
GetRepoBuildRecordStatus	`cr:GetBuildRepositoryStatus`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`	Read
ListRepoBuildRecord	`cr:ListRepositoryBuild`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`	List
ListRepoBuildRecordLog	`cr:GetRepositoryBuildLog`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`	Read
ListRepoBuildRule	`cr:ListRepositoryBuildRule`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`	List
CancelRepoBuildRecord	`cr:CancelBuildRepository`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`	Write
CreateBuildRecordByRule	`cr:BuildRepositoryByRule`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`	Write
CreateRepoBuildRule	`cr:CreateRepositoryBuildRule`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`	Write
DeleteRepoBuildRule	`cr:DeleteRepositoryBuildRule`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`	Write
UpdateRepoBuildRule	`cr:UpdateRepositoryBuildRule`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`	Write

Sync

API	Action	Resource	Access level
GetRepoSyncTask	`cr:GetRepositorySync`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`	Read
ListRepoSyncRule	`cr:ListSyncRule`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`	List
ListRepoSyncTask	`cr:GetRepositorySync`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`	List
CreateRepoSyncRule	`cr:CreateSyncRule`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`	Write
CreateRepoSyncTaskByRule	`cr:CreateRepositorySync`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`	Write
DeleteRepoSyncRule	`cr:DeleteSyncRule`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`	Write

Triggers (webhooks)

API	Action	Resource	Access level
ListRepoTrigger	`cr:ListWebHook`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`	List
ListRepoTriggerLog	`cr:GetWebHookLog`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`	Read
ListRepoTriggerRecord	`cr:GetWebHookLog`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`	Read
CreateRepoTrigger	`cr:CreateWebHook`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`	Write
DeleteRepoTrigger	`cr:DeleteWebHook`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`	Write
UpdateRepoTrigger	`cr:UpdateWebHook`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`	Write

Vulnerability scanning

API	Action	Resource	Access level
GetRepoTagScanTask	`cr:GetScan`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`	Read
GetScan	`cr:GetScan`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`	Read
GetScanStatus	`cr:GetScanStatus`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`	Read
GetScanCount	`cr:GetScanCount`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`	Read
ListScanResult	`cr:ListScanResult`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`	List
PutScan	`cr:PutScan`	`acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname`	Write

Helm charts

API	Action	Resource	Access level
GetChartNamespace	`cr:GetNamespace`	`acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename`	Read
GetChartRepository	`cr:GetRepository`	`acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname`	Read
ListChartNamespace	`cr:ListNamespace`	`acs:cr:$regionid:$accountid:chart/$instanceid/*`	List
ListChartRelease	`cr:ListChartRelease`	`acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname`	List
ListChartRepository	`cr:ListRepository`	`acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/*`	List
CreateChartNamespace	`cr:CreateNamespace`	`acs:cr:$regionid:$accountid:chart/$instanceid`	Write
DeleteChartNamespace	`cr:DeleteNamespace`	`acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename`	Write
DeleteChartRelease	`cr:DeleteChartRelease`	`acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname`	Write
DeleteChartRepository	`cr:DeleteRepository`	`acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname`	Write
UpdateChartNamespace	`cr:UpdateNamespace`	`acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename`	Write
UpdateChartRepository	`cr:UpdateRepository`	`acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname`	Write
PullChart	`cr:PullChart`	`acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname`	Read
PushChart	`cr:PushChart`	`acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname`	Write