Use Resource Access Management (RAM) to grant RAM users different levels of access to image repositories in Container Registry. For temporary access, use Security Token Service (STS) to issue short-lived credentials.
Prerequisites
Before you begin, ensure that you have:
- A RAM user created under your Alibaba Cloud account. See Create a RAM user.
Background
By default, an Alibaba Cloud account has full access to all resources it owns. RAM and STS let you grant scoped permissions on image resources to RAM users — either persistently or temporarily — without sharing your account credentials.
Before configuring authorization policies, read the RAM documentation.
After you configure authorization policies for a RAM user, the RAM user must log on to the Container Registry console, create a Container Registry Personal Edition instance, and set a registry password before they can access images.
Security best practices
Follow the principle of least privilege: grant only the permissions a RAM user needs to complete their task.
- Start with system policies. The built-in system policies cover the most common use cases. Move to custom policies only when you need finer-grained control.
- Avoid AdministratorAccess for container workloads. A RAM user with AdministratorAccess has full access to all Container Registry resources, overriding any other permission boundaries.
Choose a policy type
| Scenario | Recommended policy |
|---|---|
| Grant full or read-only access across all repositories | System policy |
| Restrict access to a specific namespace or repository | Custom policy |
Attach a system policy to a RAM user
Container Registry includes two built-in system policies:
- AliyunContainerRegistryFullAccess — grants the same permissions as the Alibaba Cloud account owner. The RAM user can perform all operations on all image resources.

  {
    "Statement": [
      {
        "Action": "cr:*",
        "Effect": "Allow",
        "Resource": "*"
      }
    ],
    "Version": "1"
  }

- AliyunContainerRegistryReadOnlyAccess — grants read-only access to all image resources. The RAM user can view the repository list and pull images.

  {
    "Statement": [
      {
        "Action": [
          "cr:Get*",
          "cr:List*",
          "cr:PullRepository"
        ],
        "Effect": "Allow",
        "Resource": "*"
      }
    ],
    "Version": "1"
  }
The following steps attach AliyunContainerRegistryReadOnlyAccess to a RAM user as an example. Repeat the same steps to attach AliyunContainerRegistryFullAccess.
- Log on to the RAM console as a RAM administrator.
- In the left-side navigation pane, choose Identities > Users.
- On the Users page, find the target RAM user and click Add Permissions in the Actions column. To grant permissions to multiple RAM users at once, select them and click Add Permissions at the bottom of the page.
- In the Grant Permission panel, configure the following settings:
  - Set Resource Scope:
    - Account — permissions apply to the current Alibaba Cloud account.
    - ResourceGroup — permissions apply to a specific resource group. Make sure Container Registry supports resource groups. See Services that work with Resource Group.
  - Confirm the principal (the RAM user to receive permissions). By default, this is the RAM user you selected. Change it if needed.
  - In the Policy search box, enter AliyunContainerRegistryReadOnlyAccess and select the policy from the results.
  - Click Grant permissions.
- Click Close.
Create and attach a custom policy
Use custom policies when you need permissions scoped to a specific namespace or repository.
How permissions are scoped
All resource-level permissions in Container Registry use the Alibaba Cloud Resource Name (ARN) format:
| Resource | ARN format |
|---|---|
| repository | acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname |

| Parameter | Description |
|---|---|
| regionid | The region ID. Use * to match all regions. |
| accountid | The Alibaba Cloud account ID. Use * to match any account. |
| namespacename | The namespace name. |
| repositoryname | The repository name. |
Policy examples
The following examples cover three common scenarios. Pick the one that matches your use case and adjust the namespace or repository name before creating the policy.
Scenario 1: Read access to a namespace
Grants a RAM user permission to pull all images in the juzhong namespace and view namespace and repository metadata via API.
{
"Statement": [
{
"Action": [
"cr:Get*",
"cr:List*",
"cr:PullRepository"
],
"Effect": "Allow",
"Resource": [
"acs:cr:*:*:repository/juzhong/*"
]
}
],
"Version": "1"
}
With this policy, the RAM user can pull images from juzhong but cannot see other namespaces in the Container Registry console. To allow the RAM user to view all namespaces and repositories in the console (while still pulling only from juzhong), add the following statement to the policy:
{
"Action": [
"cr:ListNamespace",
"cr:ListRepository"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
Scenario 2: Full access to a single repository
Grants a RAM user full control over the nginx repository in the juzhong namespace, China (Hangzhou) region.
{
"Statement": [
{
"Action": [
"cr:*"
],
"Effect": "Allow",
"Resource": [
"acs:cr:cn-hangzhou:*:repository/juzhong/nginx"
]
},
{
"Action": [
"cr:Get*",
"cr:List*"
],
"Effect": "Allow",
"Resource": [
"acs:cr:*:*:repository/juzhong"
]
}
],
"Version": "1"
}
To let the RAM user manage repositories in the Container Registry console, add the console-visibility statement from Scenario 1.
Scenario 3: Full access to a namespace
Grants a RAM user full control over the juzhong namespace in the China (Hangzhou) region.
This configuration takes effect only via API. To view repositories in the Container Registry console, add the console-visibility statement from Scenario 1.
{
"Statement": [
{
"Action": [
"cr:*"
],
"Effect": "Allow",
"Resource": [
"acs:cr:cn-hangzhou:*:repository/juzhong",
"acs:cr:cn-hangzhou:*:repository/juzhong/*"
]
}
],
"Version": "1"
}
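To make the ARN scoping used in the three scenarios above (and the parameter table in How permissions are scoped) concrete, here is an added Python matcher. It is example code, not Alibaba Cloud's policy evaluation engine: it assumes that `*` is the only wildcard in Action and Resource values and that a matching Deny statement overrides Allow, and the account ID in the sample ARN is constructed.

```python
import json
import re

# Constructed sample: the Scenario 1 policy from this page plus the optional
# console-visibility statement (ListNamespace/ListRepository on "*").
SCENARIO_1_POLICY = json.loads("""
{
  "Statement": [
    {"Action": ["cr:Get*", "cr:List*", "cr:PullRepository"],
     "Effect": "Allow", "Resource": ["acs:cr:*:*:repository/juzhong/*"]},
    {"Action": ["cr:ListNamespace", "cr:ListRepository"],
     "Effect": "Allow", "Resource": ["*"]}
  ],
  "Version": "1"
}
""")


def glob_match(pattern: str, value: str) -> bool:
    """Match a policy Action or Resource pattern against a concrete value.
    Assumption: '*' is the only wildcard and may span any characters,
    including ':' and '/'; everything else is compared literally."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    # Action and Resource may be a single string or a list of strings.
    return v if isinstance(v, list) else [v]


def is_allowed(policy: dict, action: str, resource_arn: str) -> bool:
    """Simplified evaluator (not the RAM engine): a matching Deny statement
    wins; otherwise the request is allowed only if at least one Allow
    statement matches both the action and the resource ARN."""
    allowed = False
    for stmt in policy["Statement"]:
        hit_action = any(glob_match(a, action) for a in _as_list(stmt["Action"]))
        hit_resource = any(glob_match(r, resource_arn) for r in _as_list(stmt["Resource"]))
        if not (hit_action and hit_resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    nginx = "acs:cr:cn-hangzhou:123456:repository/juzhong/nginx"  # constructed ARN
    print(is_allowed(SCENARIO_1_POLICY, "cr:PullRepository", nginx))    # True
    print(is_allowed(SCENARIO_1_POLICY, "cr:DeleteRepository", nginx))  # False
    # A namespace ARN without "/*" does not cover its repositories (Scenario 3 lists both).
    print(glob_match("acs:cr:cn-hangzhou:*:repository/juzhong", nginx))  # False
```

Run it against a policy you are about to create to confirm that the Resource patterns cover exactly the namespaces and repositories you intend, and nothing else.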
Step 1: Create the custom policy
- Log on to the Resource Access Management (RAM) console with your Alibaba Cloud account.
- In the left-side navigation pane, choose Permissions > Policies.
- On the Policies page, click Create Policy.
- On the Create Policy page, click the JSON tab and paste your policy document into the editor. For the Action and Resource parameter syntax, see Authentication rules for Container Registry. For general policy syntax, see Policy structure and syntax.
- Click OK. In the Create Policy dialog box, configure the Policy Name and Description parameters.
Step 2: Attach the policy to a RAM user
- In the left-side navigation pane, choose Identities > Users.
- On the Users page, find the target RAM user and click Add Permissions in the Actions column.
- In the Grant Permission panel:
  - Set the authorization scope (Account or ResourceGroup).
    > Note: If you select ResourceGroup, make sure Container Registry supports resource groups. See Services that work with Resource Group.
  - Confirm the principal (the RAM user to receive permissions).
  - From the All Types drop-down list, select Custom Policy. Search for your policy by name and select it.
  - Click Grant permissions.
- Click Close.
Authentication rules for Container Registry
When writing custom policies, use the ARN format described in How permissions are scoped to identify the Resource. Use cr:-prefixed action names in the Action field.
Common action patterns:
| Action | Description |
|---|---|
| cr:* | All operations |
| cr:Get* | All read (Get) operations |
| cr:List* | All list operations |
| cr:PullRepository | Pull images from a repository |
| cr:ListNamespace | List namespaces |
| cr:ListRepository | List repositories |