Cross-account instance sync lets you replicate images from an instance in one Alibaba Cloud account to an instance in another. Both manual and automatic synchronization are supported.
This topic covers cross-account image replication. To sync images between instances within the same account, see Sync images within the same account, which does not require account authorization.
Limitations
- The source instance must be a Premium Edition instance. The destination instance can be a Basic or Premium Edition instance.
- Replication from public cloud regions to non-public cloud regions, such as Alibaba Finance Cloud and Alibaba Gov Cloud, is not supported.
- In some regions, only custom sync links are supported due to special restrictions (for example, no public network access for Object Storage Service (OSS) buckets).
How it works
Cross-account instance sync requires configuration in both accounts:
| Account | Role | Action required |
|---|---|---|
| Account B (destination) | Grants permission | Creates a RAM role and access policy that allows Account A to replicate images into its instance |
| Account A (source) | Initiates replication | Creates a sync rule that targets Account B's instance |
This split authorization model means Account B controls which accounts can push images into its instance, and Account A controls when and what to replicate.
Automatically sync instances across accounts
Configure a sync rule in Account A to replicate images automatically whenever they are pushed to the source instance.
Automatic sync applies only to images pushed after the sync rule is created. Images already in the source instance are not replicated.
- Small number of images: Replicate them manually. See Manually sync instances across accounts or the CreateRepoSyncTask API.
- Large number of images: Use the OSS replication + ACR image import approach:
  1. Copy all files from the source instance's OSS bucket to the destination instance's OSS bucket. See Data replication.
  2. Create an import rule, set the migration source to the OSS bucket, and start an image import task.
Before you begin
Gather the following before starting:
- The UIDs of Account A and Account B.
  If either account is a RAM user, use the UID of the Alibaba Cloud account the RAM user belongs to, not the RAM user's own UID.
- The region and ID of the destination instance in Account B. Log on to the Container Registry console. On the Instances page, select the region and click the target Enterprise Edition instance. On the Overview page, find the Instance ID in the Instance Information section.
- Confirm the sync level and naming requirements:

| Sync level | Requirements |
|---|---|
| Namespace | Source and destination instances must have a namespace with the same name. Automatic repository creation must be enabled in the destination namespace. See Create a namespace. |
| Repository | Source and destination instances must have a namespace and an image repository with the same name. |
Step 1: Grant permissions (Account B)
Log on with Account B and perform the following steps to allow Account A to replicate images into Account B's instance.
1. Create a RAM role.
The role name must be exactly aliyuncontainerregistrycrossaccoutsyncrole (including the typo). The sync feature looks up this exact name.
- Log on to the Resource Access Management (RAM) console with Account B.
- In the left navigation pane, choose Identity Management > Roles, then click Create Role.
- Set Principal Type to Cloud Account, specify an Alibaba Cloud account, and click OK.
- Enter aliyuncontainerregistrycrossaccoutsyncrole as the role name, then click OK.
2. Create an access policy.
- In the left navigation pane, choose Permission Management > Policies, then click Create Policy.
- Click the JSON tab. Replace the Resource field values in the policy below with your destination instance details, paste the policy into the editor, and click Next: Edit Basic Information. Enter a Policy Name and a Note.
  The Resource field format is: acs:cr:<region of destination instance>:<UID of Account B>:instance/<ID of destination instance>. If Account B is a RAM user, use the UID of the Alibaba Cloud account the RAM user belongs to.

```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cr:CreateSyncRule",
        "cr:CreateRepositorySync"
      ],
      "Resource": "acs:cr:cn-beijing:151356101970****:instance/cri-4im1o411ls8g****"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cr:CreateSyncRule",
        "cr:CreateRepositorySync"
      ],
      "Resource": "acs:cr:cn-hangzhou:151356101970****:instance/cri-4im1o411ls8gxr****"
    }
  ],
  "Version": "1"
}
```
3. Attach the policy to the RAM role.
- On the Policies page, click the name of the policy you created.
- Click the References tab, then click Add Authorization.
- In the Add Permissions panel, set Authorized Scope to Account Level, set Principal to aliyuncontainerregistrycrossaccoutsyncrole, and click OK.
- Click Close.
4. Update the trust policy of the RAM role.
- In the left navigation pane, choose Identity Management > Roles.
- Click aliyuncontainerregistrycrossaccoutsyncrole.
- Click the Trust Policy tab, then click Edit Trust Policy.
- Replace the Service field value with Account A's UID in the format <UID of Account A>@cr.aliyuncs.com, paste the updated policy into the editor, and click Save Trust Policy. If Account A is a RAM user, use the UID of the Alibaba Cloud account the RAM user belongs to.

```json
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "125287961064****@cr.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
```
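As an added example (not part of the original documentation or Alibaba Cloud's own code), the following Python builds the two policy documents from Step 1 and audits them for anything broader than the templates above: extra actions, wildcard or foreign resources, and trust principals other than Account A. The function names, the regex patterns and the sample UIDs and instance ID are assumptions made for illustration.

```python
import re

# The only two actions the page's access policy grants.
SYNC_ACTIONS = {"cr:CreateSyncRule", "cr:CreateRepositorySync"}
# Assumption: patterns derived from the Resource and Service formats shown on the page.
ARN_RE = re.compile(r"^acs:cr:[a-z0-9-]+:\d+:instance/cri-[a-z0-9]+$")
PRINCIPAL_RE = re.compile(r"^\d+@cr\.aliyuncs\.com$")

def build_access_policy(uid_b, instances):
    """instances: (region, instance_id) pairs owned by Account B."""
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": sorted(SYNC_ACTIONS),
         "Resource": f"acs:cr:{region}:{uid_b}:instance/{iid}"}
        for region, iid in instances]}

def build_trust_policy(uid_a):
    return {"Version": "1", "Statement": [
        {"Action": "sts:AssumeRole", "Effect": "Allow",
         "Principal": {"Service": [f"{uid_a}@cr.aliyuncs.com"]}}]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit(access, trust, uid_a, uid_b):
    """Return findings where either policy is broader than the page's templates."""
    findings = []
    for st in access["Statement"]:
        extra = set(as_list(st["Action"])) - SYNC_ACTIONS
        if extra:
            findings.append(f"actions beyond sync: {sorted(extra)}")
        for res in as_list(st["Resource"]):
            if not ARN_RE.match(res):
                findings.append(f"resource is not a single instance: {res}")
            elif res.split(":")[3] != uid_b:
                findings.append(f"resource outside Account B: {res}")
    for st in trust["Statement"]:
        principal = st.get("Principal", {})
        if set(principal) != {"Service"}:
            findings.append(f"unexpected principal types: {sorted(principal)}")
        for svc in as_list(principal.get("Service", [])):
            if not PRINCIPAL_RE.match(svc):
                findings.append(f"malformed service principal: {svc}")
            elif svc.split("@")[0] != uid_a:
                findings.append(f"trusts an account other than Account A: {svc}")
    return findings

# Constructed sample values, not real accounts or instances.
UID_A, UID_B = "1000000000000001", "2000000000000002"
ACCESS = build_access_policy(UID_B, [("cn-beijing", "cri-exampleinstance01")])
TRUST = build_trust_policy(UID_A)
```

An empty list from `audit(ACCESS, TRUST, UID_A, UID_B)` means both documents grant only what Step 1 describes; any finding is worth resolving before Account B saves the policies.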
Step 2: Create a sync rule (Account A)
- Log on to the Container Registry console with Account A.
- In the top navigation bar, select a region.
- In the left navigation pane, click Instances.
- Click the Enterprise Edition instance you want to manage.
- In the left navigation pane, go to Distribution > Instance Sync, then click Create Rule.
- In the Instance Information step, set the following parameters and click Next.

| Parameter | Description |
|---|---|
| Rule name | Enter a name for the sync rule. |
| Sync scenario | Select Cross-account. |
| Destination UID | Enter the UID of the account that owns the destination instance. |
| Destination instance | Select the destination instance's region and enter its instance ID. |

- In the Sync Information step, set Sync Level to either namespace or repository. Select the target namespace or repository, set a filtering rule for the image version, and click Create Sync Rule.
Verify automatic sync
Go to Distribution > Sync Records. If the sync task status shows Successful and the image is available in the destination instance, the sync rule is working correctly.
Manually sync instances across accounts
Manually trigger image replication from Account A's instance to Account B's instance for individual image versions.
Before you begin
Complete the steps in Before you begin and Step 1: Grant permissions (Account B). Account permissions must be configured before manual replication can proceed.
Replicate an image
- Log on to the Container Registry console with Account A.
- In the top navigation bar, select a region.
- In the left navigation pane, click Instances.
- Click the Enterprise Edition instance you want to manage.
- In the left navigation pane, go to Repository > Repositories.
- Click the name of the target image repository.
- In the left navigation pane, click Image Versions. Find the target image and click Sync in the Actions column.
- In the Image Sync dialog box, set Sync Scenario to Cross-account. Enter the destination account UID, destination instance ID, destination namespace, destination repository name, and image version. Click OK.
Verify manual sync
Go to Distribution > Sync Records. If the status shows Successful and the image is available in the destination instance, the replication completed successfully.
What's next
- To upgrade a Basic Edition instance to Premium Edition, click Upgrade in the lower-right corner of the instance card on the Container Registry console.
- To sync images across regions within the same account, see Sync images within the same account.