Alibaba Cloud allows you to use Resource Access Management (RAM) and Security Token Service (STS) to control access to repositories in a flexible and secure way. This topic describes how to configure access control for repositories in different scenarios.

Prerequisites

A RAM user is created by using your Alibaba Cloud account. For more information, see Create a RAM user.

Background information

By default, an Alibaba Cloud account has full access permissions on the resources that belong to the account. You can use RAM and STS to grant different permissions on image resources to different RAM users and provide temporary access permissions. Before you configure authorization policies, read RAM documentation.
Notice After you configure authorization policies for a RAM user, you must use the RAM user to log on to the Container Registry console, create a Personal Edition instance, and set a password for the Container Registry instance before you can view the images on which the RAM user has permissions.

RAM authorization

When you authorize a RAM user, pay attention to the following instructions to make sure that you do not grant excessive permissions to the RAM user.

If you attach the AdministratorAccess policy to a RAM user, the user receives management permissions on all Alibaba Cloud resources. In this case, the RAM user has all permissions on Container Registry, regardless of which Container Registry permissions the user was granted before.

Attach system policies to a RAM user

By default, the AliyunContainerRegistryFullAccess and AliyunContainerRegistryReadOnlyAccess policies are created for Container Registry. You can directly attach the policies to a RAM user. The following part describes the two system policies:
  • AliyunContainerRegistryFullAccess

    This policy grants a RAM user the same permissions on image resources as those of an Alibaba Cloud account. The RAM user can perform all operations on image resources.

    {
      "Statement": [
        {
          "Action": "cr:*",
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }
  • AliyunContainerRegistryReadOnlyAccess

    This policy grants a RAM user the read-only permissions on all image resources. For example, the RAM user can view the repository list and pull images.

    {
      "Statement": [
        {
          "Action": [
            "cr:Get*",
            "cr:List*",
            "cr:Pull*"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }

The following example shows how to attach the AliyunContainerRegistryReadOnlyAccess policy to a RAM user:

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, grant permissions to the RAM user.
    1. Select the authorization scope.
      • Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
      • Specific Resource Group: The authorization takes effect on a specific resource group.
        Note If you select Specific Resource Group as the authorization scope, make sure that the Alibaba Cloud service supports resource groups. For more information, see Services that work with Resource Group.
    2. Specify the principal.
      The principal is the RAM user to which you want to grant permissions. By default, the current RAM user is specified. You can also specify another RAM user.
    3. In the Select Policy section, click System Policy, enter AliyunContainerRegistryReadOnlyAccess in the field, and then click AliyunContainerRegistryReadOnlyAccess.
    4. Click OK.
  5. Click Complete.

Attach custom policies to a RAM user

If you want to enforce fine-grained control on permissions, you can create custom policies and attach them to RAM users. The following example shows how to attach a custom policy by granting a RAM user read and write permissions on one namespace of a Container Registry Enterprise Edition instance.

  1. Create a custom policy.
    1. Use your Alibaba Cloud account to log on to the RAM console.
    2. In the left-side navigation pane, choose Permissions > Policies.
    3. On the Policies page, click Create Policy.
    4. On the Create Policy page, click the JSON tab, copy the following policy content to the code editor, and then replace $instanceid and $namespace in the policy content with the ID of your instance and the name of your namespace. Click Next to edit basic information.
      If you want to grant more permissions to a RAM user, configure the Action and Resource parameters by referring to Authentication rules for Container Registry when you edit the policy content. For more information about the policy syntax, see Policy structure and syntax.
      Note The asterisk (*) is used as a wildcard. For example, if you set the Action parameter to cr:ListInstance*, RAM grants the RAM user the permissions to perform all actions whose names start with cr:ListInstance. If you replace acs:cr:*:*:repository/$instanceid/$namespace/* with acs:cr:*:*:repository/cri-123456/ns/*, RAM grants the RAM user all permissions on the ns namespace of the instance whose ID is cri-123456, in all regions, because the asterisk in the region position matches every region.
      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "cr:ListInstance*",
                      "cr:GetInstance*",
                      "cr:ListSignature*"
                  ],
                  "Resource": "*"
              },
              {
                  "Action": [
                      "cr:*"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                      "acs:cr:*:*:repository/$instanceid/$namespace/*",
                      "acs:cr:*:*:repository/$instanceid/$namespace"
                  ]
              },
              {
                  "Action": [
                      "cr:List*"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                      "acs:cr:*:*:repository/$instanceid/*",
                      "acs:cr:*:*:repository/$instanceid/*/*"
                  ]
              }
          ],
          "Version": "1"
      }
    5. Enter values for the Name and Note parameters.
    6. Click OK.
  2. Attach the custom policy to a RAM user.
    1. Log on to the RAM console by using your Alibaba Cloud account.
    2. In the left-side navigation pane, choose Identities > Users.
    3. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
    4. In the Add Permissions panel, grant permissions to the RAM user.
      1. Select the authorization scope.
        • Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
        • Specific Resource Group: The authorization takes effect on a specific resource group.
          Note If you select Specific Resource Group as the authorization scope, make sure that the Alibaba Cloud service supports resource groups. For more information, see Services that work with Resource Group.
      2. Specify the principal.

        The principal is the RAM user to which you want to grant permissions. By default, the current RAM user is specified. You can also specify another RAM user.

      3. In the Select Policy section, click Custom Policy, enter the name of the custom policy in the field, and then click the custom policy.
      4. Click OK.
    5. Click Complete.
  3. Log on to the Container Registry console as a RAM user.
    In the Container Registry console, you can perform operations such as building images in, pushing images to, and pulling images from the namespaces on which you have been granted permissions.

Authentication rules for Container Registry

  • ARN format
    The following table describes the Alibaba Cloud Resource Name (ARN) format in an authorization policy when you use RAM to authorize access to the resources.
    Resource type ARN format in an authorization policy
    * acs:cr:$regionid:$accountid:*
    instance acs:cr:$regionid:$accountid:instance/$instanceid
    repository acs:cr:$regionid:$accountid:repository/$instanceid/*
    repository acs:cr:$regionid:$accountid:repository/$instanceid
    repository acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/*
    repository acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    repository acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename
    chart acs:cr:$regionid:$accountid:chart/$instanceid/*
    chart acs:cr:$regionid:$accountid:chart/$instanceid
    chart acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/*
    chart acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename
    chart acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname

    The following table describes the parameters in the ARN format.
    Parameter Description
    regionid The ID of the region, which can be replaced by asterisks (*).
    accountid The ID of the Alibaba Cloud account, which can be replaced by asterisks (*).
    instanceid The ID of the Container Registry Enterprise Edition instance.
    namespacename The name of the namespace.
    repositoryname The name of the image repository.
    chartnamespacename The name of the chart namespace.
    chartrepositoryname The name of the chart repository.
  • Authorization rules
    When you access the Container Registry API as a RAM user or by using Security Token Service (STS), Container Registry checks whether you have obtained the required permissions. The permissions that Container Registry checks vary based on the resources that are requested by the API operation and the syntax of the API operation. The following table describes the authentication rules for different API operations.
    Note The asterisk (*) is used as a wildcard.
    API operation Action Resource
    GetAuthorizationToken cr:GetAuthorizationToken *
    GetChartNamespace cr:GetNamespace acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename
    GetChartRepository cr:GetRepository acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
    GetInstance cr:GetInstance acs:cr:$regionid:$accountid:instance/$instanceid
    GetInstanceCount cr:ListInstance *
    GetInstanceEndpoint cr:GetInstanceEndpoint acs:cr:$regionid:$accountid:instance/$instanceid
    GetInstanceUsage cr:GetInstanceUsage acs:cr:$regionid:$accountid:instance/$instanceid
    GetInstanceVpcEndpoint cr:GetInstanceVpcEndpoint acs:cr:$regionid:$accountid:instance/$instanceid
    GetNamespace cr:GetNamespace acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename
    GetRepoBuildRecord cr:GetRepositoryBuildRecord acs:cr:$regionid:$accountid:repository/$instanceid
    GetRepoBuildRecordStatus cr:GetBuildRepositoryStatus acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    GetRepoSyncTask cr:GetRepositorySync acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    GetRepoTagLayers cr:GetRepositoryLayers acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    GetRepoTagManifest cr:GetRepositoryManifest acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    GetRepoTagScanTask cr:GetScan acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    GetRepository cr:GetRepository acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListChartNamespace cr:ListNamespace acs:cr:$regionid:$accountid:chart/$instanceid/*
    ListChartRelease cr:ListChartRelease acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
    ListChartRepository cr:ListRepository acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/*
    ListInstance cr:ListInstance *
    ListInstanceEndpoint cr:ListInstanceEndpoint acs:cr:$regionid:$accountid:repository/$instanceid
    ListNamespace cr:ListNamespace acs:cr:$regionid:$accountid:repository/$instanceid/*
    ListRepoBuildRecord cr:ListRepositoryBuild acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoBuildRecordLog cr:GetRepositoryBuildLog acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoBuildRule cr:ListRepositoryBuildRule acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoSyncRule cr:ListSyncRule acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoSyncTask cr:GetRepositorySync acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoTag cr:ListRepositoryTag acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoTrigger cr:ListWebHook acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoTriggerLog cr:GetWebHookLog acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoTriggerRecord cr:GetWebHookLog acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepository cr:ListRepository acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/*
    CancelRepoBuildRecord cr:CancelBuildRepository acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    CreateBuildRecordByRule cr:BuildRepositoryByRule acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    CreateChartNamespace cr:CreateNamespace acs:cr:$regionid:$accountid:chart/$instanceid
    CreateInstanceEndpointAclPolicy cr:CreateInstanceEndpointAclPolicy acs:cr:$regionid:$accountid:instance/$instanceid
    CreateInstanceVpcEndpointLinkedVpc cr:CreateInstanceVpcEndpointLinkedVpc acs:cr:$regionid:$accountid:instance/$instanceid
    CreateNamespace cr:CreateNamespace acs:cr:$regionid:$accountid:repository/$instanceid
    CreateRepoBuildRule cr:CreateRepositoryBuildRule acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    CreateRepoSyncRule cr:CreateSyncRule acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    CreateRepoSyncTaskByRule cr:CreateRepositorySync acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    CreateRepoTrigger cr:CreateWebHook acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    CreateRepository cr:CreateRepository acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename
    DeleteChartNamespace cr:DeleteNamespace acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename
    DeleteChartRelease cr:DeleteChartRelease acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
    DeleteChartRepository cr:DeleteRepository acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
    DeleteInstanceEndpointAclPolicy cr:DeleteInstanceEndpointAclPolicy acs:cr:$regionid:$accountid:instance/$instanceid
    DeleteInstanceVpcEndpointLinkedVpc cr:DeleteInstanceVpcEndpointLinkedVpc acs:cr:$regionid:$accountid:instance/$instanceid
    DeleteNamespace cr:DeleteNamespace acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename
    DeleteRepoBuildRule cr:DeleteRepositoryBuildRule acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    DeleteRepoSyncRule cr:DeleteSyncRule acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    DeleteRepoTag cr:DeleteRepositoryTag acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    DeleteRepoTrigger cr:DeleteWebHook acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    DeleteRepository cr:DeleteRepository acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    UpdateChartNamespace cr:UpdateNamespace acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename
    UpdateChartRepository cr:UpdateRepository acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
    UpdateInstanceEndpointStatus cr:UpdateInstanceEndpointStatus acs:cr:$regionid:$accountid:instance/$instanceid
    UpdateNamespace cr:UpdateNamespace acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename
    UpdateRepoBuildRule cr:UpdateRepositoryBuildRule acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    UpdateRepoTrigger cr:UpdateWebHook acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    UpdateRepository cr:UpdateRepository acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    PullRepository cr:PullRepository acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    PushRepository cr:PushRepository acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    PullChart cr:PullChart acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
    PushChart cr:PushChart acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
    PutScan cr:PutScan acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    GetScan cr:GetScan acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    GetScanStatus cr:GetScanStatus acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListScanResult cr:ListScanResult acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    GetScanCount cr:GetScanCount acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
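The following added example (not part of the Alibaba Cloud documentation) ties the namespace-scoped custom policy above to the authentication rules in this table: it substitutes the page's placeholder values (cri-123456, ns) into the policy, looks up the action and resource ARN that Container Registry checks for a given API operation, and evaluates whether an Allow statement covers both. The region and account ID used in the requests are constructed sample values; only a subset of the rule table is embedded.

```python
import json
import re

# Constructed sample: the page's custom policy with $instanceid / $namespace
# replaced by the placeholder values the page itself uses (cri-123456 / ns).
POLICY = json.loads("""{
  "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["cr:ListInstance*", "cr:GetInstance*", "cr:ListSignature*"]},
    {"Effect": "Allow", "Action": ["cr:*"],
     "Resource": ["acs:cr:*:*:repository/cri-123456/ns/*",
                  "acs:cr:*:*:repository/cri-123456/ns"]},
    {"Effect": "Allow", "Action": ["cr:List*"],
     "Resource": ["acs:cr:*:*:repository/cri-123456/*",
                  "acs:cr:*:*:repository/cri-123456/*/*"]}
  ],
  "Version": "1"
}""")

# Subset of the page's authentication rules: API operation -> (action, ARN template).
AUTH_RULES = {
    "PushRepository": ("cr:PushRepository", "acs:cr:{region}:{account}:repository/{instance}/{ns}/{repo}"),
    "PullRepository": ("cr:PullRepository", "acs:cr:{region}:{account}:repository/{instance}/{ns}/{repo}"),
    "ListNamespace": ("cr:ListNamespace", "acs:cr:{region}:{account}:repository/{instance}/*"),
    "CreateNamespace": ("cr:CreateNamespace", "acs:cr:{region}:{account}:repository/{instance}"),
    "ListInstanceEndpoint": ("cr:ListInstanceEndpoint", "acs:cr:{region}:{account}:repository/{instance}"),
    "GetInstance": ("cr:GetInstance", "acs:cr:{region}:{account}:instance/{instance}"),
}

def arn_match(pattern, value):
    """Only '*' is a wildcard in actions and ARNs here; it may span '/' segments."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def is_allowed(policy, operation, region="cn-hangzhou", account="1234567890",
               instance="cri-123456", ns="", repo=""):
    """True if an Allow statement covers both the action and the resource that
    Container Registry checks for `operation` (the policies here are allow-only)."""
    action, template = AUTH_RULES[operation]
    resource = template.format(region=region, account=account, instance=instance, ns=ns, repo=repo)
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if (st["Effect"] == "Allow"
                and any(arn_match(a, action) for a in actions)
                and any(arn_match(r, resource) for r in resources)):
            return True
    return False

if __name__ == "__main__":
    print(is_allowed(POLICY, "PushRepository", ns="ns", repo="app"))     # True
    print(is_allowed(POLICY, "PushRepository", ns="other", repo="app"))  # False
    print(is_allowed(POLICY, "CreateNamespace"))                         # False
    print(is_allowed(POLICY, "GetInstance", instance="cri-999999"))      # True
```

The last check shows the price of the first statement's Resource "*": instance metadata of every instance is readable, while creating a namespace stays denied because no statement covers cr:CreateNamespace on repository/cri-123456.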