Container Registry allows you to replicate images between instances that belong to different Alibaba Cloud accounts. You can configure manual and automatic image replication between Container Registry instances that belong to different accounts regardless of the regions where the instances are deployed. This topic describes how to configure manual and automatic image replication between Container Registry instances that belong to different Alibaba Cloud accounts.

Prerequisites

The source instance is a Container Registry Advanced Edition instance. You cannot replicate images from a Container Registry Basic Edition instance. The destination instance can be a Container Registry Basic Edition or an Advanced Edition instance.
Note To upgrade a Container Registry Enterprise Edition instance, find the instance on the Instances page and click Upgrade in the lower-right corner.

Background information

You can configure replication between instances that belong to different Alibaba Cloud accounts, and you can perform the configuration as an Alibaba Cloud account or as a Resource Access Management (RAM) user.

Automatically replicate images

You can configure a replication rule to automate image replication between two instances that belong to different accounts. After you upload an image to the source instance, the system automatically replicates the image to the destination instance. In this example, the source instance belongs to Account A and the destination instance belongs to Account B.

Important Only images that are uploaded after the replication rule is configured can be automatically replicated between instances that belong to different accounts. Preexisting images cannot be replicated. For information about how to replicate preexisting images between instances that belong to different accounts, see Manually replicate images and CreateRepoSyncTask.

Preparations

You must obtain the following information before you set up replication between instances that belong to different accounts:

  • The IDs of Account A and Account B.
    Note If your account is a RAM user, you must obtain the ID of the Alibaba Cloud account to which the RAM user belongs.
  • The region where the destination instance is deployed and the ID of the destination instance.
    Log on to the Container Registry console, select the region in the top navigation bar of the Instances page, and click the Container Registry Enterprise Edition instance that you want to use as the destination instance. On the Overview page, you can find the region and ID of the instance in the Instance section.
  • Whether to replicate by namespace or by repository. Images can be automatically replicated between instances that belong to different accounts at either level:
    • To replicate images by namespace, the source instance and the destination instance must have a namespace with the same name, and automatic repository creation must be enabled for the namespace of the destination instance. For more information about how to automatically create repositories, see Create a namespace.
    • To replicate images by repository, the source instance and the destination instance must have a repository with the same name in a namespace with the same name.

Step 1: Grant permissions to Account A

You must log on to the RAM console by using Account B and grant Account A the permissions to replicate images to instances that belong to Account B.

  1. Create a RAM role named aliyuncontainerregistrycrossaccoutsyncrole.
    Note You must set the name of the RAM role to aliyuncontainerregistrycrossaccoutsyncrole.
    1. Log on to the RAM console by using Account B.
    2. In the left-side navigation pane, choose Identities > Roles. On the right side of the page, click Create Role.
    3. On the Select Role Type wizard page, select Alibaba Cloud Account as the trusted entity and click Next.
    4. On the Configure Role wizard page, set RAM Role Name to aliyuncontainerregistrycrossaccoutsyncrole and click OK.
    5. On the Finish wizard page, click Close.
  2. Create a policy.
    1. In the left-side navigation pane of the RAM console, choose Permissions > Policies. On the right side of the page, click Create Policy.
    2. On the Create Custom Policy page, specify the Policy Name parameter, set Configuration Mode to Script, paste the following content into the code editor, and replace the Resource value with your actual value. Then, click OK.
      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "cr:CreateSyncRule",
                      "cr:CreateRepositorySync"
                  ],
                  "Resource": "acs:cr:cn-beijing:151356101970****:instance/cri-4im1o411ls8g****"
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "cr:CreateSyncRule",
                      "cr:CreateRepositorySync"
                  ],
                  "Resource": "acs:cr:cn-hangzhou:151356101970****:instance/cri-4im1o411ls8gxr****"
              }
          ],
          "Version": "1"
      }
      Resource: the resource that you want to authorize Account A to access. Specify the resource in the following format: acs:cr:<region where the destination instance of Account B is deployed>:<ID of Account B>:instance/<ID of the destination instance of Account B>.
      Note If Account B is a RAM user, set the ID of Account B in the Resource field to the ID of the Alibaba Cloud account to which the RAM user belongs.
  3. Attach the policy to the aliyuncontainerregistrycrossaccoutsyncrole role.
    1. On the Policies page, search for the policy that you created and click the name of the policy.
    2. On the page that appears, click the References tab. Then, click Grant Permission.
    3. In the Add Permissions panel, set Authorized Scope to Alibaba Cloud Account, select aliyuncontainerregistrycrossaccoutsyncrole as Principal, and click Custom Policy. Search for the policy that you created and click its name in the search result. Then, click OK.
    4. Click Complete.
  4. Modify the trust policy of aliyuncontainerregistrycrossaccoutsyncrole.
    1. In the left-side navigation pane of the RAM console, choose Identities > Roles.
    2. Search for aliyuncontainerregistrycrossaccoutsyncrole and click the role name in the search result.
    3. Click the Trust Policy Management tab. Then, click Edit Trust Policy.
    4. In the Edit Trust Policy panel, paste the following content into the code editor and replace the Service value with your actual value. Then, click OK.
      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "125287961064****@cr.aliyuncs.com"
              ]
            }
          }
        ],
        "Version": "1"
      }
      Service: the principal to which you want to grant permissions. Specify the service in the following format: <ID of Account A>@cr.aliyuncs.com.
      Note If Account A is a RAM user, set the ID of Account A in the Service field to the ID of the Alibaba Cloud account to which the RAM user belongs.
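The two documents in Step 1 are easy to get wrong by hand (a stray "*" in Resource, or a Service entry that trusts the wrong account), and either mistake widens what Account A can do inside Account B. The following Python script is an added example, not Alibaba Cloud's code: it builds the permission policy and the trust policy from the account IDs, regions and instance IDs, and audits an existing document against the formats Step 1 requires. All IDs in it are constructed placeholders; the 16-digit account ID and the cri- instance ID patterns are assumptions about the ID formats.

```python
"""Build and audit the two RAM documents from Step 1: the permission policy
attached to the role in Account B and the role's trust policy.

Added example, not Alibaba Cloud's code. All IDs below are constructed
placeholders. Assumptions: an Alibaba Cloud account ID is 16 digits and a
Container Registry instance ID has the form cri-<alphanumerics>.
"""
import json
import re

# The only two actions Step 1 grants to Account A.
SYNC_ACTIONS = {"cr:CreateSyncRule", "cr:CreateRepositorySync"}
ROLE_NAME = "aliyuncontainerregistrycrossaccoutsyncrole"  # fixed name required by the topic

# Formats stated in Step 1 (the digit and alphanumeric patterns are assumptions).
RESOURCE_RE = re.compile(
    r"^acs:cr:(?P<region>[a-z0-9-]+):(?P<account>\d{16}):instance/(?P<instance>cri-[a-z0-9]+)$")
SERVICE_RE = re.compile(r"^(?P<account>\d{16})@cr\.aliyuncs\.com$")

# Constructed sample values (not real accounts or instances).
ACCOUNT_A = "1252879610640000"
ACCOUNT_B = "1513561019700000"
DESTINATIONS = [("cn-beijing", "cri-4im1o411ls8g0000"), ("cn-hangzhou", "cri-4im1o411ls8gxr00")]


def build_permission_policy(account_b, destinations):
    """One Allow statement per destination instance (region, instance ID) owned
    by Account B, limited to the two sync actions."""
    return {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": sorted(SYNC_ACTIONS),
                "Resource": f"acs:cr:{region}:{account_b}:instance/{instance_id}",
            }
            for region, instance_id in destinations
        ],
        "Version": "1",
    }


def build_trust_policy(account_a):
    """Trust policy that lets Container Registry acting for Account A assume the role."""
    return {
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": [f"{account_a}@cr.aliyuncs.com"]},
        }],
        "Version": "1",
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def audit_permission_policy(policy, account_b):
    """Return findings for any Allow statement broader than Step 1's example:
    actions beyond the sync pair, or resources not scoped to one of Account B's
    instances. An empty list means the policy is as tight as the page's."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action")):
            if action not in SYNC_ACTIONS:
                findings.append(f"statement {i}: unexpected action {action}")
        for resource in _as_list(st.get("Resource")):
            m = RESOURCE_RE.match(resource)
            if not m:
                findings.append(f"statement {i}: resource not instance-scoped: {resource}")
            elif m.group("account") != account_b:
                findings.append(f"statement {i}: resource belongs to account {m.group('account')}, not {account_b}")
    return findings


def audit_trust_policy(policy, account_a):
    """Return findings unless every Allow statement trusts only
    <ID of Account A>@cr.aliyuncs.com for sts:AssumeRole."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action")):
            if action != "sts:AssumeRole":
                findings.append(f"statement {i}: unexpected action {action}")
        principal = st.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"Service"}:
            findings.append(f"statement {i}: principal is not a single Service entry: {principal!r}")
            continue
        for service in _as_list(principal["Service"]):
            m = SERVICE_RE.match(service)
            if not m:
                findings.append(f"statement {i}: service is not <account>@cr.aliyuncs.com: {service}")
            elif m.group("account") != account_a:
                findings.append(f"statement {i}: trusts account {m.group('account')}, not {account_a}")
    return findings


if __name__ == "__main__":
    policy = build_permission_policy(ACCOUNT_B, DESTINATIONS)
    trust = build_trust_policy(ACCOUNT_A)
    print(json.dumps(policy, indent=2))  # paste as the custom policy in Step 1
    print(json.dumps(trust, indent=2))   # paste as the trust policy of ROLE_NAME
    print("permission findings:", audit_permission_policy(policy, ACCOUNT_B))
    print("trust findings:", audit_trust_policy(trust, ACCOUNT_A))
```

Run it once to print both documents for pasting, or point the two audit functions at a policy you export from the RAM console: a non-empty findings list means the role grants more than cross-account replication needs. The audit deliberately checks only Allow statements and treats a Principal that is not a single Service map as a finding, because the page's trust policy never uses a wildcard or RAM-user principal.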

Step 2: Create a replication rule

  1. Log on to the Container Registry console by using Account A.
  2. In the top navigation bar, select a region.
  3. In the left-side navigation pane, click Instances.
  4. On the Instances page, click the required Container Registry Enterprise Edition instance.
  5. On the management page of your Container Registry Enterprise Edition instance, choose Distribution > Instance Replication in the left-side navigation pane. Then, click Create Rule on the right side of the page.
  6. In the Create Rule dialog box, set the parameters on the Instance Information wizard page and click Next.
    Parameter                 Description
    Rule Name                 Enter a name for the replication rule.
    Synchronization Scenario  Set Synchronization Scenario to Across Accounts.
    Destination UID           Enter the ID of the account to which the destination instance belongs.
    Destination Instance      Select the region where the destination instance is deployed and enter the ID of the destination instance.
  7. On the Replication Information wizard page, set Replication Level to Namespace or Repository, select the namespace or repository, and enter a regular expression to filter repository versions. Then, click Create Rule.
    To verify the result, go to the management page of the Container Registry Enterprise Edition instance and choose Distribution > Replication Record. On the Replication Record page, check that the status of the replication task is Completed. If the image also exists in the destination instance, automatic replication between instances that belong to different accounts is successful.

Manually replicate images

You can manually replicate a single image between two instances that belong to different accounts without creating a replication rule. In this example, the source instance belongs to Account A and the destination instance belongs to Account B.

  1. Obtain the IDs of Account A and Account B, the region where the destination instance is deployed, and the ID of the destination instance. For more information, see the Preparations section in this topic.
  2. Log on to the RAM console by using Account B and grant Account A the permissions to replicate images to instances that belong to Account B. For more information, see Step 1 in this topic.
  3. Log on to the Container Registry console.
  4. In the top navigation bar, select a region.
  5. In the left-side navigation pane, click Instances.
  6. On the Instances page, click the required Container Registry Enterprise Edition instance.
  7. In the left-side navigation pane of the management page of the Container Registry Enterprise Edition instance, choose Repository > Repositories.
  8. On the Repositories page, click the name of the repository that you want to manage.
  9. On the repository details page, click Tags in the left-side navigation pane. Find the image that you want to replicate and click Sync in the Actions column.
  10. In the Sync dialog box, set Synchronization Scenario to Across Accounts, enter the ID of the account to which the destination instance belongs and the ID of the destination instance, select the namespace, destination repository, and image tag, and then click OK.
    To verify the result, go to the management page of the Container Registry Enterprise Edition instance and choose Distribution > Replication Record. On the Replication Record page, check that the status of the replication task is Completed. If the image also exists in the destination instance, manual replication is successful.