
Container Registry: Cross-account instance synchronization

Last Updated: Dec 16, 2025

The cross-account instance sync feature lets you replicate images from an instance in one account to an instance in another. This feature supports both manual and automatic synchronization and is not region-specific.

Applicability

  • The source instance must be a Premium Edition instance. The destination instance can be a Basic or Premium Edition instance.

    On the Container Registry console, click Upgrade in the lower-right corner of the Enterprise instance card.
  • Image replication from public cloud regions to non-public cloud regions, such as Alibaba Finance Cloud and Alibaba Gov Cloud, is not supported.

  • In some regions, only custom sync links are supported because of special restrictions, such as no public network access for Object Storage Service (OSS) buckets.

Background information

You can replicate images between instances that belong to different Alibaba Cloud accounts, different Resource Access Management (RAM) users, or an Alibaba Cloud account and a RAM user.

Automatically synchronize instances across accounts

You can configure a sync rule to automatically replicate images between instances that belong to different accounts. After the rule is configured, an image that is uploaded to the source instance is automatically replicated to the destination instance. This topic provides an example in which the source instance belongs to Account A and the destination instance belongs to Account B.

Important

Automatic cross-account replication applies only to images that match the rule and are uploaded after the sync rule is created. Existing images are not replicated.

Two solutions are available to replicate existing images:

  • If you have a small number of existing images, you can replicate them manually. For more information, see Manually replicate images across accounts and CreateRepoSyncTask.

  • If you have many existing images, you can use the OSS replication + ACR image import solution:

    1. Copy all files from the OSS bucket of the source instance to the OSS bucket of the destination ACR instance. For more information, see Data replication.

    2. Create an import rule, set the migration source to the OSS bucket, and then start an image import task to migrate the images.

Preparations

Before you automatically replicate images across accounts, you must obtain the following information:

  • The UIDs of Account A and Account B.

    Note

    If you use a RAM user, obtain the UID of the Alibaba Cloud account to which the RAM user belongs.

  • The region and ID of the destination instance.

    Log on to the Container Registry console. At the top of the Instances page, select a region and click the target Enterprise instance. On the Overview page, you can view the Region of the instance and find the Instance ID in the Instance Information section.

  • Automatic cross-account image replication is supported at the namespace and repository levels:

    • To sync at the namespace level, the source and destination instances must have a namespace with the same name. Automatic repository creation must also be enabled for the namespace in the destination instance. For more information about how to enable automatic repository creation, see Create a namespace.

    • To sync at the repository level, the source and destination instances must have an image repository and a namespace with the same name.

Step 1: Grant permissions to Account A from Account B

Log on with Account B and grant permissions to Account A. This allows Account A to sync images to the instance that belongs to Account B.

  1. Create a RAM role named aliyuncontainerregistrycrossaccoutsyncrole.

    Note

    The role name must be aliyuncontainerregistrycrossaccoutsyncrole.

    1. Log on to the Resource Access Management (RAM) console with Account B.

    2. In the navigation pane on the left, choose Identity Management > Roles. On the page that appears, click Create Role.

    3. On the Create Role page, set the Principal Type parameter to Cloud Account, specify an Alibaba Cloud account, and then click OK.

    4. In the dialog box that appears, enter aliyuncontainerregistrycrossaccoutsyncrole as the role name, and then click OK.

  2. Create an access policy.

    1. In the navigation pane on the left of the RAM console, choose Permission Management > Policies, and then click Create Policy.

    2. On the Create Policy page, click the JSON tab. Replace the value of the Resource field in the following policy content as required. Then, copy the modified content to the policy editor and click Next: Edit Basic Information. In the Create Policy dialog box, enter a Policy Name and a Note.

      Note

      Resource: Specifies the resource to which you want to grant permissions. Use the following format: acs:cr:<Region of the destination instance in Account B>:<UID of Account B>:instance/<ID of the destination instance in Account B>.

      If Account B is a RAM user, use the UID of the Alibaba Cloud account to which the RAM user belongs as the UID of Account B in the Resource field.

      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "cr:CreateSyncRule",
                      "cr:CreateRepositorySync"
                  ],
                  "Resource": "acs:cr:cn-beijing:151356101970****:instance/cri-4im1o411ls8g****"
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "cr:CreateSyncRule",
                      "cr:CreateRepositorySync"
                  ],
                  "Resource": "acs:cr:cn-hangzhou:151356101970****:instance/cri-4im1o411ls8gxr****"
              }
          ],
          "Version": "1"
      }
  3. Attach the access policy to the aliyuncontainerregistrycrossaccoutsyncrole role.

    1. On the Policies page, find the policy that you created and click its name.

    2. Click the References tab, and then click Add Authorization.

    3. In the Add Permissions panel, set Authorized Scope to Account Level, set Principal to aliyuncontainerregistrycrossaccoutsyncrole, and then click OK.

    4. Click Close.

  4. Modify the trust policy of the aliyuncontainerregistrycrossaccoutsyncrole role.

    1. In the navigation pane on the left of the RAM console, choose Identity Management > Roles.

    2. On the Roles page, find and click aliyuncontainerregistrycrossaccoutsyncrole.

    3. Click the Trust Policy tab, and then click Edit Trust Policy.

    4. Replace the value of the Service field in the policy content as required, copy the modified content to the editor, and then click Save Trust Policy.

      Note

      Service: Specifies the principal that can assume the role. Use the following format: <UID of Account A>@cr.aliyuncs.com.

      If Account A is a RAM user, use the UID of the Alibaba Cloud account to which the RAM user belongs as the UID of Account A in the Service field.

      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "125287961064****@cr.aliyuncs.com"
              ]
            }
          }
        ],
        "Version": "1"
      }
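
One way to generate the two Step 1 documents from their inputs and to check an existing pair for grants broader than this page's, as an added example that is not part of the original documentation. The UIDs and instance ID are constructed sample values, and the Resource pattern is an assumption inferred from the masked samples above.

```python
import json
import re

# Only the two actions the page's access policy grants.
ALLOWED_ACTIONS = {"cr:CreateSyncRule", "cr:CreateRepositorySync"}
# Assumed shape, inferred from the page's samples: numeric UID, "cri-" instance ID.
RESOURCE_RE = re.compile(r"^acs:cr:[a-z0-9-]+:\d+:instance/cri-[a-z0-9]+$")

def build_access_policy(destinations):
    """destinations: (region, Account B UID, instance ID) per destination instance."""
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": sorted(ALLOWED_ACTIONS),
         "Resource": f"acs:cr:{region}:{uid}:instance/{iid}"}
        for region, uid, iid in destinations]}

def build_trust_policy(account_a_uid):
    """Only Account A's Container Registry service principal may assume the role."""
    return {"Version": "1", "Statement": [
        {"Action": "sts:AssumeRole", "Effect": "Allow",
         "Principal": {"Service": [f"{account_a_uid}@cr.aliyuncs.com"]}}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit(access, trust, account_a_uid):
    """Return findings for anything broader than the two documents on this page."""
    findings = []
    for st in access["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            if action not in ALLOWED_ACTIONS:
                findings.append(f"access policy: unneeded action {action!r}")
        for res in _as_list(st.get("Resource", [])):
            if not RESOURCE_RE.match(res):
                findings.append(f"access policy: {res!r} is not one instance")
    expected = f"{account_a_uid}@cr.aliyuncs.com"
    for st in trust["Statement"]:
        for kind, values in st.get("Principal", {}).items():
            for value in _as_list(values):
                if kind != "Service" or value != expected:
                    findings.append(f"trust policy: unexpected {kind} {value!r}")
    return findings

if __name__ == "__main__":
    # Constructed sample values, not real accounts or instances.
    a_uid, b_uid = "1000000000000001", "2000000000000002"
    access = build_access_policy([("cn-beijing", b_uid, "cri-exampleinstance01")])
    print(json.dumps(access, indent=4))
    print(audit(access, build_trust_policy(a_uid), a_uid))
```
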

Step 2: Create a sync rule in Account A

  1. Log on to the Container Registry console with Account A.

  2. In the top navigation bar, select a region.

  3. In the left-side navigation pane, click Instances.

  4. On the Instances page, click the Enterprise Edition instance that you want to manage.

  5. On the management page for the Enterprise Edition instance, in the navigation pane on the left, go to Distribution > Instance Sync. On the page that appears, click Create Rule.

  6. In the Create Rule dialog box, in the Instance Information step, set the required parameters and click Next.

    Parameter: Description

    • Rule Name: Enter a name for the sync rule.

    • Sync Scenario: Set Sync Scenario to Cross-account.

    • Destination UID: Enter the UID of the account to which the destination instance belongs.

    • Destination Instance: Select the region of the destination instance and enter the instance ID.

  7. In the Sync Information step, set the Sync Level to either namespace or repository. Then, select the desired namespace or repository, set a filtering rule for the image version, and click Create Sync Rule.

    To verify the result, choose Distribution > Sync Records on the management page of the Enterprise instance. If the status of the sync task on the Sync Records page is Successful and the image is available in the destination instance, the automatic cross-account instance sync was successful.

Manually replicate images across accounts

You can manually push images from a source instance to a destination instance that belongs to another account. This topic provides an example in which the source instance belongs to Account A and the destination instance belongs to Account B.

  1. Obtain the UIDs of Account A and Account B, and the region and ID of the destination instance. For more information, see the Preparations section of this topic.

  2. Log on with Account B and grant permissions to Account A. This allows Account A to sync images to the instance that belongs to Account B. For more information, see Step 1 of this topic.

  3. Log on to the Container Registry console.

  4. In the top navigation bar, select a region.

  5. In the left-side navigation pane, click Instances.

  6. On the Instances page, click the Enterprise Edition instance that you want to manage.

  7. In the left-side navigation pane of the management page of the Enterprise Edition instance, choose Repository > Repositories.

  8. On the Image Repositories page, click the name of the target image repository.

  9. On the repository details page, click Image Versions in the navigation pane on the left. Find the target image and click Sync in the Actions column.

  10. In the Image Sync dialog box, set Sync Scenario to Cross-account. Enter the UID of the destination account, the ID of the destination instance, the destination namespace, the destination repository name, and the image version. Then, click OK.

    To verify the result, choose Distribution > Sync Records on the management page of the Enterprise instance. If the status of the sync task on the Sync Records page is Successful and the image is available in the destination instance, the manual cross-account instance sync was successful.

References

To sync images to other regions within the same account, see Sync images within the same account. This operation does not require account authorization.