Container Registry allows you to synchronize images between instances that belong to different accounts, regardless of the regions in which the instances are deployed. This topic describes how to set up manual and automatic image synchronization between Container Registry instances that belong to different accounts.

Prerequisites

Make sure that the source instance is a standard or advanced Container Registry instance of Enterprise Edition. You cannot synchronize images from a basic Container Registry instance of Enterprise Edition. The destination instance can be a basic, standard, or advanced Container Registry instance of Enterprise Edition.
Note To upgrade a Container Registry Enterprise Edition instance, find the instance on the Instances page and click Upgrade in the lower-right corner.

Background information

Synchronization can be set up between instances that belong to Alibaba Cloud accounts or to Resource Access Management (RAM) users.

Automatic synchronization between instances that belong to different accounts

You can configure a synchronization rule to automate image synchronization between two instances that belong to different accounts. After you upload an image to the source instance, the system automatically synchronizes the image to the destination instance. In this example, the source instance belongs to Account A and the destination instance belongs to Account B.

Preparations

You must obtain the following information before you set up synchronization between instances that belong to different accounts:

  • The IDs of Account A and Account B.
    Note If your account is a RAM user, you must obtain the ID of the Alibaba Cloud account to which the RAM user belongs.
  • The region where the destination instance is deployed and the ID of the destination instance.

    Log on to the Container Registry console, select the region in the top navigation bar of the Instances page, and click the Container Registry Enterprise Edition instance that you want to use as the destination instance. On the Overview page, you can find the region and ID of the instance in the Instance section.

  • Images can be automatically synchronized between instances that belong to different accounts by namespace or by repository.
    • To synchronize images by namespace, the source and destination instances must have a namespace with the same name, and the namespace on the destination instance must be configured to automatically create repositories. For more information about how to automatically create repositories, see Create a namespace.
    • To synchronize images by repository, the source and destination instances must have a repository with the same name in a namespace with the same name.

Step 1: Grant permissions to Account A

You must log on to the RAM console by using Account B and grant Account A the permissions to synchronize images to instances that belong to Account B.

  1. Create a RAM role named aliyuncontainerregistrycrossaccoutsyncrole.
    Note You must set the name of the RAM role to aliyuncontainerregistrycrossaccoutsyncrole.
    1. Log on to the RAM console by using Account B.
    2. In the left-side navigation pane, choose Identities > Roles. On the right side of the page, click Create Role.
    3. On the Select Role Type wizard page, select Alibaba Cloud Account as the trusted entity and click Next.
    4. On the Configure Role wizard page, set RAM Role Name to aliyuncontainerregistrycrossaccoutsyncrole and click OK.
    5. On the Finish wizard page, click Close.
  2. Create a policy.
    1. In the left-side navigation pane of the RAM console, choose Permissions > Policies. On the right side of the page, click Create Policy.
    2. On the Create Custom Policy page, specify the Policy Name parameter, set Configuration Mode to Script, specify the actual value in the Resource field, and paste the following content into the code editor. Then, click OK.
      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "cr:CreateSyncRule",
                      "cr:CreateRepositorySync"
                  ],
                  "Resource": "acs:cr:cn-beijing:151356101970****:instance/cri-4im1o411ls8g****"
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "cr:CreateSyncRule",
                      "cr:CreateRepositorySync"
                  ],
                  "Resource": "acs:cr:cn-hangzhou:151356101970****:instance/cri-4im1o411ls8gxr****"
              }
          ],
          "Version": "1"
      }
      Resource: the resource that you want to authorize Account A to access. Specify the resource in the following format: acs:cr:<region where the destination instance of Account B is deployed>:<ID of Account B>:instance/<ID of the destination instance of Account B>.
      Note If Account B is a RAM user, set the ID of Account B in the Resource field to the ID of the Alibaba Cloud account to which the RAM user belongs.
  3. Attach the policy to the aliyuncontainerregistrycrossaccoutsyncrole role.
    1. On the Policies page, search for the policy that you created and click the name of the policy.
    2. On the page that appears, click the References tab. Then, click Grant Permission.
    3. In the Add Permissions panel, set Authorized Scope to Alibaba Cloud Account, select aliyuncontainerregistrycrossaccoutsyncrole as Principal, and click Custom Policy. Search for the policy that you created and click its name in the search result. Then, click OK.
    4. Click Complete.
  4. Modify the trust policy of aliyuncontainerregistrycrossaccoutsyncrole.
    1. In the left-side navigation pane of the RAM console, choose Identities > Roles.
    2. Search for aliyuncontainerregistrycrossaccoutsyncrole and click the role name in the search result.
    3. Click the Trust Policy Management tab. Then, click Edit Trust Policy.
    4. In the Edit Trust Policy panel, specify the actual value in the Service field, and paste the following content into the code editor. Then, click OK.
      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "125287961064****@cr.aliyuncs.com"
              ]
            }
          }
        ],
        "Version": "1"
      }
      Service: the principal that is allowed to assume the role. Specify the service in the following format: <ID of Account A>@cr.aliyuncs.com.
      Note If Account A is a RAM user, set the ID of Account A in the Service field to the ID of the Alibaba Cloud account to which the RAM user belongs.
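A pre-flight check for the two JSON documents in Step 1, added here as an example and not part of the Alibaba Cloud documentation or product: it verifies that the permission policy grants only the two sync actions on Resource values in the acs:cr:<region>:<ID of Account B>:instance/<instance ID> form (flagging a "*" or an instance that belongs to another account), and that the trust policy lets only <ID of Account A>@cr.aliyuncs.com assume the role. The account and instance IDs in the sample are constructed placeholders.

```python
import json
import re

# Page formats: acs:cr:<region>:<Account B ID>:instance/<destination instance ID>
# and <Account A ID>@cr.aliyuncs.com; Step 1 grants only these two actions.
ALLOWED_ACTIONS = {"cr:CreateSyncRule", "cr:CreateRepositorySync"}
RESOURCE_RE = re.compile(r"^acs:cr:([a-z0-9-]+):(\d+):instance/(cri-[a-z0-9]+)$")
SERVICE_RE = re.compile(r"^(\d+)@cr\.aliyuncs\.com$")

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def check_permission_policy(policy_json, account_b_id):
    """Findings for the policy attached to the role; [] means it is as narrow as Step 1 asks."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            findings.append(f"statement {i}: Effect is not Allow")
        extra = set(_as_list(stmt.get("Action"))) - ALLOWED_ACTIONS
        if extra:
            findings.append(f"statement {i}: actions beyond sync: {sorted(extra)}")
        for res in _as_list(stmt.get("Resource")):
            m = RESOURCE_RE.match(res)
            if not m:  # catches "*" and anything that is not a single CR instance
                findings.append(f"statement {i}: resource is not one CR instance: {res}")
            elif m.group(2) != account_b_id:
                findings.append(f"statement {i}: resource is in account {m.group(2)}, not Account B")
    return findings

def check_trust_policy(policy_json, account_a_id):
    """Findings for the role's trust policy; only <Account A ID>@cr.aliyuncs.com may assume it."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Action") != "sts:AssumeRole" or stmt.get("Effect") != "Allow":
            findings.append(f"statement {i}: expected Allow on sts:AssumeRole only")
        principal = stmt.get("Principal", {})
        if set(principal) != {"Service"}:
            findings.append(f"statement {i}: principal types other than Service: {sorted(principal)}")
        for svc in _as_list(principal.get("Service")):
            m = SERVICE_RE.match(svc)
            if not m or m.group(1) != account_a_id:
                findings.append(f"statement {i}: trusted service is not Account A: {svc}")
    return findings

if __name__ == "__main__":
    # Constructed sample: same two actions, but Resource widened to "*" instead of one instance.
    weak = json.dumps({"Statement": [{"Effect": "Allow", "Action": sorted(ALLOWED_ACTIONS),
                                      "Resource": "*"}], "Version": "1"})
    print(check_permission_policy(weak, "100000000000002"))
```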

Step 2: Create a synchronization rule

  1. Log on to the Container Registry console by using Account A.
  2. In the top navigation bar, select a region.
  3. On the Instances page, click the required Container Registry Enterprise Edition instance.
  4. On the management page of your Container Registry Enterprise Edition instance, choose Distribution > Instance Replication in the left-side navigation pane. Then, click Create Rule on the right side of the page.
  5. In the Create Rule dialog box, set the parameters on the Instance Information wizard page and click Next.
    Parameter                  Description
    Rule Name                  Enter a name for the synchronization rule.
    Synchronization Scenario   Set Synchronization Scenario to Across Accounts.
    Destination UID            Enter the ID of the account to which the destination instance belongs.
    Target Instance            Select the region where the destination instance is deployed and enter the ID of the destination instance.
  6. On the Replication Information wizard page, set Replication Level to Namespace or Repository, select the namespace or repository, and enter a regular expression to filter repository versions. Then, click Create Rule.
    On the management page of the Container Registry Enterprise Edition instance, choose Distribution > Replication Record. On the Replication Record page, check that the status of the synchronization task is Completed. If the image exists in the destination instance, automatic synchronization between instances that belong to different accounts is successful.

Manual synchronization between instances that belong to different accounts

You can configure a synchronization rule to manually synchronize an image between two instances that belong to different accounts. In this example, the source instance belongs to Account A and the destination instance belongs to Account B.

  1. Obtain the IDs of Account A and Account B, the region where the destination instance is deployed, and the ID of the destination instance. For more information, see the Preparations section in this topic.
  2. Log on to the RAM console by using Account B and grant Account A the permissions to synchronize images to instances that belong to Account B. For more information, see Step 1 in this topic.
  3. Log on to the Container Registry console.
  4. In the top navigation bar, select a region.
  5. On the Instances page, click the required Container Registry Enterprise Edition instance.
  6. On the Repositories page, click the name of the repository that you want to manage.
  7. On the repository details page, click Tags in the left-side navigation pane. Find the image that you want to synchronize and click Sync in the Actions column.
  8. In the Sync dialog box, set Synchronization Scenario to Across Accounts, enter the ID of the account to which the destination instance belongs and the ID of the destination instance, select the namespace, destination repository, and image tag, and then click OK.
    On the management page of the Container Registry Enterprise Edition instance, choose Distribution > Replication Record. On the Replication Record page, check that the status of the synchronization task is Completed. If the image exists in the destination instance, manual synchronization between instances that belong to different accounts is successful.