Container Registry: Replicate images between instances that belong to different accounts

Last Updated: Apr 17, 2024

Container Registry allows you to replicate images between instances that belong to different Alibaba Cloud accounts. The cross-account image replication feature applies to all regions. Manual replication and automatic replication are supported.

Prerequisites

The source instance must be of the Advanced Edition. The destination instance can be of the Basic Edition or Advanced Edition.

Note
  • If your Container Registry Enterprise Edition instance is of the Basic Edition, you can click Instances in the left-side navigation pane of the Container Registry console and then find the Enterprise Edition instance. Click Upgrade in the card of the instance to upgrade the instance to the Advanced Edition.

  • You cannot replicate images from a public cloud region to a non-public cloud region, such as an Alibaba Finance Cloud region or an Alibaba Gov Cloud region.

Background information

You can replicate images between instances from one Alibaba Cloud account to another, from one RAM user to another, and from one Alibaba Cloud account to a RAM user.

Automatically replicate images

You can configure a replication rule to automate image replication between two instances that belong to different accounts. After you upload an image to the source instance, the system automatically replicates the image to the destination instance. In this example, the source instance belongs to Account A and the destination instance belongs to Account B.

Important

Only images that are uploaded after the replication rule is configured can be automatically replicated between instances that belong to different accounts. Existing images cannot be replicated. For information about how to replicate existing images, see Manually replicate images and CreateRepoSyncTask.

Preparations

You must obtain the following information before you set up replication between instances that belong to different accounts:

  • The IDs of Account A and Account B.

    Note

    If your account is a RAM user, you must obtain the ID of the Alibaba Cloud account to which the RAM user belongs.

  • The region where the destination instance is deployed and the ID of the destination instance.

    Log on to the Container Registry console. At the top of the Instances page, select a region and click the Enterprise Edition instance that you want to use as the destination instance. On the Overview page, you can find the region of the instance. You can also find the instance ID in the Instance section.

  • Images can be automatically replicated between instances that belong to different accounts by namespace or repository.

    • To replicate images by namespace, the source and destination instances must both have a namespace of the same name, and automatic repository creation must be enabled for that namespace. For information about how to enable automatic repository creation for a namespace, see Step 4: Create a namespace.

    • To replicate images by repository, the source and destination instances must have the same repository in the same namespace.

Step 1: Grant permissions to Account A

You must log on to the RAM console with Account B and grant Account A the permissions to replicate images to instances that belong to Account B.

  1. Create a RAM role named aliyuncontainerregistrycrossaccoutsyncrole.

    Note

    You must set the name of the RAM role to aliyuncontainerregistrycrossaccoutsyncrole.

    1. Log on to the RAM console by using Account B.

    2. In the left-side navigation pane, choose Identities > Roles. On the page that appears, click Create Role.

    3. In the Select Role Type step of the Create Role wizard, select Alibaba Cloud Account as the trusted entity and click Next.

    4. In the Configure Role step, set Role Name to aliyuncontainerregistrycrossaccoutsyncrole and click OK.

    5. In the Finish step, click Close.

  2. Create a permission policy.

    1. In the left-side navigation pane of the RAM console, choose Permissions > Policies. On the page that appears, click Create Policy.

    2. On the Create Policy page, click JSON. In the following code block, replace each Resource value with the value for your own destination instance (one statement per destination instance; the example grants access to two instances in different regions). Then, copy the modified code block to the editor and click Next to edit policy information.

      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "cr:CreateSyncRule",
                      "cr:CreateRepositorySync"
                  ],
                  "Resource": "acs:cr:cn-beijing:151356101970****:instance/cri-4im1o411ls8g****"
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "cr:CreateSyncRule",
                      "cr:CreateRepositorySync"
                  ],
                  "Resource": "acs:cr:cn-hangzhou:151356101970****:instance/cri-4im1o411ls8gxr****"
              }
          ],
          "Version": "1"
      }

      Resource: the destination instance that you want to authorize Account A to replicate images to. Specify the resource in the following format: acs:cr:<region where the destination instance of Account B is deployed>:<ID of Account B>:instance/<ID of the destination instance of Account B>. Because the policy only allows the cr:CreateSyncRule and cr:CreateRepositorySync actions on the listed instances, Account A gets no other permissions in Account B.

      Note

      If Account B is a RAM user, set <ID of Account B> in the Resource field to the ID of the Alibaba Cloud account to which the RAM user belongs.

  3. Attach the policy to the aliyuncontainerregistrycrossaccoutsyncrole role.

    1. On the Policies page, search for the policy that you created and click the name of the policy.

    2. On the page that appears, click the References tab. Then, click Grant Permission.

    3. In the Grant Permission panel, set Authorized Scope to Alibaba Cloud Account and Principal to aliyuncontainerregistrycrossaccoutsyncrole, click Custom Policy, enter the name of the policy that you created in the preceding step, and then click OK.

    4. Click Complete.

  4. Modify the trust policy of aliyuncontainerregistrycrossaccoutsyncrole.

    1. In the left-side navigation pane of the RAM console, choose Identities > Roles.

    2. Search for aliyuncontainerregistrycrossaccoutsyncrole and click the role name in the search result.

    3. Click Trust Policy, and then click Edit Trust Policy.

    4. Replace the Service value in the following code block with the value for Account A, copy the modified code block to the editor, and then click Save trust policy document.

      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "125287961064****@cr.aliyuncs.com"
              ]
            }
          }
        ],
        "Version": "1"
      }

      Service: the principal that is allowed to assume the role, which is the Container Registry service acting on behalf of Account A. Specify the service in the following format: <ID of Account A>@cr.aliyuncs.com. Do not list any other principal here; only Account A needs to assume this role.

      Note

      If Account A is a RAM user, set <ID of Account A> in the Service field to the ID of the Alibaba Cloud account to which the RAM user belongs.
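The two policy documents above are built from four inputs (the ID of Account A, the ID of Account B, the region and the ID of each destination instance), and the trust policy is the part that an attacker would most like to see left too broad. The following Python script is an added example (not an Alibaba Cloud tool) that generates both documents from those inputs and audits an existing trust policy for principals other than Account A's Container Registry service principal. The format checks for regions, account IDs and instance IDs are assumptions for a sanity check, not the service's official validation rules, and every ID in the sample data is constructed.

```python
"""Build and audit the RAM policy documents used for cross-account replication.

Added example, not Alibaba Cloud's own tooling. The format checks below are
assumptions for a sanity check; all sample IDs are constructed placeholders.
"""
import json
import re

# Assumed formats: 16-digit Alibaba Cloud account ID, "cri-..." instance ID,
# "cn-beijing" / "ap-southeast-1" style public-cloud region IDs.
REGION_RE = re.compile(r"^[a-z]+-[a-z]+(-\d+)?$")
ACCOUNT_ID_RE = re.compile(r"^\d{16}$")
INSTANCE_ID_RE = re.compile(r"^cri-[0-9a-z]+$")

# The only two actions the replication setup needs in Account B.
SYNC_ACTIONS = ["cr:CreateSyncRule", "cr:CreateRepositorySync"]
ROLE_NAME = "aliyuncontainerregistrycrossaccoutsyncrole"  # name mandated by the topic


def instance_resource(region, account_b_id, instance_id):
    """acs:cr:<region>:<ID of Account B>:instance/<ID of destination instance>."""
    if not REGION_RE.match(region):
        raise ValueError(f"unexpected region format: {region}")
    if not ACCOUNT_ID_RE.match(account_b_id):
        raise ValueError("use the 16-digit Alibaba Cloud account ID, not a RAM user ID")
    if not INSTANCE_ID_RE.match(instance_id):
        raise ValueError(f"unexpected instance ID format: {instance_id}")
    return f"acs:cr:{region}:{account_b_id}:instance/{instance_id}"


def permission_policy(account_b_id, destinations):
    """Policy created in Account B: one Allow statement per destination
    instance, limited to the two replication actions (least privilege)."""
    statements = [
        {"Effect": "Allow", "Action": list(SYNC_ACTIONS),
         "Resource": instance_resource(region, account_b_id, inst)}
        for region, inst in destinations
    ]
    return {"Statement": statements, "Version": "1"}


def trust_policy(account_a_id):
    """Trust policy of the role in Account B: only Account A's Container
    Registry service principal may assume it."""
    if not ACCOUNT_ID_RE.match(account_a_id):
        raise ValueError("use the 16-digit Alibaba Cloud account ID, not a RAM user ID")
    return {
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": [f"{account_a_id}@cr.aliyuncs.com"]},
        }],
        "Version": "1",
    }


def audit_trust_policy(policy, expected_account_a_id):
    """Return findings for every principal in an AssumeRole Allow statement
    that is not exactly Account A's service principal. Empty list = clean."""
    findings = []
    expected = f"{expected_account_a_id}@cr.aliyuncs.com"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("Principal is '*': any principal may assume the role")
            continue
        for kind, values in principal.items():
            values = [values] if isinstance(values, str) else values
            for v in values:
                if "*" in v:
                    findings.append(f"wildcard principal in {kind}: {v}")
                elif kind != "Service" or v != expected:
                    findings.append(f"unexpected principal in {kind}: {v}")
    return findings


# Constructed sample values (not real accounts or instances).
ACCOUNT_A = "1252879610641234"
ACCOUNT_B = "1513561019701234"
DESTINATIONS = [("cn-beijing", "cri-4im1o411ls8gabcd"),
                ("cn-hangzhou", "cri-4im1o411ls8gxref")]

if __name__ == "__main__":
    print(json.dumps(permission_policy(ACCOUNT_B, DESTINATIONS), indent=4))
    print(json.dumps(trust_policy(ACCOUNT_A), indent=2))
    print("trust policy findings:", audit_trust_policy(trust_policy(ACCOUNT_A), ACCOUNT_A))
```

Paste the printed documents into the JSON editor in the RAM console in place of the two code blocks above. Run audit_trust_policy against the trust policy you already saved for the role whenever Account A changes or the setup is reviewed: a wildcard or a second principal in the Service list would let another account's registry create replication tasks into your instances.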

Step 2: Create a replication rule

  1. Log on to the Container Registry console with Account A.

  2. In the top navigation bar, select a region.

  3. In the left-side navigation pane, click Instances.

  4. On the Instances page, click the Enterprise Edition instance that you want to manage.

  5. In the left-side navigation pane of the management page of the Enterprise Edition instance, choose Distribution > Instance Replication. On the page that appears, click Create Rule.

  6. In the Instance Information step of the Create Rule wizard, configure the following parameters and then click Next.

    • Rule Name: Enter a name for the replication rule.

    • Replication Scenario: Set Replication Scenario to Across Accounts.

    • Destination UID: Enter the ID of the account to which the destination instance belongs.

    • Destination Instance: Select the region where the destination instance is deployed and enter the ID of the destination instance.

  7. In the Replication Information step, set Replication Level to Namespace or Repository based on your requirements, select the namespace or repository, and enter a regular expression to filter image tags. Then, click Create Rule.

    To verify the rule, push an image to the source instance. Then, in the left-side navigation pane of the management page of the Container Registry Enterprise Edition instance, choose Distribution > Replication Record. If the status of the replication task on the Replication Record page is Completed and the image appears in the destination instance, the automatic replication between instances that belong to different accounts is successful.

Manually replicate images

You can configure a replication rule to manually replicate an image between two instances that belong to different accounts. In this example, the source instance belongs to Account A and the destination instance belongs to Account B.

  1. Obtain the IDs of Account A and Account B, the region where the destination instance is deployed, and the ID of the destination instance. For more information, see the Preparations section in this topic.

  2. You must log on to the RAM console with Account B and grant Account A the permissions to replicate images to instances that belong to Account B. For more information, see Step 1 in this topic.

  3. Log on to the Container Registry console.

  4. In the top navigation bar, select a region.

  5. In the left-side navigation pane, click Instances.

  6. On the Instances page, click the Enterprise Edition instance that you want to manage.

  7. In the left-side navigation pane of the management page of the Enterprise Edition instance, choose Repository > Repositories.

  8. On the page that appears, click the name of the repository in which the image to be replicated resides.

  9. In the left-side navigation pane of the details page of the image repository, click Tags. On the page that appears, find the image that you want to replicate and click Replicate in the Actions column that corresponds to the image.

  10. In the Image Replication dialog box, set Replication Scenario to Cross Accounts and enter the ID of the destination instance account. Select the destination repository, enter the ID of the destination instance, the destination namespace, destination repository name, and image tag, and then click OK.

    To verify the result, in the left-side navigation pane of the management page of the Container Registry Enterprise Edition instance, choose Distribution > Replication Record. If the status of the replication task on the Replication Record page is Completed and the image appears in the destination instance, the manual replication is successful.

References

To replicate images between instances that belong to the same account across regions, see Replicate images between instances that belong to the same account.