Setelah memahami nama sumber daya Alibaba Cloud (ARN), karakteristik, dan metode akses sumber daya, Anda dapat membuat aturan otentikasi RAM untuk mengelola berbagai sumber daya dalam sistem secara efektif.
Format ARN
Tabel berikut menjelaskan format ARN dalam kebijakan otorisasi saat memberikan izin kepada pengguna RAM.
Jenis sumber daya | Format ARN |
* | acs:cr:$regionid:$accountid:* |
instance | acs:cr:$regionid:$accountid:instance/$instanceid |
repository | acs:cr:$regionid:$accountid:repository/$instanceid/* acs:cr:$regionid:$accountid:repository/$instanceid acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/* acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename |
chart | acs:cr:$regionid:$accountid:chart/$instanceid/* acs:cr:$regionid:$accountid:chart/$instanceid acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/* acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/<br>$chartrepositoryname |
Tabel berikut menjelaskan parameter dalam format ARN.
Parameter | Deskripsi |
regionid | ID wilayah. Anda dapat mengganti ID wilayah dengan tanda bintang (*). |
accountid | ID akun Alibaba Cloud. Anda dapat mengganti ID akun dengan tanda bintang (*). |
instanceid | ID instance Container Registry Enterprise Edition. |
namespacename | Nama namespace. |
repositoryname | Nama repositori gambar. |
chartnamespacename | Nama namespace chart. |
chartrepositoryname | Nama repositori chart. |
Aturan otentikasi
Saat mengakses API Container Registry sebagai pengguna RAM atau menggunakan STS, Container Registry memeriksa apakah Anda telah memperoleh izin yang diperlukan. Izin yang diperiksa oleh Container Registry bervariasi berdasarkan sumber daya yang diminta oleh operasi API dan sintaks operasi API. Tabel berikut menjelaskan aturan otentikasi untuk operasi API yang berbeda.
Tanda bintang (*) digunakan sebagai wildcard.
API | Aksi | Sumber daya |
GetAuthorizationToken | cr:GetAuthorizationToken | * |
GetChartNamespace | cr:GetNamespace | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename |
GetChartRepository | cr:GetRepository | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname |
GetInstance | cr:GetInstance | acs:cr:$regionid:$accountid:instance/$instanceid |
GetInstanceCount | cr:ListInstance | * |
GetInstanceEndpoint | cr:GetInstanceEndpoint | acs:cr:$regionid:$accountid:instance/$instanceid |
GetInstanceUsage | cr:GetInstanceUsage | acs:cr:$regionid:$accountid:instance/$instanceid |
GetInstanceVpcEndpoint | cr:GetInstanceVpcEndpoint | acs:cr:$regionid:$accountid:instance/$instanceid |
GetNamespace | cr:GetNamespace | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename |
GetRepoBuildRecord | cr:GetRepositoryBuildRecord | acs:cr:$regionid:$accountid:repository/$instanceid |
GetRepoBuildRecordStatus | cr:GetBuildRepositoryStatus | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
GetRepoSyncTask | cr:GetRepositorySync | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
GetRepoTagLayers | cr:GetRepositoryLayers | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
GetRepoTagManifest | cr:GetRepositoryManifest | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
GetRepoTagScanTask | cr:GetScan | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
GetRepository | cr:GetRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
ListChartNamespace | cr:ListNamespace | acs:cr:$regionid:$accountid:chart/$instanceid/* |
ListChartRelease | cr:ListChartRelease | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname |
ListChartRepository | cr:ListRepository | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/* |
ListInstance | cr:ListInstance | * |
ListInstanceEndpoint | cr:ListInstanceEndpoint | acs:cr:$regionid:$accountid:repository/$instanceid |
ListNamespace | cr:ListNamespace | acs:cr:$regionid:$accountid:repository/$instanceid/* |
ListRepoBuildRecord | cr:ListRepositoryBuild | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
ListRepoBuildRecordLog | cr:GetRepositoryBuildLog | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
ListRepoBuildRule | cr:ListRepositoryBuildRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
ListRepoSyncRule | cr:ListSyncRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
ListRepoSyncTask | cr:GetRepositorySync | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
ListRepoTag | cr:ListRepositoryTag | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
ListRepoTrigger | cr:ListWebHook | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
ListRepoTriggerLog | cr:GetWebHookLog | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
ListRepoTriggerRecord | cr:GetWebHookLog | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
ListRepository | cr:ListRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/* |
CancelRepoBuildRecord | cr:CancelBuildRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
CreateBuildRecordByRule | cr:BuildRepositoryByRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
CreateChartNamespace | cr:CreateNamespace | acs:cr:$regionid:$accountid:chart/$instanceid |
CreateInstanceEndpointAclPolicy | cr:CreateInstanceEndpointAclPolicy | acs:cr:$regionid:$accountid:instance/$instanceid |
CreateInstanceVpcEndpointLinkedVpc | cr:CreateInstanceVpcEndpointLinkedVpc | acs:cr:$regionid:$accountid:instance/$instanceid |
CreateNamespace | cr:CreateNamespace | acs:cr:$regionid:$accountid:repository/$instanceid |
CreateRepoBuildRule | cr:CreateRepositoryBuildRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
CreateRepoSyncRule | cr:CreateSyncRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
CreateRepoSyncTaskByRule | cr:CreateRepositorySync | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
CreateRepoTrigger | cr:CreateWebHook | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
CreateRepository | cr:CreateRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename |
DeleteChartNamespace | cr:DeleteNamespace | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename |
DeleteChartRelease | cr:DeleteChartRelease | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname |
DeleteChartRepository | cr:DeleteRepository | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname |
DeleteInstanceEndpointAclPolicy | cr:DeleteInstanceEndpointAclPolicy | acs:cr:$regionid:$accountid:instance/$instanceid |
DeleteInstanceVpcEndpointLinkedVpc | cr:DeleteInstanceVpcEndpointLinkedVpc | acs:cr:$regionid:$accountid:instance/$instanceid |
DeleteNamespace | cr:DeleteNamespace | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename |
DeleteRepoBuildRule | cr:DeleteRepositoryBuildRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
DeleteRepoSyncRule | cr:DeleteSyncRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
DeleteRepoTag | cr:DeleteRepositoryTag | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
DeleteRepoTrigger | cr:DeleteWebHook | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
DeleteRepository | cr:DeleteRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
UpdateChartNamespace | cr:UpdateNamespace | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename |
UpdateChartRepository | cr:UpdateRepository | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname |
UpdateInstanceEndpointStatus | cr:UpdateInstanceEndpointStatus | acs:cr:$regionid:$accountid:instance/$instanceid |
UpdateNamespace | cr:UpdateNamespace | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename |
UpdateRepoBuildRule | cr:UpdateRepositoryBuildRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
UpdateRepoTrigger | cr:UpdateWebHook | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
UpdateRepository | cr:UpdateRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
PullRepository | cr:PullRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
PushRepository | cr:PushRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
PullChart | cr:PullChart | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname |
PushChart | cr:PushChart | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname |
PutScan | cr:PutScan | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
GetScan | cr:GetScan | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
GetScanStatus | cr:GetScanStatus | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
ListScanResult | cr:ListScanResult | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
GetScanCount | cr:GetScanCount | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
GetArtifactBuildRule | cr:GetArtifactBuildRule | acs:cr:$regionid:$accountid:instance/$instanceid |
GetPersonalInstanceDomainAccessStatus | cr:GetPersonalInstanceDomainAccessStatus | acs:cr:$regionid:$accountid:instance/$instanceid |
ListRepositoryVulTagCount | cr:ListRepoVulTagCount | acs:cr:$regionid:$accountid:instance/$instanceid |