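Before a RAM user can call the Container Registry Enterprise Edition API, the Alibaba Cloud account must grant permissions to that RAM user by creating an authorization policy. In the policy, the resource being authorized is specified by its Alibaba Cloud Resource Name (ARN).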

Container Registry authorization rules

  • Resource description
    When permissions are granted through RAM, resources are described as shown in the following table:
    Resource type  Resource description in the authorization policy
    *              acs:cr:$regionid:$accountid:*
    instance       acs:cr:$regionid:$accountid:instance/$instanceid
    repository     acs:cr:$regionid:$accountid:repository/$instanceid/*
                   acs:cr:$regionid:$accountid:repository/$instanceid
                   acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/*
                   acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
                   acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename
    chart          acs:cr:$regionid:$accountid:chart/$instanceid/*
                   acs:cr:$regionid:$accountid:chart/$instanceid
                   acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/*
                   acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename
                   acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname

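    The parameters are described in the following table:
    Parameter            Description
    regionid             Region ID. Can be replaced with *.
    accountid            Numeric ID of the Alibaba Cloud account. Can be replaced with *.
    instanceid           ID of the Container Registry Enterprise Edition instance.
    namespacename        Name of the namespace.
    repositoryname       Name of the image repository.
    chartnamespacename   Name of the chart namespace.
    chartrepositoryname  Name of the chart repository.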
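  • Authorization rules
    When a RAM user or an STS-based caller accesses the Container Registry API, Container Registry asks RAM to check permissions to make sure the caller holds the required permissions. Each API determines which resources to check based on the resources it involves and on its semantics. The following table lists, for each API, the action and the resource that are checked:
    Note: * is a wildcard.
    API Action Resource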
    GetAuthorizationToken cr:GetAuthorizationToken *
    GetChartNamespace cr:GetNamespace acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename
    GetChartRepository cr:GetRepository acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
    GetInstance cr:GetInstance acs:cr:$regionid:$accountid:instance/$instanceid
    GetInstanceCount cr:ListInstance *
    GetInstanceEndpoint cr:GetInstanceEndpoint acs:cr:$regionid:$accountid:instance/$instanceid
    GetInstanceUsage cr:GetInstanceUsage acs:cr:$regionid:$accountid:instance/$instanceid
    GetInstanceVpcEndpoint cr:GetInstanceVpcEndpoint acs:cr:$regionid:$accountid:instance/$instanceid
    GetNamespace cr:GetNamespace acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename
    GetRepoBuildRecord cr:GetRepositoryBuildRecord acs:cr:$regionid:$accountid:repository/$instanceid
    GetRepoBuildRecordStatus cr:GetBuildRepositoryStatus acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    GetRepoSyncTask cr:GetRepositorySync acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    GetRepoTagLayers cr:GetRepositoryLayers acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    GetRepoTagManifest cr:GetRepositoryManifest acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    GetRepoTagScanTask cr:GetScan acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    GetRepository cr:GetRepository acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListChartNamespace cr:ListNamespace acs:cr:$regionid:$accountid:chart/$instanceid/*
    ListChartRelease cr:ListChartRelease acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
    ListChartRepository cr:ListRepository acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/*
    ListInstance cr:ListInstance *
    ListInstanceEndpoint cr:ListInstanceEndpoint acs:cr:$regionid:$accountid:repository/$instanceid
    ListNamespace cr:ListNamespace acs:cr:$regionid:$accountid:repository/$instanceid/*
    ListRepoBuildRecord cr:ListRepositoryBuild acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoBuildRecordLog cr:GetRepositoryBuildLog acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoBuildRule cr:ListRepositoryBuildRule acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoSyncRule cr:ListSyncRule acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoSyncTask cr:GetRepositorySync acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoTag cr:ListRepositoryTag acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoTrigger cr:ListWebHook acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoTriggerLog cr:GetWebHookLog acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoTriggerRecord cr:GetWebHookLog acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepository cr:ListRepository acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/*
    CancelRepoBuildRecord cr:CancelBuildRepository acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    CreateBuildRecordByRule cr:BuildRepositoryByRule acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    CreateChartNamespace cr:CreateNamespace acs:cr:$regionid:$accountid:chart/$instanceid
    CreateInstanceEndpointAclPolicy cr:CreateInstanceEndpointAclPolicy acs:cr:$regionid:$accountid:instance/$instanceid
    CreateInstanceVpcEndpointLinkedVpc cr:CreateInstanceVpcEndpointLinkedVpc acs:cr:$regionid:$accountid:instance/$instanceid
    CreateNamespace cr:CreateNamespace acs:cr:$regionid:$accountid:repository/$instanceid
    CreateRepoBuildRule cr:CreateRepositoryBuildRule acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    CreateRepoSyncRule cr:CreateSyncRule acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    CreateRepoSyncTaskByRule cr:CreateRepositorySync acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    CreateRepoTrigger cr:CreateWebHook acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    CreateRepository cr:CreateRepository acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename
    DeleteChartNamespace cr:DeleteNamespace acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename
    DeleteChartRelease cr:DeleteChartRelease acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
    DeleteChartRepository cr:DeleteRepository acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
    DeleteInstanceEndpointAclPolicy cr:DeleteInstanceEndpointAclPolicy acs:cr:$regionid:$accountid:instance/$instanceid
    DeleteInstanceVpcEndpointLinkedVpc cr:DeleteInstanceVpcEndpointLinkedVpc acs:cr:$regionid:$accountid:instance/$instanceid
    DeleteNamespace cr:DeleteNamespace acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename
    DeleteRepoBuildRule cr:DeleteRepositoryBuildRule acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    DeleteRepoSyncRule cr:DeleteSyncRule acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    DeleteRepoTag cr:DeleteRepositoryTag acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    DeleteRepoTrigger cr:DeleteWebHook acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    DeleteRepository cr:DeleteRepository acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    UpdateChartNamespace cr:UpdateNamespace acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename
    UpdateChartRepository cr:UpdateRepository acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
    UpdateInstanceEndpointStatus cr:UpdateInstanceEndpointStatus acs:cr:$regionid:$accountid:instance/$instanceid
    UpdateNamespace cr:UpdateNamespace acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename
    UpdateRepoBuildRule cr:UpdateRepositoryBuildRule acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    UpdateRepoTrigger cr:UpdateWebHook acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    UpdateRepository cr:UpdateRepository acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    PullRepository cr:PullRepository acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    PushRepository cr:PushRepository acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    PullChart cr:PullChart acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
    PushChart cr:PushChart acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
    PutScan cr:PutScan acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    GetScan cr:GetScan acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    GetScanStatus cr:GetScanStatus acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListScanResult cr:ListScanResult acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    GetScanCount cr:GetScanCount acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
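
The following is an added example, not part of the original documentation or of any Alibaba Cloud tooling: it takes a few rows of the table above and checks which of those API calls two candidate policies would permit, which makes visible that a `$namespacename/*` grant does not cover the bare `$namespacename` resource checked for CreateRepository, nor the `*` resource checked for GetAuthorizationToken. The identifiers in `IDS` and both policies are constructed samples, and the matcher is an assumed simplified model (`*` matches any run of characters, explicit Deny wins), not RAM's actual evaluator.

```python
import re

# Subset of the rule table above: API -> (Action, Resource template).
REPO = "acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename"
RULES = {
    "GetAuthorizationToken": ("cr:GetAuthorizationToken", "*"),
    "ListRepository": ("cr:ListRepository", REPO + "/*"),
    "CreateRepository": ("cr:CreateRepository", REPO),
    "PullRepository": ("cr:PullRepository", REPO + "/$repositoryname"),
    "PushRepository": ("cr:PushRepository", REPO + "/$repositoryname"),
}
# Constructed sample identifiers (placeholders, not real resources).
IDS = dict(regionid="cn-hangzhou", accountid="1234567890123456",
           instanceid="cri-example", namespacename="team-a", repositoryname="app")

def required(api, ids=IDS):
    """(action, resource) pair that the table says is checked for this API."""
    action, template = RULES[api]
    return action, re.sub(r"\$(\w+)", lambda m: ids[m.group(1)], template)

def matches(pattern, value):
    # Assumed simplified model: '*' in a policy matches any run of characters.
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), value) is not None

def listed(x):
    return [x] if isinstance(x, str) else x

def is_allowed(policy, action, resource):
    """Explicit Deny wins; otherwise some Allow statement must match."""
    allowed = False
    for st in policy["Statement"]:
        hit = (any(matches(a, action) for a in listed(st["Action"]))
               and any(matches(r, resource) for r in listed(st["Resource"])))
        if hit and st["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and st["Effect"] == "Allow")
    return allowed

def audit(policy):
    """Map each API in RULES to whether the policy permits it for IDS."""
    return {api: is_allowed(policy, *required(api)) for api in RULES}

PULL_ONLY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "cr:GetAuthorizationToken", "Resource": "*"},
    {"Effect": "Allow", "Action": "cr:PullRepository",
     "Resource": "acs:cr:*:*:repository/cri-example/team-a/app"}]}
NAMESPACE_WIDE = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "cr:*",
     "Resource": "acs:cr:*:*:repository/cri-example/team-a/*"}]}
```

Running `audit` over a policy before attaching it shows both over-grants (PushRepository allowed by `cr:*`) and gaps relative to the rows of the table.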