阿里云权限管理机制包括访问控制(简称 RAM)和安全凭证管理(简称 STS),灵活使用 RAM 和 STS,可以极大地提高管理的灵活性和安全性。本文介绍如何在不同的场景下配置仓库的访问控制。

背景信息

默认情况下,主帐号对自己的资源拥有完整的操作权限。借助 RAM 和 STS,可以使不同的子账号拥有访问镜像资源的不同权限,同时也支持为用户提供临时的访问授权。在了解如何配置授权策略前,请先详细阅读 RAM 产品文档

系统策略配置

  • AliyunContainerRegistryFullAccess

    子用户拥有该授权后,对于镜像资源的权限等同于主账号,可以做任意操作。

    {
  "Statement": [
    {
      "Action": "cr:*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
  • AliyunContainerRegistryReadOnlyAccess

    子用户拥有该授权后,对于所有镜像资源有只读权限,例如:可以查看仓库列表,Pull 镜像等。

    {
  "Statement": [
    {
      "Action": [
        "cr:Get*",
        "cr:List*",
        "cr:PullRepository"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}

典型场景策略配置

若用户子账号需要调用容器镜像服务开放的 OpenAPI,需要参照镜像服务鉴权规则授予子账号相应的操作权限;若用户子账号需要使用容器镜像服务控制台,建议为子账号配置额外的权限策略: 

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cr:ListInstance*",
                "cr:GetInstance*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cr:GetInstance*",
                "cr:ListInstance*"
            ],
            "Resource": "acs:cr:$regionid:$accountid:instance/$instanceid"
        }
    ],
    "Version": "1"
}

RAM 说明

在使用 RAM 对子账号授权时,请特别关注下面的说明,以免您为子账号授予过大的权限。

如果您通过 RAM 为某一个子账号授予阿里云所有资源的管理权限(即 AdministratorAccess),无论您之前是否为该子账号授予过镜像服务的权限,该子账号都将拥有对镜像服务的全部权限。

镜像服务鉴权规则

  • 资源描述

    在通过RAM进行授权时,资源的描述方式如下表所示:

    资源类型 授权策略中的资源描述
    * acs:cr:$regionid:$accountid:*
    instance acs:cr:$regionid:$accountid:instance/$instanceid
    repository

    acs:cr:$regionid:$accountid:repository/$instanceid/*

    acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/*

    acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname

    acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename
    chart

    acs:cr:$regionid:$accountid:chart/$instanceid/*

    acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/*

    acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename

    acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/<br>$chartrepositoryname

    参数说明,如下表所示:

    参数名称 说明
    $regionid 地域 ID,可用*代替。
    $accountid 云账号数字 ID,可用 * 代替。
    $instanceid 容器镜像服务企业版实例 ID
    $namespacename 命名空间名称。
    $repositoryname 镜像仓库名称。
    $chartnamespacename Chart 镜像命名空间名称。
    $chartrepositoryname Chart 镜像仓库名称。
  • 鉴权规则

    子账号或者 STS 方式访问镜像服务 API 时,镜像服务会向 RAM 进行权限检查,以确保调用者拥有相应权限。每个 API 会根据涉及到的资源以及 API 的语义来确定需要检查哪些资源的权限。每个 API 的鉴权规则如下表所示:

    API 鉴权Action 鉴权Resource
    GetAuthorizationToken cr:GetAuthorizationToken *
    GetChartNamespace cr:GetNamespace acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename
    GetChartRepository cr:GetRepository acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
    GetInstance cr:GetInstance acs:cr:$regionid:$accountid:instance/$instanceid
    GetInstanceCount cr:ListInstance *
    GetInstanceEndpoint cr:GetInstanceEndpoint acs:cr:$regionid:$accountid:instance/$instanceid
    GetInstanceUsage cr:GetInstanceUsage acs:cr:$regionid:$accountid:instance/$instanceid
    GetInstanceVpcEndpoint cr:GetInstanceVpcEndpoint acs:cr:$regionid:$accountid:instance/$instanceid
    GetNamespace cr:GetNamespace acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename
    GetRepoBuildRecord cr:GetRepositoryBuildRecord acs:cr:$regionid:$accountid:repository/$instanceid
    GetRepoBuildRecordStatus cr:GetBuildRepositoryStatus acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    GetRepoSyncTask cr:GetRepositorySync acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    GetRepoTagLayers cr:GetRepositoryLayers acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    GetRepoTagManifest cr:GetRepositoryManifest acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    GetRepoTagScanTask cr:GetScan acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    GetRepository cr:GetRepository acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListChartNamespace cr:ListNamespace acs:cr:$regionid:$accountid:chart/$instanceid/*
    ListChartRelease cr:ListChartRelease acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
    ListChartRepository cr:ListRepository acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/*
    ListInstance cr:ListInstance *
    ListInstanceEndpoint cr:ListInstanceEndpoint acs:cr:$regionid:$accountid:repository/$instanceid
    ListNamespace cr:ListNamespace acs:cr:$regionid:$accountid:repository/$instanceid/*
    ListRepoBuildRecord cr:ListRepositoryBuild acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoBuildRecordLog cr:GetRepositoryBuildLog acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoBuildRule cr:ListRepositoryBuildRule acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoSyncRule cr:ListSyncRule acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoSyncTask cr:GetRepositorySync acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoTag cr:ListRepositoryTag acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoTrigger cr:ListWebHook acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoTriggerLog cr:GetWebHookLog acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepoTriggerRecord cr:GetWebHookLog acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    ListRepository cr:ListRepository acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/*
    CancelRepoBuildRecord cr:CancelBuildRepository acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    CreateBuildRecordByRule cr:BuildRepositoryByRule acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    CreateChartNamespace cr:CreateNamespace acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename
    CreateInstanceEndpointAclPolicy cr:CreateInstanceEndpointAclPolicy acs:cr:$regionid:$accountid:instance/$instanceid
    CreateInstanceVpcEndpointLinkedVpc cr:CreateInstanceVpcEndpointLinkedVpc acs:cr:$regionid:$accountid:instance/$instanceid
    CreateNamespace cr:CreateNamespace acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename
    CreateRepoBuildRule cr:CreateRepositoryBuildRule acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    CreateRepoSyncRule cr:CreateSyncRule acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    CreateRepoSyncTaskByRule cr:CreateRepositorySync acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    CreateRepoTrigger cr:CreateWebHook acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    CreateRepository cr:CreateRepository acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename
    DeleteChartNamespace cr:DeleteNamespace acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename
    DeleteChartRelease cr:DeleteChartRelease acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
    DeleteChartRepository cr:DeleteRepository acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
    DeleteInstanceEndpointAclPolicy cr:DeleteInstanceEndpointAclPolicy acs:cr:$regionid:$accountid:instance/$instanceid
    DeleteInstanceVpcEndpointLinkedVpc cr:DeleteInstanceVpcEndpointLinkedVpc acs:cr:$regionid:$accountid:instance/$instanceid
    DeleteNamespace cr:DeleteNamespace acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename
    DeleteRepoBuildRule cr:DeleteRepositoryBuildRule acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    DeleteRepoSyncRule cr:DeleteSyncRule acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    DeleteRepoTag cr:DeleteRepositoryTag acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    DeleteRepoTrigger cr:DeleteWebHook acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    DeleteRepository cr:DeleteRepository acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    UpdateChartNamespace cr:UpdateNamespace acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename
    UpdateChartRepository cr:UpdateRepository acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
    UpdateInstanceEndpointStatus cr:UpdateInstanceEndpointStatus acs:cr:$regionid:$accountid:instance/$instanceid
    UpdateNamespace cr:UpdateNamespace acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename
    UpdateRepoBuildRule cr:UpdateRepositoryBuildRule acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    UpdateRepoTrigger cr:UpdateWebHook acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
    UpdateRepository cr:UpdateRepository acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname