Alibaba Cloud provides Resource Access Management (RAM) and Security Token Service (STS) to help you manage permissions flexibly and securely. This topic describes how to grant a system policy to a RAM user.
Prerequisites
You have created a RAM user with your Alibaba Cloud account. For more information, see Create a RAM user.
Background information
Alibaba Cloud provides a flexible and secure permission model through Resource Access Management (RAM) and Security Token Service (STS). By default, your Alibaba Cloud account has full permissions on all of its resources. With RAM and STS, you can grant different permissions for image resources to different RAM users and provide temporary access credentials. Before you configure a policy, we recommend that you read the RAM documentation.
After a RAM user is granted a policy, they must log on to the Container Registry console, create a Personal Edition instance, and set a registry password. Only then can the user view the image resources they are permitted to access.
RAM notes
When you use RAM to grant permissions to a RAM user, note the following to avoid granting excessive permissions.
If you grant the AdministratorAccess policy to a RAM user, that user gains full permissions for Container Registry, regardless of any other Container Registry-specific policies you have attached.
System policies
Container Registry provides two built-in system policies: AliyunContainerRegistryFullAccess and AliyunContainerRegistryReadOnlyAccess. You can grant them directly to users.
AliyunContainerRegistryFullAccess
A RAM user with this policy has the same permissions on image resources as an Alibaba Cloud account and can perform any operation.
{
  "Statement": [
    {
      "Action": "cr:*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
AliyunContainerRegistryReadOnlyAccess
A RAM user with this policy has read-only permissions on all image resources. For example, they can view repository lists and pull images.
{
  "Statement": [
    {
      "Action": [
        "cr:Get*",
        "cr:List*",
        "cr:Pull*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
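To make the effect of these two policies concrete, and to show why the RAM note above warns about AdministratorAccess, here is an added Python example that is not part of the Alibaba Cloud documentation. It is a small deny-by-default evaluator over RAM-style policy documents: the two Container Registry policies are copied from this page, while the AdministratorAccess stand-in, the explicit-Deny policy and the cr: action names are constructed for illustration and are assumptions, not Alibaba Cloud's actual definitions.

```python
import fnmatch
import json

# The two system policy documents exactly as shown on this page.
FULL_ACCESS = json.loads(
    '{"Statement": [{"Action": "cr:*", "Effect": "Allow", "Resource": "*"}], "Version": "1"}'
)
READ_ONLY = json.loads(
    '{"Statement": [{"Action": ["cr:Get*", "cr:List*", "cr:Pull*"], '
    '"Effect": "Allow", "Resource": "*"}], "Version": "1"}'
)
# Constructed stand-in for AdministratorAccess: every action on every resource.
# (Assumption for illustration; not copied from Alibaba Cloud.)
ADMINISTRATOR_ACCESS = {
    "Statement": [{"Action": "*", "Effect": "Allow", "Resource": "*"}],
    "Version": "1",
}
# Constructed explicit-Deny policy, used to show that Deny overrides Allow.
DENY_PULL = {
    "Statement": [{"Action": "cr:Pull*", "Effect": "Deny", "Resource": "*"}],
    "Version": "1",
}
# Constructed sample action names; illustrative only, not a list of real cr: actions.
SAMPLE_ACTIONS = [
    "cr:GetRepository", "cr:ListRepositories", "cr:PullRepository",
    "cr:CreateRepository", "cr:DeleteRepository", "ecs:StartInstance",
]


def _as_list(value):
    """RAM allows Action and Resource to be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _matches(candidate, patterns):
    # '*' in a policy document is a wildcard; fnmatchcase keeps the comparison case-sensitive.
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def is_allowed(policies, action, resource="*"):
    """Deny-by-default evaluation across every policy attached to a principal:
    an explicit Deny that matches wins outright, otherwise any matching Allow
    grants the request, otherwise the request is denied."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(action, stmt["Action"]) and _matches(resource, stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def allowed_actions(policies, actions=SAMPLE_ACTIONS):
    """Return the subset of candidate actions that the attached policies permit."""
    return [a for a in actions if is_allowed(policies, a)]


if __name__ == "__main__":
    for name, policies in [
        ("ReadOnlyAccess", [READ_ONLY]),
        ("FullAccess", [FULL_ACCESS]),
        ("ReadOnlyAccess + AdministratorAccess", [READ_ONLY, ADMINISTRATOR_ACCESS]),
        ("FullAccess + explicit Deny on cr:Pull*", [FULL_ACCESS, DENY_PULL]),
    ]:
        print(f"{name}: {allowed_actions(policies)}")
```

Run with no arguments to print what each combination permits. The third combination is the point of the RAM note above: once AdministratorAccess is attached, the read-only policy no longer constrains the user, because evaluation is a union of Allow statements and only an explicit Deny can take permissions away.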
Procedure
This section describes how to grant the AliyunContainerRegistryReadOnlyAccess policy to a RAM user.
Log on to the RAM console.
In the left-side navigation pane, choose .
On the Users page, find the RAM user and click Actions in the Attach Policy column.
Alternatively, you can select multiple RAM users and click Attach Policy at the bottom of the list to grant permissions to them all at once.
Authorize
Select an authorization scope.
Account: The permissions apply within the current Alibaba Cloud account.
Resource group: The permissions apply within the specified resource group.
Note: To grant permissions at the resource group level, the cloud service must support resource groups. For more information, see Services that support resource groups.
Specify the principal.
The principal is the user who will receive the permissions. The RAM user you selected is automatically specified as the principal.
In the Policies search box, search for AliyunContainerRegistryReadOnlyAccess, and then click AliyunContainerRegistryReadOnlyAccess in the results list.
Click OK.
Click Off.
Related documentation
To implement fine-grained access control, see Grant a custom policy to a RAM user.
For more information about authentication rules, see RAM authorization.