In multi-tenant scenarios, RAM users can obtain access credentials to access Enterprise Edition instances. If an employee leaves your organization or a password is compromised, you can clear the user's password to secure the instance. This topic explains how to use an Alibaba Cloud account or a RAM user to view and clear a password, and how to prevent the user from creating a new one.
Usage notes
- After you clear a password, you can no longer use it to push or pull artifacts, such as container images and Helm charts.
- Before you clear a password, evaluate all potential risks.
- Alibaba Cloud account permissions: An Alibaba Cloud account can clear its own password and those of all its RAM users across all of its Container Registry Enterprise Edition instances.
- RAM user permissions: A RAM user that has been granted the required permissions can manage the passwords of other RAM users.
- After clearing a password, the user can still set a new one. To prevent the user from setting a new password, see Prohibit a RAM user from setting a password for the target instance.
Grant instance management permissions to a RAM user
By default, an Alibaba Cloud account has full permissions to manage all its Container Registry Enterprise Edition instances. If you are using an Alibaba Cloud account, you can proceed directly to Clear a password. If you are using a RAM user, you must first ensure that the RAM user has the required permissions to manage the instance.
- Create a custom policy using the following policy document. For more information, see Create a custom policy.
  Note: You can control a RAM user's permissions by specifying the Resource in the policy. The following example shows how to grant permissions to manage the instance cri-123456 in the China (Hangzhou) region. Replace the placeholders as follows:
  - $regionId: The region ID of the target Enterprise Edition instance. For example, cn-hangzhou.
  - $userId: The user ID (UID) of your Alibaba Cloud account. For example, *.
  - $instanceId: The ID of the target Enterprise Edition instance. For example, cri-123456.
  {
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "ram:ListUserBasicInfos",
          "cr:ListInstance"
        ],
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": [
          "cr:GetInstance",
          "cr:ListInstanceUser",
          "cr:RevokeInstanceUserLoginPassword"
        ],
        "Resource": [
          "acs:cr:$regionId:$userId:instance/$instanceId"
        ]
      }
    ],
    "Version": "1"
  }
- Attach the custom policy to the target RAM user. For more information, see Grant permissions to a RAM user.
Clear a password
This feature is available only to users with permissions to manage the instance.
- Log on to the Container Registry console.
- In the top navigation bar, select a region.
- On the Instances page, click the Enterprise Edition instance that you want to manage.
- In the left-side navigation pane, choose .
- On the Access Credentials page, click the Instance Access Credentials tab. A list of users who have set a password appears. The list contains user information and password information.
  Note: This list shows only password records.
  - User information: includes the username, user ID, User Type, and User Status.
  - Password information: includes the Access Credential Status and Access Credential Setting Time.
- Find the target user, and in the Actions column, click Clear Password.
  Important: Before you clear the password, ensure that no applications or services depend on it.
Prohibit a RAM user from setting a password
After you clear a RAM user's password, the user can still set a new one. To prevent the user from setting a new password, you can restrict them with a permission policy.
- Create a custom policy using the following policy document. For more information, see Create a custom policy.
  {
    "Statement": [
      {
        "Effect": "Deny",
        "Action": [
          "cr:ResetLoginPassword"
        ],
        "Resource": [
          "acs:cr:$regionId:$userId:instance/$instanceId"
        ]
      }
    ],
    "Version": "1"
  }
- Attach the custom policy to the target RAM user. For more information, see Grant permissions to a RAM user.