You can use Resource Access Management (RAM) and Security Token Service (STS) to control access to your image resources. This allows you to assign specific permissions to different RAM users and grant temporary access when needed.
Prerequisites
You have created a RAM user with your Alibaba Cloud account. For more information, see Create a RAM user.
Background information
Alibaba Cloud provides a flexible and secure permission model through Resource Access Management (RAM) and Security Token Service (STS). By default, your Alibaba Cloud account has full permissions on all of its resources. With RAM and STS, you can grant different permissions for image resources to different RAM users and provide temporary access credentials. Before you configure a policy, we recommend that you read the RAM documentation.
After a RAM user is granted a policy, they must log on to the Container Registry console, create a Personal Edition instance, and set a registry password. Only then can the user view the image resources they are permitted to access.
RAM notes
When you use RAM to grant permissions to a RAM user, note the following to avoid granting excessive permissions.
If you grant the AdministratorAccess policy to a RAM user, that user gains full permissions for Container Registry, regardless of any other Container Registry-specific policies you have attached.
Grant a system policy to a RAM user
Container Registry provides two default system policies: AliyunContainerRegistryFullAccess and AliyunContainerRegistryReadOnlyAccess. You can attach these policies directly to RAM users.
AliyunContainerRegistryFullAccess
A RAM user with this policy has the same permissions for image resources as the root Alibaba Cloud account and can perform any operation.
{
  "Statement": [
    {
      "Action": "cr:*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
AliyunContainerRegistryReadOnlyAccess
When this policy is attached, a RAM user has read-only permissions for all image resources. For example, the user can view the list of repositories and pull an image.
{
  "Statement": [
    {
      "Action": [
        "cr:Get*",
        "cr:List*",
        "cr:PullRepository"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
This section describes how to grant the AliyunContainerRegistryReadOnlyAccess policy to a RAM user.
Log on to the RAM console.
In the left-side navigation pane, choose .
On the Users page, find the RAM user and click Actions in the Attach Policy column.
Alternatively, you can select multiple RAM users and click Attach Policy at the bottom of the list to grant permissions to them all at once.
Authorize
Select an authorization scope.
Account: The permissions apply within the current Alibaba Cloud account.
Resource Group: The permissions apply only within the specified resource group.
Note: To grant permissions at the resource group level, the cloud service must support resource groups. For more information, see Services that support resource groups.
Specify the principal.
The principal is the user who will receive the permissions. The RAM user you selected is automatically specified as the principal.
In the Policies search box, search for AliyunContainerRegistryReadOnlyAccess, and then click AliyunContainerRegistryReadOnlyAccess in the results list.
Click OK.
Click Off.
Grant a custom policy to a RAM user
For more fine-grained access control, you can create a custom policy and grant it to a RAM user.
Policy examples for common scenarios
The following examples show custom policies for common scenarios:
Scenario 1: Grant a RAM user read-only permissions on a specific namespace, for example, juzhong.
After the RAM user logs on to the instance, they can pull all images from this namespace and use the API to view information about the namespace and its repositories.
{
  "Statement": [
    {
      "Action": [
        "cr:Get*",
        "cr:List*",
        "cr:PullRepository"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:cr:*:*:repository/juzhong/*"
      ]
    }
  ],
  "Version": "1"
}
Important: If the RAM user also needs to view the namespace in the console, you must grant an additional permission. The following policy allows the user to view all namespaces and repositories, but they can only pull images from the juzhong namespace.
{
  "Statement": [
    {
      "Action": [
        "cr:Get*",
        "cr:List*",
        "cr:PullRepository"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:cr:*:*:repository/juzhong/*"
      ]
    },
    {
      "Action": [
        "cr:ListNamespace",
        "cr:ListRepository"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    }
  ],
  "Version": "1"
}
Scenario 2: Grant a RAM user all permissions on a specific image repository. For example, the repository is named nginx in the juzhong namespace in the China (Hangzhou) region.
Important: To allow the RAM user to manage the image repository from the console, you must also add the console access permissions described in Scenario 1.
{
  "Statement": [
    {
      "Action": [
        "cr:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:cr:cn-hangzhou:*:repository/juzhong/nginx"
      ]
    },
    {
      "Action": [
        "cr:Get*",
        "cr:List*"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:cr:*:*:repository/juzhong"
      ]
    }
  ],
  "Version": "1"
}
Scenario 3: Grant a RAM user all permissions for a specific namespace.
Important: This scenario is for API access only. To allow the user to view all repositories in the console, refer to the configuration in Scenario 1.
{
  "Statement": [
    {
      "Action": [
        "cr:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:cr:cn-hangzhou:*:repository/juzhong",
        "acs:cr:cn-hangzhou:*:repository/juzhong/*"
      ]
    }
  ],
  "Version": "1"
}
You can use the policy examples from the preceding scenarios to create and grant a custom policy. Follow these steps:
Create a custom policy.
Log on to the RAM console with your Alibaba Cloud account.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON Editor tab and enter the policy document in the editor. For more information about the policy syntax, see Policy structure and syntax.
Note: When editing the policy, refer to Authentication rules for Container Registry for the correct Action and Resource configurations.
Click Confirm. Then, in the Create Policy dialog box, enter a Policy Name and Notes.
Grant the custom policy to a RAM user.
Log on to the RAM console with your Alibaba Cloud account.
In the left-side navigation pane, choose .
On the User page, find the target RAM user and click Add Permission in the Actions column.
In the Authorize panel, grant permissions to the RAM user.
Select an authorization scope.
Account: The permissions take effect within the current Alibaba Cloud account.
Resource Group: The permissions take effect only within the specified resource group.
Note: To grant permissions on a resource group, make sure that the cloud service supports resource groups. For more information, see Services that work with Resource Group.
Specify the Principal.
The principal is the RAM user who will receive the permissions. The current RAM user is automatically selected. You can also add other RAM users.
In the All Types section, click Custom Policy. Enter the name of the policy that you created in the search box, and then click the policy name from the results.
Click OK.
Click Off.
Authentication rules
Resource ARN format
When you grant permissions by using RAM, you must specify the resources in the following format:
| Resource type | Resource ARN format |
| --- | --- |
| repository | acs:cr:$regionid:$accountid:repository/$namespacename/$repositoryname |
The following table describes the parameters in the resource ARN.
| Parameter | Description |
| --- | --- |
| regionid | The region ID. You can use an asterisk (*) as a wildcard. |
| accountid | The numeric ID of the Alibaba Cloud account. You can use an asterisk (*) as a wildcard. |
| namespacename | The name of the namespace. |
| repositoryname | The name of the image repository. |
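The custom policy scenarios above and the ARN format in this table, exercised in an added example that is not Alibaba Cloud's or this page's own code: a small offline Python evaluator that shows which requests the Scenario 1 read-only policy allows, with and without the extra statement the console needs. The account ID, the modelling of a namespace listing as an account-wide resource, and cr:DeleteRepository as a stand-in write action are assumptions.

```python
import fnmatch
import json

# Added example, not Alibaba Cloud's own code: an offline evaluator for the
# Allow-only Container Registry policies shown on this page. It implements only
# glob-style '*' matching of Action and Resource; the RAM service is the real authority.

def build_arn(region_id, account_id, namespace_name, repository_name=""):
    """Repository ARN in the page's format; empty repository_name gives the namespace-level ARN."""
    arn = f"acs:cr:{region_id}:{account_id}:repository/{namespace_name}"
    return f"{arn}/{repository_name}" if repository_name else arn

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource):
    """True if some Allow statement matches both the action and the resource ARN."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])) and \
           any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            return True
    return False

# Scenario 1 policy copied from the page (read-only on the juzhong namespace).
SCENARIO1_API_ONLY = json.loads(
    '{"Statement":[{"Action":["cr:Get*","cr:List*","cr:PullRepository"],"Effect":"Allow",'
    '"Resource":["acs:cr:*:*:repository/juzhong/*"]}],"Version":"1"}')
# The same policy plus the extra statement the page says the console needs.
SCENARIO1_CONSOLE = json.loads(json.dumps(SCENARIO1_API_ONLY))
SCENARIO1_CONSOLE["Statement"].append(
    {"Action": ["cr:ListNamespace", "cr:ListRepository"], "Effect": "Allow", "Resource": ["*"]})

# Constructed requests; the account ID is a placeholder. Listing namespaces is not
# tied to one repository, so it is modelled (an assumption) as targeting
# acs:cr:<region>:<account>:*. cr:DeleteRepository stands in for any write action.
ACCOUNT = "123456789012"
NGINX = build_arn("cn-hangzhou", ACCOUNT, "juzhong", "nginx")
OTHER_NS = build_arn("cn-hangzhou", ACCOUNT, "other", "nginx")
ACCOUNT_WIDE = f"acs:cr:cn-hangzhou:{ACCOUNT}:*"

def scenario1_checks(policy):
    """Access decisions a reviewer would confirm before attaching the policy."""
    return {
        "pull from juzhong": is_allowed(policy, "cr:PullRepository", NGINX),
        "pull from other namespace": is_allowed(policy, "cr:PullRepository", OTHER_NS),
        "write to juzhong": is_allowed(policy, "cr:DeleteRepository", NGINX),
        "list namespaces (console)": is_allowed(policy, "cr:ListNamespace", ACCOUNT_WIDE),
    }
```

Running scenario1_checks on both policies shows that the API-only policy already blocks pulls from other namespaces and all writes, and that only the second policy turns the console listing check on.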