Configure RAM access control for repositories
Alibaba Cloud's permission management consists of Resource Access Management (RAM) and Security Token Service (STS). Used together, RAM and STS greatly improve both the flexibility and the security of administration. This topic describes how to configure access control for repositories in different scenarios.
Prerequisites
A RAM user has been created with your Alibaba Cloud account. For details, see Create a RAM user.
Background information
By default, an Alibaba Cloud account has full permissions on its own resources. With RAM and STS, different RAM users can be given different permissions on image resources, and temporary access authorization is also supported. Before configuring authorization policies, read the RAM product documentation in detail.
After a RAM user has been granted a policy, the RAM user must log on to the Container Registry console, create a Personal Edition instance and set a Registry password before the image resources it is authorized for become visible.
RAM notes
When you authorize RAM users through RAM, pay particular attention to the following note so that you do not grant a RAM user excessive permissions.
If you grant a RAM user management permissions on all Alibaba Cloud resources through RAM (that is, AdministratorAccess), that RAM user has full permissions on Container Registry, regardless of whether you previously granted it any Container Registry permissions.
Grant system policies to a RAM user
ACR provides the system policies AliyunContainerRegistryFullAccess and AliyunContainerRegistryReadOnlyAccess by default; you can attach them directly. The system policies are described below:
AliyunContainerRegistryFullAccess
A RAM user with this policy has the same permissions on image resources as the Alibaba Cloud account and can perform any operation.
{
  "Statement": [
    {
      "Action": "cr:*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
AliyunContainerRegistryReadOnlyAccess
A RAM user with this policy has read-only permissions on all image resources, for example, listing repositories and pulling images.
{
  "Statement": [
    {
      "Action": [
        "cr:Get*",
        "cr:List*",
        "cr:Pull*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
The following example grants a RAM user the AliyunContainerRegistryReadOnlyAccess policy:
Container Registry authorization rules
Resource description
When you authorize through RAM, resources are described as shown in the following table:
Resource type | Resource description in the authorization policy
--- | ---
* | acs:cr:$regionid:$accountid:*
instance | acs:cr:$regionid:$accountid:instance/$instanceid
repository | acs:cr:$regionid:$accountid:repository/$instanceid/*
repository | acs:cr:$regionid:$accountid:repository/$instanceid
repository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/*
repository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
repository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename
chart | acs:cr:$regionid:$accountid:chart/$instanceid/*
chart | acs:cr:$regionid:$accountid:chart/$instanceid
chart | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/*
chart | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename
chart | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
The parameters are described in the following table:
Parameter | Description
--- | ---
regionid | Region ID; * may be used instead.
accountid | Numeric ID of the Alibaba Cloud account; * may be used instead.
instanceid | ID of the Container Registry Enterprise Edition instance.
namespacename | Name of the namespace.
repositoryname | Name of the image repository.
chartnamespacename | Name of the chart namespace.
chartrepositoryname | Name of the chart repository.
Authorization rules
When a RAM user, or a caller using STS, accesses a Container Registry API, Container Registry asks RAM to check that the caller holds the required permission. For each API, the resources whose permissions are checked are determined by the resources the API touches and by the semantics of the API. The authorization rule for each API is listed in the following table.
Note: * denotes a wildcard.
API | Action checked | Resource checked
--- | --- | ---
GetAuthorizationToken | cr:GetAuthorizationToken | *
GetChartNamespace | cr:GetNamespace | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename
GetChartRepository | cr:GetRepository | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
GetInstance | cr:GetInstance | acs:cr:$regionid:$accountid:instance/$instanceid
GetInstanceCount | cr:ListInstance | *
GetInstanceEndpoint | cr:GetInstanceEndpoint | acs:cr:$regionid:$accountid:instance/$instanceid
GetInstanceUsage | cr:GetInstanceUsage | acs:cr:$regionid:$accountid:instance/$instanceid
GetInstanceVpcEndpoint | cr:GetInstanceVpcEndpoint | acs:cr:$regionid:$accountid:instance/$instanceid
GetNamespace | cr:GetNamespace | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename
GetRepoBuildRecord | cr:GetRepositoryBuildRecord | acs:cr:$regionid:$accountid:repository/$instanceid
GetRepoBuildRecordStatus | cr:GetBuildRepositoryStatus | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
GetRepoSyncTask | cr:GetRepositorySync | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
GetRepoTagLayers | cr:GetRepositoryLayers | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
GetRepoTagManifest | cr:GetRepositoryManifest | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
GetRepoTagScanTask | cr:GetScan | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
GetRepository | cr:GetRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
ListChartNamespace | cr:ListNamespace | acs:cr:$regionid:$accountid:chart/$instanceid/*
ListChartRelease | cr:ListChartRelease | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
ListChartRepository | cr:ListRepository | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/*
ListInstance | cr:ListInstance | *
ListInstanceEndpoint | cr:ListInstanceEndpoint | acs:cr:$regionid:$accountid:repository/$instanceid
ListNamespace | cr:ListNamespace | acs:cr:$regionid:$accountid:repository/$instanceid/*
ListRepoBuildRecord | cr:ListRepositoryBuild | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
ListRepoBuildRecordLog | cr:GetRepositoryBuildLog | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
ListRepoBuildRule | cr:ListRepositoryBuildRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
ListRepoSyncRule | cr:ListSyncRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
ListRepoSyncTask | cr:GetRepositorySync | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
ListRepoTag | cr:ListRepositoryTag | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
ListRepoTrigger | cr:ListWebHook | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
ListRepoTriggerLog | cr:GetWebHookLog | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
ListRepoTriggerRecord | cr:GetWebHookLog | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
ListRepository | cr:ListRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/*
CancelRepoBuildRecord | cr:CancelBuildRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
CreateBuildRecordByRule | cr:BuildRepositoryByRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
CreateChartNamespace | cr:CreateNamespace | acs:cr:$regionid:$accountid:chart/$instanceid
CreateInstanceEndpointAclPolicy | cr:CreateInstanceEndpointAclPolicy | acs:cr:$regionid:$accountid:instance/$instanceid
CreateInstanceVpcEndpointLinkedVpc | cr:CreateInstanceVpcEndpointLinkedVpc | acs:cr:$regionid:$accountid:instance/$instanceid
CreateNamespace | cr:CreateNamespace | acs:cr:$regionid:$accountid:repository/$instanceid
CreateRepoBuildRule | cr:CreateRepositoryBuildRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
CreateRepoSyncRule | cr:CreateSyncRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
CreateRepoSyncTaskByRule | cr:CreateRepositorySync | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
CreateRepoTrigger | cr:CreateWebHook | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
CreateRepository | cr:CreateRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename
DeleteChartNamespace | cr:DeleteNamespace | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename
DeleteChartRelease | cr:DeleteChartRelease | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
DeleteChartRepository | cr:DeleteRepository | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
DeleteInstanceEndpointAclPolicy | cr:DeleteInstanceEndpointAclPolicy | acs:cr:$regionid:$accountid:instance/$instanceid
DeleteInstanceVpcEndpointLinkedVpc | cr:DeleteInstanceVpcEndpointLinkedVpc | acs:cr:$regionid:$accountid:instance/$instanceid
DeleteNamespace | cr:DeleteNamespace | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename
DeleteRepoBuildRule | cr:DeleteRepositoryBuildRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
DeleteRepoSyncRule | cr:DeleteSyncRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
DeleteRepoTag | cr:DeleteRepositoryTag | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
DeleteRepoTrigger | cr:DeleteWebHook | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
DeleteRepository | cr:DeleteRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
UpdateChartNamespace | cr:UpdateNamespace | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename
UpdateChartRepository | cr:UpdateRepository | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
UpdateInstanceEndpointStatus | cr:UpdateInstanceEndpointStatus | acs:cr:$regionid:$accountid:instance/$instanceid
UpdateNamespace | cr:UpdateNamespace | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename
UpdateRepoBuildRule | cr:UpdateRepositoryBuildRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
UpdateRepoTrigger | cr:UpdateWebHook | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
UpdateRepository | cr:UpdateRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
PullRepository | cr:PullRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
PushRepository | cr:PushRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
PullChart | cr:PullChart | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
PushChart | cr:PushChart | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname
PutScan | cr:PutScan | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
GetScan | cr:GetScan | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
GetScanStatus | cr:GetScanStatus | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
ListScanResult | cr:ListScanResult | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
GetScanCount | cr:GetScanCount | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname
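To see what a policy actually grants before attaching it, the following added example (not Alibaba Cloud's code) evaluates the two system policies above, plus a constructed namespace-scoped pull-only policy, against Action/Resource pairs taken from the table above; the region, account ID, instance ID and namespace/repository names are placeholders.

```python
from fnmatch import fnmatchcase

# The two system policies quoted on this page.
FULL_ACCESS = {"Statement": [{"Action": "cr:*", "Effect": "Allow",
                              "Resource": "*"}], "Version": "1"}
READ_ONLY = {"Statement": [{"Action": ["cr:Get*", "cr:List*", "cr:Pull*"],
                            "Effect": "Allow", "Resource": "*"}], "Version": "1"}

# Constructed least-privilege policy (placeholder region, account and instance
# IDs): log in, then read and pull only from the "prod" namespace of one instance.
# cr:GetAuthorizationToken is checked against "*" per the table above, so that
# statement cannot be narrowed to a namespace.
NS_PULL_ONLY = {"Version": "1", "Statement": [
    {"Action": "cr:GetAuthorizationToken", "Effect": "Allow", "Resource": "*"},
    {"Action": ["cr:PullRepository", "cr:GetRepository", "cr:ListRepositoryTag"],
     "Effect": "Allow",
     "Resource": "acs:cr:cn-hangzhou:123456789012:repository/cri-example/prod/*"},
]}

def repo_resource(region, account, instance, namespace=None, repo=None):
    """Build a repository resource string in the form used by the tables above."""
    res = "acs:cr:%s:%s:repository/%s" % (region, account, instance)
    for part in (namespace, repo):
        if part:
            res += "/" + part
    return res

def is_allowed(policy, action, resource):
    """Evaluate one Action/Resource pair against a policy: an explicit Deny
    always wins; otherwise any statement whose patterns both match grants."""
    as_list = lambda v: v if isinstance(v, list) else [v]
    allowed = False
    for st in policy["Statement"]:
        if (any(fnmatchcase(action, a) for a in as_list(st["Action"])) and
                any(fnmatchcase(resource, r) for r in as_list(st["Resource"]))):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

if __name__ == "__main__":
    prod = repo_resource("cn-hangzhou", "123456789012", "cri-example", "prod", "app")
    dev = repo_resource("cn-hangzhou", "123456789012", "cri-example", "dev", "app")
    for name, pol in (("FullAccess", FULL_ACCESS), ("ReadOnly", READ_ONLY),
                      ("NsPullOnly", NS_PULL_ONLY)):
        print(name, "pull prod:", is_allowed(pol, "cr:PullRepository", prod),
              "push prod:", is_allowed(pol, "cr:PushRepository", prod),
              "pull dev:", is_allowed(pol, "cr:PullRepository", dev))
```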