
Container Registry:Attach a custom policy to a RAM user

Last Updated:Dec 11, 2024

If you want to enforce fine-grained control on permissions, you can create custom policies and attach the custom policies to RAM users. This topic describes how to attach a custom policy to a RAM user. In the following example, a RAM user is granted the read and write permissions on a namespace of a Container Registry Enterprise Edition instance.

Create a custom policy

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, click the JSON tab.

  5. Copy the following script to the code editor and replace the $instanceid and $namespace placeholders in the script with your actual instance ID and namespace name.

    If you want to grant more permissions to the RAM user, configure the Action and Resource parameters by referring to Authentication rules of Container Registry. For information about the policy syntax, see Policy structure and syntax.

    Note

    The asterisk (*) in the policy content is used as a wildcard. For example, cr:ListInstance* indicates that all actions whose names start with cr:ListInstance are granted to the RAM user. If you set acs:cr:*:*:repository/$instanceid/$namespace/* to acs:cr:*:*:repository/cri-123456/ns/*, all permissions on the ns namespace of the instance whose ID is cri-123456, in all regions, are granted to the RAM user.

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "cr:ListInstance*",
            "cr:GetInstance*",
            "cr:ListSignature*"
          ],
          "Resource": "*"
        },
        {
          "Action": [
            "cr:*"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:cr:*:*:repository/$instanceid/$namespace/*",
            "acs:cr:*:*:repository/$instanceid/$namespace"
          ]
        },
        {
          "Action": [
            "cr:List*"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:cr:*:*:repository/$instanceid/*",
            "acs:cr:*:*:repository/$instanceid/*/*"
          ]
        }
      ],
      "Version": "1"
    }
  6. Click OK. In the Create Policy dialog box, set the Name and Description parameters.
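The following script is an added example, not part of this topic or of Container Registry itself. It renders the policy template above with real values (as step 5 asks you to do by hand) and then checks which action/resource pairs the result allows, using a simplified model of RAM wildcard matching in which * matches any run of characters; that matching model, the region, account ID and repository-level action names are assumptions, not values taken from the RAM documentation.

```python
import json
import re

# The policy template from this topic, with its $instanceid / $namespace placeholders left in.
POLICY_TEMPLATE = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["cr:ListInstance*", "cr:GetInstance*", "cr:ListSignature*"]},
        {"Effect": "Allow", "Action": ["cr:*"],
         "Resource": ["acs:cr:*:*:repository/$instanceid/$namespace/*",
                      "acs:cr:*:*:repository/$instanceid/$namespace"]},
        {"Effect": "Allow", "Action": ["cr:List*"],
         "Resource": ["acs:cr:*:*:repository/$instanceid/*",
                      "acs:cr:*:*:repository/$instanceid/*/*"]},
    ],
}


def render_policy(template: dict, instance_id: str, namespace: str) -> dict:
    """Substitute the placeholders everywhere in the template (step 5 of the procedure)."""
    text = json.dumps(template).replace("$instanceid", instance_id).replace("$namespace", namespace)
    return json.loads(text)


def _glob_match(pattern: str, value: str) -> bool:
    """Simplified RAM wildcard model (assumption): '*' matches any characters, rest is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """True if some Allow statement matches the action and resource and no Deny statement does."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(_glob_match(a, action) for a in actions) and any(_glob_match(r, resource) for r in resources):
            if stmt["Effect"] == "Deny":
                return False  # an explicit Deny always wins
            allowed = True
    return allowed


if __name__ == "__main__":
    # Instance ID and namespace are the ones used in this topic; region, account ID,
    # repository name and the action names below are constructed samples.
    policy = render_policy(POLICY_TEMPLATE, "cri-123456", "ns")
    repo = "acs:cr:cn-hangzhou:123456789012:repository/cri-123456/{}/app"
    for action, ns in [("cr:PushRepository", "ns"), ("cr:PushRepository", "other"), ("cr:ListRepository", "other")]:
        print(f"{action} on namespace {ns}: {'allowed' if is_allowed(policy, action, repo.format(ns)) else 'denied'}")
```

Running the script shows that write-style actions are allowed only inside the ns namespace, while list-style actions are allowed across the whole instance, which is the least-privilege split the three statements are meant to express.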

Attach the custom policy to a RAM user

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user, and click Add Permissions in the Actions column.


    You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to all of the selected RAM users at the same time.

  4. In the Grant Permission panel, grant permissions to the RAM user.

    1. Configure the Resource Scope parameter.

    2. Configure the Principal parameter.

      The principal is the RAM user to which you want to grant permissions. The current RAM user is automatically selected.

    3. Configure the Policy parameter.

      A policy contains a set of permissions. Policies can be classified into system policies and custom policies. You can select multiple policies at a time.

      • System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.

        Note

        The system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. We recommend that you do not grant unnecessary permissions by attaching high-risk policies.

      • Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.

    4. Click Grant permissions.

  5. Click Close.

Note

After you log on to the Container Registry console as a RAM user, you can perform operations in the namespaces that the RAM user is authorized to access. For example, you can build, push, and pull images.