If you want to enforce fine-grained control on permissions, you can create custom policies and attach the custom policies to RAM users. This topic describes how to attach a custom policy to a RAM user. In the following example, a RAM user is granted the read and write permissions on a namespace of a Container Registry Enterprise Edition instance.
Create a custom policy
Log on to the RAM console by using an Alibaba Cloud account or a RAM user that has administrative rights.
In the left-side navigation pane, choose
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab.
Copy the following policy content to the code editor, replace
instanceidandnamespacein the policy content by using your actual values, and then click Next to edit policy information.If you want to grant more permissions to the RAM user, configure the
ActionandResourceparameters by referring to Authentication rules of Container Registry. For information about the policy syntax, see Policy structure and syntax.NoteThe asterisk (
*) in the policy content is used as a wildcard. For example,cr:ListInstance*indicates that all actions that start with cr:ListInstance are granted to the RAM user. If you setacs:cr:*:*:repository/$instanceid/$namespace/*toacs:cr:*:*:repository/cri-123456/ns/*, all permissions on the ns namespace of the instances whose IDs are cri-123456 in all regions are granted to the RAM user.{ "Statement": [ { "Effect": "Allow", "Action": [ "cr:ListInstance*", "cr:GetInstance*", "cr:ListSignature*" ], "Resource": "*" }, { "Action": [ "cr:*" ], "Effect": "Allow", "Resource": [ "acs:cr:*:*:repository/$instanceid/$namespace/*", "acs:cr:*:*:repository/$instanceid/$namespace" ] }, { "Action": [ "cr:List*" ], "Effect": "Allow", "Resource": [ "acs:cr:*:*:repository/$instanceid/*", "acs:cr:*:*:repository/$instanceid/*/*" ] } ], "Version": "1" }Specify the Name and Description fields.
Click OK.
Attach the custom policy to a RAM user
Log on to the RAM console with an Alibaba Cloud account or a RAM user who has administrative rights.
In the left-side navigation pane, choose .
On the Users page, find the required RAM user and click Add Permissions in the Actions column.
In the Add Permissions panel, grant permissions to the RAM user.
Select the authorization scope.
Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
Specific Resource Group: The authorization takes effect on a specific resource group.
NoteIf you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to manage an ECS instance.
Specify the principal.
The principal is the RAM user to which you want to grant permissions.
Select policies.
A policy contains a set of permissions. Policies can be classified into system policies and custom policies:
System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.
Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.
NoteYou can attach a maximum of five policies to a RAM user at a time. If you want to attach more than five policies to a RAM user, perform the operation multiple times.
Click OK.
Click Complete.
After you log on to the Container Registry console as a RAM user, you can perform operations in the namespaces that the RAM user is authorized to access. For example, you can build, push, and pull images.