
Container Registry: Configure access credentials for a Container Registry Enterprise Edition instance

Last Updated: Mar 20, 2024

To ensure that you can securely access and manage container images, Container Registry provides identity authentication for instance logon from clients such as Docker and containerd. After successful authentication, you can push and pull container images or Helm charts on the clients.

Background information

Access credentials are used for RAM policy-based authentication on clients such as Docker and containerd. For more information, see RAM authentication rules. After successful authentication, you can push and pull container images and Helm charts. We recommend that you set an access password for the instance that is different from the password used to log on to the Container Registry console. This limits the impact on your business if the password is leaked from a client.

Access credentials are independent of Alibaba Cloud accounts and passwords. Access credentials are available in two types:

  • Password: A password is valid permanently. Keep it safe. If you forget your password, you can reset it.

  • Temporary token: A temporary token is valid for 1 hour. If the temporary token is obtained by using Security Token Service (STS), the temporary token is valid as long as the STS token is valid.

Note

Alibaba Cloud accounts and RAM users have independent access credentials. RAM users cannot use the access credentials of their Alibaba Cloud accounts to access Container Registry Enterprise Edition instances. RAM users must configure their own access credentials.

Use a password

Note

If you want to log on to a Container Registry Enterprise Edition instance as a RAM role, you cannot use a password and you must use a temporary token.

Procedure

  1. Log on to the Container Registry console.

  2. In the top navigation bar, select a region.

  3. In the left-side navigation pane, click Instances.

  4. On the Instances page, click the Enterprise Edition instance that you want to manage.

  5. In the left-side navigation pane of the management page of the Container Registry Enterprise Edition instance, choose Instances > Access Credential.

  6. On the Access Credential page, click Set Password.

  7. In the Set Password dialog box, enter a password for the Password parameter, and enter the password again for the Confirm Password parameter. Then, click Confirm.

What to do next

Log on to the Container Registry Enterprise Edition instance.

  1. Configure access over the Internet or virtual private clouds (VPCs). For more information, see Configure access over the Internet or Configure a VPC ACL.

  2. Use the access credentials to log on to the Container Registry Enterprise Edition instance. Example:

    docker login <Name of the Container Registry Enterprise Edition instance>-registry.<Region ID of the instance>.cr.aliyuncs.com

Use a temporary token

Prerequisites

Procedure

  1. Create a RAM user. For more information, see Create a RAM user.

  2. Add the following permissions to the RAM user and obtain the AccessKey pair of the RAM user. For more information, see View the information about AccessKey pairs of a RAM user.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "cr:GetAuthorizationToken",
            "cr:PullRepository",
            "cr:PushRepository"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

  3. Run the following command in the Alibaba Cloud CLI (aliyun) to call the GetAuthorizationToken API operation and obtain the temporary token. For more information, see GetAuthorizationToken.

    export ALIYUN_AK="<aliyun access key>" # The AccessKey ID that you obtained in Step 2.
    export ALIYUN_SK="<aliyun access key secret>" # The AccessKey secret that you obtained in Step 2.
    export ACR_INSTANCE_ID="<id of acr instance>" # The ID of the Container Registry Enterprise Edition instance.
    export ACR_ENDPOINT="<acr service endpoint>" # You can obtain the endpoint from https://www.alibabacloud.com/help/en/acr/developer-reference/api-cr-2018-12-01-endpoint.

    # Call GetAuthorizationToken and print only the temporary token.
    aliyun cr GetAuthorizationToken --endpoint "$ACR_ENDPOINT" --InstanceId "$ACR_INSTANCE_ID" --access-key-id "$ALIYUN_AK" --access-key-secret "$ALIYUN_SK" | jq -r '.AuthorizationToken'

What to do next

Log on to the Container Registry Enterprise Edition instance.

  1. Configure access over the Internet or VPCs. For more information, see Configure access over the Internet or Configure a VPC ACL.

  2. Use the access credentials to log on to the Container Registry Enterprise Edition instance. Example:

    docker login --username=cr_temp_user <Name of the Container Registry Enterprise Edition instance>-registry.<Region ID of the instance>.cr.aliyuncs.com
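
The token retrieval and logon steps above, combined into one script as an added example (not part of the original documentation). It checks that a token was actually returned and hands it to docker login through --password-stdin instead of typing or pasting it. ACR_INSTANCE_NAME and ACR_REGION_ID are assumed variable names, and the lowercase-letters, digits and hyphens check on them is an assumption.

```bash
#!/bin/sh
# Added example, not from the original page. ACR_INSTANCE_NAME and ACR_REGION_ID
# are assumed variable names; the other variables are the ones exported above.
set -eu

# Build "<instance name>-registry.<region ID>.cr.aliyuncs.com".
# Assumption: both parts are lowercase letters, digits and hyphens; anything
# else is rejected so a malformed value cannot send the token to another host.
acr_registry_host() {
  for part in "$1" "$2"; do
    case "$part" in
      '' | *[!a-z0-9-]*) return 1 ;;
    esac
  done
  printf '%s-registry.%s.cr.aliyuncs.com' "$1" "$2"
}

# Call GetAuthorizationToken and print the token. "// empty" makes jq print
# nothing (instead of the string "null") when the response carries no token.
acr_temp_token() {
  local token
  token="$(aliyun cr GetAuthorizationToken \
      --endpoint "$ACR_ENDPOINT" --InstanceId "$ACR_INSTANCE_ID" \
      --access-key-id "$ALIYUN_AK" --access-key-secret "$ALIYUN_SK" |
    jq -r '.AuthorizationToken // empty')" || return 1
  [ -n "$token" ] || { echo "no AuthorizationToken in response" >&2; return 1; }
  printf '%s' "$token"
}

# Log on as cr_temp_user, feeding the token on stdin so it does not appear in
# docker's arguments or in the shell history.
acr_login() {
  local host token
  host="$(acr_registry_host "$ACR_INSTANCE_NAME" "$ACR_REGION_ID")" ||
    { echo "invalid instance name or region ID" >&2; return 1; }
  token="$(acr_temp_token)" || return 1
  printf '%s' "$token" | docker login --username=cr_temp_user --password-stdin "$host"
}

# Run the logon only when asked to, for example: sh acr-login.sh login
if [ "${1:-}" = "login" ]; then
  acr_login
fi
```

Because the temporary token is valid for 1 hour, rerun the logon before a later push or pull rather than storing the token.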

References

After you configure access credentials for a Container Registry Enterprise Edition instance, you can manage and store container images in the instance. For more information, see Push an image to a Container Registry Enterprise Edition instance and pull an image from the instance.