After you understand Alibaba Cloud resource names (ARNs), the characteristics and access methods of resources, you can create RAM authentication rules to effectively manage various resources in the system.
ARN format
The following table describes the ARN format in authorization policies when you grant permissions to RAM users.
Resource type | ARN format |
* | acs:cr:$regionid:$accountid:* |
instance | acs:cr:$regionid:$accountid:instance/$instanceid |
repository | acs:cr:$regionid:$accountid:repository/$instanceid/* acs:cr:$regionid:$accountid:repository/$instanceid acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/* acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename |
chart | acs:cr:$regionid:$accountid:chart/$instanceid/* acs:cr:$regionid:$accountid:chart/$instanceid acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/* acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/<br>$chartrepositoryname |
The following table describes the parameters in the ARN format.
Parameter | Description |
regionid | The ID of the region. You can replace the region ID with an asterisk (*). |
accountid | The ID of the Alibaba Cloud account. You can replace the account ID with an asterisk (*). |
instanceid | The ID of the Container Registry Enterprise Edition instance. |
namespacename | The name of the namespace. |
repositoryname | The name of the image repository. |
chartnamespacename | The name of the chart namespace. |
chartrepositoryname | The name of the chart repository. |
Authentication rules
When you access the Container Registry API as a RAM user or by using STS, Container Registry checks whether you have obtained the required permissions. The permissions that Container Registry checks vary based on the resources that are requested by the API operation and the syntax of the API operation. The following table describes the authentication rules for different API operations.
The asterisk (*
) is used as a wildcard.
API | Action | Resource |
GetAuthorizationToken | cr:GetAuthorizationToken | * |
GetChartNamespace | cr:GetNamespace | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename |
GetChartRepository | cr:GetRepository | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname |
GetInstance | cr:GetInstance | acs:cr:$regionid:$accountid:instance/$instanceid |
GetInstanceCount | cr:ListInstance | * |
GetInstanceEndpoint | cr:GetInstanceEndpoint | acs:cr:$regionid:$accountid:instance/$instanceid |
GetInstanceUsage | cr:GetInstanceUsage | acs:cr:$regionid:$accountid:instance/$instanceid |
GetInstanceVpcEndpoint | cr:GetInstanceVpcEndpoint | acs:cr:$regionid:$accountid:instance/$instanceid |
GetNamespace | cr:GetNamespace | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename |
GetRepoBuildRecord | cr:GetRepositoryBuildRecord | acs:cr:$regionid:$accountid:repository/$instanceid |
GetRepoBuildRecordStatus | cr:GetBuildRepositoryStatus | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
GetRepoSyncTask | cr:GetRepositorySync | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
GetRepoTagLayers | cr:GetRepositoryLayers | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
GetRepoTagManifest | cr:GetRepositoryManifest | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
GetRepoTagScanTask | cr:GetScan | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
GetRepository | cr:GetRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
ListChartNamespace | cr:ListNamespace | acs:cr:$regionid:$accountid:chart/$instanceid/* |
ListChartRelease | cr:ListChartRelease | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname |
ListChartRepository | cr:ListRepository | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/* |
ListInstance | cr:ListInstance | * |
ListInstanceEndpoint | cr:ListInstanceEndpoint | acs:cr:$regionid:$accountid:repository/$instanceid |
ListNamespace | cr:ListNamespace | acs:cr:$regionid:$accountid:repository/$instanceid/* |
ListRepoBuildRecord | cr:ListRepositoryBuild | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
ListRepoBuildRecordLog | cr:GetRepositoryBuildLog | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
ListRepoBuildRule | cr:ListRepositoryBuildRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
ListRepoSyncRule | cr:ListSyncRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
ListRepoSyncTask | cr:GetRepositorySync | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
ListRepoTag | cr:ListRepositoryTag | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
ListRepoTrigger | cr:ListWebHook | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
ListRepoTriggerLog | cr:GetWebHookLog | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
ListRepoTriggerRecord | cr:GetWebHookLog | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
ListRepository | cr:ListRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/* |
CancelRepoBuildRecord | cr:CancelBuildRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
CreateBuildRecordByRule | cr:BuildRepositoryByRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
CreateChartNamespace | cr:CreateNamespace | acs:cr:$regionid:$accountid:chart/$instanceid |
CreateInstanceEndpointAclPolicy | cr:CreateInstanceEndpointAclPolicy | acs:cr:$regionid:$accountid:instance/$instanceid |
CreateInstanceVpcEndpointLinkedVpc | cr:CreateInstanceVpcEndpointLinkedVpc | acs:cr:$regionid:$accountid:instance/$instanceid |
CreateNamespace | cr:CreateNamespace | acs:cr:$regionid:$accountid:repository/$instanceid |
CreateRepoBuildRule | cr:CreateRepositoryBuildRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
CreateRepoSyncRule | cr:CreateSyncRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
CreateRepoSyncTaskByRule | cr:CreateRepositorySync | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
CreateRepoTrigger | cr:CreateWebHook | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
CreateRepository | cr:CreateRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename |
DeleteChartNamespace | cr:DeleteNamespace | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename |
DeleteChartRelease | cr:DeleteChartRelease | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname |
DeleteChartRepository | cr:DeleteRepository | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname |
DeleteInstanceEndpointAclPolicy | cr:DeleteInstanceEndpointAclPolicy | acs:cr:$regionid:$accountid:instance/$instanceid |
DeleteInstanceVpcEndpointLinkedVpc | cr:DeleteInstanceVpcEndpointLinkedVpc | acs:cr:$regionid:$accountid:instance/$instanceid |
DeleteNamespace | cr:DeleteNamespace | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename |
DeleteRepoBuildRule | cr:DeleteRepositoryBuildRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
DeleteRepoSyncRule | cr:DeleteSyncRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
DeleteRepoTag | cr:DeleteRepositoryTag | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
DeleteRepoTrigger | cr:DeleteWebHook | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
DeleteRepository | cr:DeleteRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
UpdateChartNamespace | cr:UpdateNamespace | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename |
UpdateChartRepository | cr:UpdateRepository | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname |
UpdateInstanceEndpointStatus | cr:UpdateInstanceEndpointStatus | acs:cr:$regionid:$accountid:instance/$instanceid |
UpdateNamespace | cr:UpdateNamespace | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename |
UpdateRepoBuildRule | cr:UpdateRepositoryBuildRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
UpdateRepoTrigger | cr:UpdateWebHook | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
UpdateRepository | cr:UpdateRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
PullRepository | cr:PullRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
PushRepository | cr:PushRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
PullChart | cr:PullChart | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname |
PushChart | cr:PushChart | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname |
PutScan | cr:PutScan | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
GetScan | cr:GetScan | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
GetScanStatus | cr:GetScanStatus | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
ListScanResult | cr:ListScanResult | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
GetScanCount | cr:GetScanCount | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
GetArtifactBuildRule | cr:GetArtifactBuildRule | acs:cr:$regionid:$accountid:instance/$instanceid |
GetPersonalInstanceDomainAccessStatus | cr:GetPersonalInstanceDomainAccessStatus | acs:cr:$regionid:$accountid:instance/$instanceid |
ListRepositoryVulTagCount | cr:ListRepoVulTagCount | acs:cr:$regionid:$accountid:instance/$instanceid |