Container Registry: RAM authentication rules

Last Updated: Feb 28, 2024

After you understand Alibaba Cloud Resource Names (ARNs) and the characteristics and access methods of resources, you can create RAM authentication rules to manage the resources in the system.

ARN format

The following table describes the ARN format in authorization policies when you grant permissions to RAM users.

| Resource type | ARN format |
| --- | --- |
| * | acs:cr:$regionid:$accountid:* |
| instance | acs:cr:$regionid:$accountid:instance/$instanceid |
| repository | acs:cr:$regionid:$accountid:repository/$instanceid/* |
| repository | acs:cr:$regionid:$accountid:repository/$instanceid |
| repository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/* |
| repository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| repository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename |
| chart | acs:cr:$regionid:$accountid:chart/$instanceid/* |
| chart | acs:cr:$regionid:$accountid:chart/$instanceid |
| chart | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/* |
| chart | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename |
| chart | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname |

The following table describes the parameters in the ARN format.

| Parameter | Description |
| --- | --- |
| regionid | The ID of the region. You can replace the region ID with an asterisk (*). |
| accountid | The ID of the Alibaba Cloud account. You can replace the account ID with an asterisk (*). |
| instanceid | The ID of the Container Registry Enterprise Edition instance. |
| namespacename | The name of the namespace. |
| repositoryname | The name of the image repository. |
| chartnamespacename | The name of the chart namespace. |
| chartrepositoryname | The name of the chart repository. |

Authentication rules

When you access the Container Registry API as a RAM user or by using STS, Container Registry checks whether you have obtained the required permissions. The permissions that Container Registry checks vary based on the resources that are requested by the API operation and the syntax of the API operation. The following table describes the authentication rules for different API operations.

Note: The asterisk (*) is used as a wildcard.

| API | Action | Resource |
| --- | --- | --- |
| GetAuthorizationToken | cr:GetAuthorizationToken | * |
| GetChartNamespace | cr:GetNamespace | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename |
| GetChartRepository | cr:GetRepository | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname |
| GetInstance | cr:GetInstance | acs:cr:$regionid:$accountid:instance/$instanceid |
| GetInstanceCount | cr:ListInstance | * |
| GetInstanceEndpoint | cr:GetInstanceEndpoint | acs:cr:$regionid:$accountid:instance/$instanceid |
| GetInstanceUsage | cr:GetInstanceUsage | acs:cr:$regionid:$accountid:instance/$instanceid |
| GetInstanceVpcEndpoint | cr:GetInstanceVpcEndpoint | acs:cr:$regionid:$accountid:instance/$instanceid |
| GetNamespace | cr:GetNamespace | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename |
| GetRepoBuildRecord | cr:GetRepositoryBuildRecord | acs:cr:$regionid:$accountid:repository/$instanceid |
| GetRepoBuildRecordStatus | cr:GetBuildRepositoryStatus | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| GetRepoSyncTask | cr:GetRepositorySync | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| GetRepoTagLayers | cr:GetRepositoryLayers | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| GetRepoTagManifest | cr:GetRepositoryManifest | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| GetRepoTagScanTask | cr:GetScan | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| GetRepository | cr:GetRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| ListChartNamespace | cr:ListNamespace | acs:cr:$regionid:$accountid:chart/$instanceid/* |
| ListChartRelease | cr:ListChartRelease | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname |
| ListChartRepository | cr:ListRepository | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/* |
| ListInstance | cr:ListInstance | * |
| ListInstanceEndpoint | cr:ListInstanceEndpoint | acs:cr:$regionid:$accountid:repository/$instanceid |
| ListNamespace | cr:ListNamespace | acs:cr:$regionid:$accountid:repository/$instanceid/* |
| ListRepoBuildRecord | cr:ListRepositoryBuild | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| ListRepoBuildRecordLog | cr:GetRepositoryBuildLog | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| ListRepoBuildRule | cr:ListRepositoryBuildRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| ListRepoSyncRule | cr:ListSyncRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| ListRepoSyncTask | cr:GetRepositorySync | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| ListRepoTag | cr:ListRepositoryTag | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| ListRepoTrigger | cr:ListWebHook | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| ListRepoTriggerLog | cr:GetWebHookLog | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| ListRepoTriggerRecord | cr:GetWebHookLog | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| ListRepository | cr:ListRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/* |
| CancelRepoBuildRecord | cr:CancelBuildRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| CreateBuildRecordByRule | cr:BuildRepositoryByRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| CreateChartNamespace | cr:CreateNamespace | acs:cr:$regionid:$accountid:chart/$instanceid |
| CreateInstanceEndpointAclPolicy | cr:CreateInstanceEndpointAclPolicy | acs:cr:$regionid:$accountid:instance/$instanceid |
| CreateInstanceVpcEndpointLinkedVpc | cr:CreateInstanceVpcEndpointLinkedVpc | acs:cr:$regionid:$accountid:instance/$instanceid |
| CreateNamespace | cr:CreateNamespace | acs:cr:$regionid:$accountid:repository/$instanceid |
| CreateRepoBuildRule | cr:CreateRepositoryBuildRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| CreateRepoSyncRule | cr:CreateSyncRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| CreateRepoSyncTaskByRule | cr:CreateRepositorySync | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| CreateRepoTrigger | cr:CreateWebHook | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| CreateRepository | cr:CreateRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename |
| DeleteChartNamespace | cr:DeleteNamespace | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename |
| DeleteChartRelease | cr:DeleteChartRelease | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname |
| DeleteChartRepository | cr:DeleteRepository | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname |
| DeleteInstanceEndpointAclPolicy | cr:DeleteInstanceEndpointAclPolicy | acs:cr:$regionid:$accountid:instance/$instanceid |
| DeleteInstanceVpcEndpointLinkedVpc | cr:DeleteInstanceVpcEndpointLinkedVpc | acs:cr:$regionid:$accountid:instance/$instanceid |
| DeleteNamespace | cr:DeleteNamespace | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename |
| DeleteRepoBuildRule | cr:DeleteRepositoryBuildRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| DeleteRepoSyncRule | cr:DeleteSyncRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| DeleteRepoTag | cr:DeleteRepositoryTag | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| DeleteRepoTrigger | cr:DeleteWebHook | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| DeleteRepository | cr:DeleteRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| UpdateChartNamespace | cr:UpdateNamespace | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename |
| UpdateChartRepository | cr:UpdateRepository | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname |
| UpdateInstanceEndpointStatus | cr:UpdateInstanceEndpointStatus | acs:cr:$regionid:$accountid:instance/$instanceid |
| UpdateNamespace | cr:UpdateNamespace | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename |
| UpdateRepoBuildRule | cr:UpdateRepositoryBuildRule | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| UpdateRepoTrigger | cr:UpdateWebHook | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| UpdateRepository | cr:UpdateRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| PullRepository | cr:PullRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| PushRepository | cr:PushRepository | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| PullChart | cr:PullChart | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname |
| PushChart | cr:PushChart | acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname |
| PutScan | cr:PutScan | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| GetScan | cr:GetScan | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| GetScanStatus | cr:GetScanStatus | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| ListScanResult | cr:ListScanResult | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| GetScanCount | cr:GetScanCount | acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname |
| GetArtifactBuildRule | cr:GetArtifactBuildRule | acs:cr:$regionid:$accountid:instance/$instanceid |
| GetPersonalInstanceDomainAccessStatus | cr:GetPersonalInstanceDomainAccessStatus | acs:cr:$regionid:$accountid:instance/$instanceid |
| ListRepositoryVulTagCount | cr:ListRepoVulTagCount | acs:cr:$regionid:$accountid:instance/$instanceid |
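
The following Python sketch is an added example, not code from this page or from Alibaba Cloud. It takes a few rows of the authentication-rule table above and checks which API operations a draft RAM policy would permit before the policy is attached. Assumptions: `*` matches any run of characters, an explicit Deny overrides Allow, and the function names, the sample policy and all IDs are hypothetical.

```python
import re
from string import Template

# Rows copied from the page's authentication-rule table: API -> (Action, Resource).
REPO = "acs:cr:$regionid:$accountid:repository/$instanceid"
RULES = {
    "GetAuthorizationToken": ("cr:GetAuthorizationToken", "*"),
    "ListRepository": ("cr:ListRepository", REPO + "/$namespacename/*"),
    "CreateRepository": ("cr:CreateRepository", REPO + "/$namespacename"),
    "PullRepository": ("cr:PullRepository", REPO + "/$namespacename/$repositoryname"),
    "PushRepository": ("cr:PushRepository", REPO + "/$namespacename/$repositoryname"),
    "DeleteRepository": ("cr:DeleteRepository", REPO + "/$namespacename/$repositoryname"),
}

def wild_match(pattern, value):
    """Assumed semantics: '*' in a policy element matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def is_allowed(policy, api, **ids):
    """Simplified model: an explicit Deny wins, then Allow, otherwise implicit deny."""
    action, template = RULES[api]
    resource = Template(template).substitute(ids)  # fill $regionid, $instanceid, ...
    allowed = False
    for stmt in policy["Statement"]:
        hit = (any(wild_match(a, action) for a in stmt["Action"])
               and any(wild_match(r, resource) for r in stmt["Resource"]))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or hit
    return allowed

def granted_apis(policy, **ids):
    return sorted(api for api in RULES if is_allowed(policy, api, **ids))

# Constructed sample values; the IDs are placeholders, not real resources.
IDS = dict(regionid="cn-hangzhou", accountid="1234567890123456",
           instanceid="cri-example", namespacename="team-a", repositoryname="app")
NS = "acs:cr:cn-hangzhou:1234567890123456:repository/cri-example/team-a"
TEAM_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["cr:GetAuthorizationToken"], "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["cr:*"], "Resource": [NS + "/*"]},
    {"Effect": "Deny", "Action": ["cr:Delete*"], "Resource": ["*"]},
]}

if __name__ == "__main__":
    print(granted_apis(TEAM_POLICY, **IDS))
```

In this model the sample policy grants token, list, pull and push but not CreateRepository: the table scopes that operation to the namespace ARN without a trailing segment, which a `.../team-a/*` resource does not cover.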