Container Registry allows you to replicate images between instances that belong to different Alibaba Cloud accounts. The cross-account image replication feature applies to all regions. Manual replication and automatic replication are supported.
Prerequisites
The source instance must be of the Advanced Edition. The destination instance can be of the Basic Edition or Advanced Edition.
If your Container Registry Enterprise Edition instance is of the Basic Edition, you can click Instances in the left-side navigation pane of the Container Registry console and then find the Enterprise Edition instance. Click Upgrade in the card of the instance to upgrade the instance to the Advanced Edition.
You cannot replicate images from a public cloud region to a non-public cloud region, such as an Alibaba Finance Cloud region or an Alibaba Gov Cloud region.
Background information
You can replicate images between instances from one Alibaba Cloud account to another, from one Resource Access Management (RAM) user to another, and from one Alibaba Cloud account to a RAM user.
Automatically replicate images
You can configure a replication rule to automate image replication between two instances that belong to different accounts. After you upload an image to the source instance, the system automatically replicates the image to the destination instance. In this example, the source instance belongs to Account A and the destination instance belongs to Account B.
Only images that are uploaded after the replication rule is configured can be automatically replicated between instances that belong to different accounts. Existing images cannot be replicated.
Two solutions can be used to replicate existing images:
If you do not have a large number of existing images, you can manually replicate the images. For more information, see the Manually replicate image section of this topic and CreateRepoSyncTask.
If you have a large number of existing images, we recommend that you combine two features: replicate the images to Object Storage Service (OSS) buckets, and then import them into the Container Registry instance.
Copy all files in an OSS bucket to the OSS bucket of a Container Registry instance. For more information, see Data replication.
Create an import rule, select an OSS bucket as the migration source, and start an image import task.
Preparations
You must obtain the following information before you set up replication between instances that belong to different accounts:
The IDs of Account A and Account B.
Note: If your account is a RAM user, you must obtain the ID of the Alibaba Cloud account to which the RAM user belongs.
The region in which the destination instance is deployed and the ID of the destination instance.
Log on to the Container Registry console. In the upper part of the Instances page, select a region and click the Enterprise Edition instance that you want to use as the destination instance. On the Overview page, you can find the region of the instance. You can also find the instance ID in the Instance section.
Images can be automatically replicated between instances that belong to different accounts by namespace or repository.
If you want to replicate images by namespace, the source and destination instances must each have a namespace with the same name, and automatic repository creation must be enabled for the corresponding namespace in the destination instance. For information about how to enable automatic repository creation for a namespace, see Step 4: Create a namespace.
If you want to replicate images by repository, the source and destination instances must each have a namespace with the same name, and each have a repository with the same name and configuration in their own namespace.
Step 1: Grant permissions to Account A
You must log on to the RAM console with Account B and grant Account A the permissions to replicate images to instances that belong to Account B.
Create a RAM role named aliyuncontainerregistrycrossaccoutsyncrole.
NoteYou must set the name of the RAM role to aliyuncontainerregistrycrossaccoutsyncrole.
Log on to the RAM console by using Account B.
In the left-side navigation pane, choose . On the page that appears, click Create Role.
In the Select Role Type step, set the Select Trusted Entity parameter to Alibaba Cloud Account and click Next.
In the Configure Role step, set the RAM Role Name parameter to aliyuncontainerregistrycrossaccoutsyncrole and click OK.
Create a permission policy.
In the left-side navigation pane of the RAM console, choose . On the page that appears, click Create Policy.
On the Create Policy page, click JSON. In the following code block, set the Resource field based on the actual condition. Then, copy the modified code block to the editor and click Next to edit policy information.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cr:CreateSyncRule",
        "cr:CreateRepositorySync"
      ],
      "Resource": "acs:cr:cn-beijing:151356101970****:instance/cri-4im1o411ls8g****"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cr:CreateSyncRule",
        "cr:CreateRepositorySync"
      ],
      "Resource": "acs:cr:cn-hangzhou:151356101970****:instance/cri-4im1o411ls8gxr****"
    }
  ],
  "Version": "1"
}
Resource: the resource that you want to authorize Account A to access. Specify the resource in the following format: acs:cr:<Region where the destination instance of Account B is deployed>:<ID of Account B>:instance/<ID of the destination instance of Account B>.
Note: If Account B is a RAM user, set <ID of Account B> in the Resource field to the ID of the Alibaba Cloud account to which the RAM user belongs.
Attach the policy to the aliyuncontainerregistrycrossaccoutsyncrole role.
On the Policies page, search for the policy that you created and click the name of the policy.
On the page that appears, click the References tab. Then, click Grant Permission.
In the Grant Permission panel, set the Resource Scope parameter to Account and the Principal parameter to aliyuncontainerregistrycrossaccoutsyncrole. Then, click Grant permissions.
Click Close.
Modify the trust policy of aliyuncontainerregistrycrossaccoutsyncrole.
In the left-side navigation pane of the RAM console, choose .
Search for aliyuncontainerregistrycrossaccoutsyncrole and click the role name in the search result.
Click Trust Policy, and then click Edit Trust Policy.
Set the Service field in the following code block based on the actual condition, copy the modified code block to the editor, and then click Save trust policy document.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "125287961064****@cr.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
Service: the principal to which you want to grant permissions, that is, the party allowed to assume the role. Specify the service in the following format: <ID of Account A>@cr.aliyuncs.com.
Note: If Account A is a RAM user, set <ID of Account A> in the Service field to the ID of the Alibaba Cloud account to which the RAM user belongs.
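To show how the permission policy and the trust policy from Step 1 fit together, here is an added Python example (not from the original page or from Alibaba Cloud) that builds both documents from constructed placeholder IDs and flags a policy that drifts from the narrowly scoped shape shown above (extra actions, wildcard resources, a resource owned by the wrong account, or an unexpected trusted principal). It assumes Alibaba Cloud account IDs are 16-digit strings and that instance IDs have the form cri-xxxx; both are assumptions, not facts stated on the page.

```python
import re
# Constructed placeholder IDs for this example, not values from the page.
ACCOUNT_A = "6543210987654321"  # owns the source instance and is granted access
ACCOUNT_B = "1234567890123456"  # owns the destination instance and grants access
SYNC_ACTIONS = ("cr:CreateSyncRule", "cr:CreateRepositorySync")
# Assumed formats: 16-digit account ID (for a RAM user, the parent account's ID).
RESOURCE_RE = re.compile(r"^acs:cr:([a-z0-9-]+):(\d{16}):instance/(cri-[a-z0-9]+)$")
SERVICE_RE = re.compile(r"^(\d{16})@cr\.aliyuncs\.com$")

def build_permission_policy(destinations):
    """Policy Account B attaches to the role: one Allow per (region, account_id, instance_id)."""
    statements = [{"Effect": "Allow", "Action": list(SYNC_ACTIONS),
                   "Resource": f"acs:cr:{region}:{account}:instance/{inst}"}
                  for region, account, inst in destinations]
    return {"Statement": statements, "Version": "1"}

def build_trust_policy(source_account_id):
    """Trust policy that lets Container Registry, acting for Account A, assume the role."""
    principal = {"Service": [f"{source_account_id}@cr.aliyuncs.com"]}
    return {"Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                           "Principal": principal}], "Version": "1"}

def as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def permission_policy_problems(policy, destination_account):
    """Findings; empty means only the two sync actions on specific instances of Account B."""
    problems = []
    for i, st in enumerate(policy.get("Statement", [])):
        for action in as_list(st.get("Action")):
            if action not in SYNC_ACTIONS:
                problems.append(f"statement {i}: action {action} is broader than needed")
        for res in as_list(st.get("Resource")):
            match = RESOURCE_RE.match(res)
            if not match:
                problems.append(f"statement {i}: resource {res} is not one cr instance")
            elif match.group(2) != destination_account:
                problems.append(f"statement {i}: instance owned by {match.group(2)}")
    return problems

def trust_policy_problems(trust, source_account):
    """Findings; the only trusted principal should be <Account A ID>@cr.aliyuncs.com."""
    problems = []
    for i, st in enumerate(trust.get("Statement", [])):
        if as_list(st.get("Action")) != ["sts:AssumeRole"]:
            problems.append(f"statement {i}: action must be exactly sts:AssumeRole")
        for svc in as_list(st.get("Principal", {}).get("Service")):
            match = SERVICE_RE.match(svc)
            if not match or match.group(1) != source_account:
                problems.append(f"statement {i}: unexpected trusted principal {svc}")
    return problems
```

Run the two checkers against the documents you paste into the RAM console before granting permissions; a wildcard in Action, Resource or Service is reported as a finding.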
Step 2: Create a replication rule
Log on to the Container Registry console by using Account A.
In the top navigation bar, select a region.
In the left-side navigation pane, click Instances.
On the Instances page, click the Enterprise Edition instance that you want to manage.
In the left-side navigation pane of the management page of the Enterprise Edition instance, choose . On the page that appears, click Create Rule.
In the Instance Information step of the Create Rule wizard, configure the following parameters and then click Next.
Rule Name: Enter a name for the replication rule.
Replication Scenario: Set Replication Scenario to Across Accounts.
Destination UID: Enter the ID of the account to which the destination instance belongs.
Destination Instance: Select the region in which the destination instance is deployed and enter the ID of the destination instance.
In the Replication Information step, set Replication Level to Namespace or Repository based on your requirements, select the namespace or repository, and enter a regular expression to filter image tags. Then, click Create Rule.
In the left-side navigation pane of the management page of the Container Registry Enterprise Edition instance, choose . On the Replication Record page, the status of the replication task is displayed as Completed. If the image appears in the destination instance, the automatic replication between instances that belong to different accounts is successful.
Manually replicate images
You can configure a replication rule to manually replicate an image between two instances that belong to different accounts. In this example, the source instance belongs to Account A and the destination instance belongs to Account B.
Obtain the IDs of Account A and Account B, the region in which the destination instance is deployed, and the ID of the destination instance. For more information, see the Preparations section in this topic.
You must log on to the RAM console with Account B and grant Account A the permissions to replicate images to instances that belong to Account B. For more information, see Step 1 in this topic.
Log on to the Container Registry console.
In the top navigation bar, select a region.
In the left-side navigation pane, click Instances.
On the Instances page, click the Enterprise Edition instance that you want to manage.
In the left-side navigation pane of the management page of the Enterprise Edition instance, choose .
On the page that appears, click the name of the repository in which the image to be replicated resides.
In the left-side navigation pane of the details page of the image repository, click Tags. On the page that appears, find the image that you want to replicate and click Replicate in the Actions column that corresponds to the image.
In the Image Replication dialog box, set Replication Scenario to Cross Accounts and enter the ID of the destination instance account. Select the destination repository, enter the ID of the destination instance, the destination namespace, destination repository name, and image tag, and then click OK.
In the left-side navigation pane of the management page of the Container Registry Enterprise Edition instance, choose . On the Replication Record page, the status of the replication task is displayed as Completed. If the image appears in the destination instance, the manual replication is successful.
References
To replicate images between instances that belong to the same account across regions, see Replicate images within same account.