Container Compute Service:Grant a RAM user permissions on the specified Container Registry namespaces

Last Updated:Jan 09, 2025

This topic describes how to grant a Resource Access Management (RAM) user permissions on the specified Container Registry (ACR) namespaces in a Container Compute Service (ACS) cluster.

Step 1: Modify the permission policy

When you access the ACS console for the first time, the AliyunCCManagedAcrRole role is created and assigned to ACS. ACS can assume this role to access Container Registry and obtain temporary credentials that are used to launch ACS pods. By default, the following permission policy is attached to the role:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "cr:GetAuthorizationToken",
        "cr:ListInstanceEndpoint",
        "cr:PullRepository"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    }
  ]
}
Note

The asterisks (*) in the policy are wildcard characters. For example, the asterisk in the Resource section of the policy matches Container Registry instances in all namespaces and regions. This means that the policy provides the cr:GetAuthorizationToken, cr:ListInstanceEndpoint, and cr:PullRepository permissions on all these instances. The default policy therefore provides permissions on an excessively wide range of resources. Modify the policy to narrow the Resource section at the earliest opportunity. Examples:

  • acs:cr:*:*:repository/$instanceid/$namespace/*: specifies a Container Registry instance by its ID and a namespace by its name.

  • acs:cr:*:*:repository/$instanceid/*: specifies a Container Registry instance by its ID.

Step 2: Create custom policies

  1. Use an Alibaba Cloud account to log on to the RAM console.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, click the JSON tab.

  5. Copy the following policy content to the code editor, and then replace $instanceid and $namespace in the policy content with the actual values.

    Note

    If you want to grant more permissions to the RAM user, configure the Action and Resource parameters by referring to RAM authentication rules. For more information about the policy syntax, see Policy structure and syntax.

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "cr:ListInstance*",
            "cr:GetInstance*",
            "cr:ListSignature*"
          ],
          "Resource": "*"
        },
        {
          "Action": [
            "cr:*"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:cr:*:*:repository/$instanceid/$namespace/*",
            "acs:cr:*:*:repository/$instanceid/$namespace"
          ]
        },
        {
          "Action": [
            "cr:List*"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:cr:*:*:repository/$instanceid/*",
            "acs:cr:*:*:repository/$instanceid/*/*"
          ]
        }
      ],
      "Version": "1"
    }
    Note

    The asterisks (*) in the policy are wildcard characters. Example:

    • cr:ListInstance* specifies all actions that start with cr:ListInstance.

    • If you set acs:cr:*:*:repository/$instanceid/$namespace/* to acs:cr:*:*:repository/cri-123456/ns/*, the $instanceid and $namespace placeholders are replaced with the ID of the Container Registry instance and the name of the namespace that you want to access. This setting provides full permissions on the ns namespace of the Container Registry instance whose ID is cri-123456, in all regions.

  6. After you enter the content, click OK. In the dialog box that appears, enter the policy name and click OK to create the policy.
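The following Python script is an added example, not part of this topic or of Alibaba Cloud's tooling. It renders the Step 2 policy by substituting $instanceid and $namespace, then evaluates both that policy and the Step 1 default policy against constructed repository resource names, so you can see before attaching it what the wildcards actually allow. The instance ID cri-123456 and namespace ns are the sample values from the note above; the region, account ID, repository names and the second instance ID are constructed, and the matcher is a simplified model of RAM evaluation (Allow statements only, no Deny or Condition).

```python
import json
import re
from string import Template
# Custom policy from Step 2 with its placeholders still in place.
SCOPED_TEMPLATE = """{
  "Statement": [
    {"Effect": "Allow",
     "Action": ["cr:ListInstance*", "cr:GetInstance*", "cr:ListSignature*"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["cr:*"],
     "Resource": ["acs:cr:*:*:repository/$instanceid/$namespace/*",
                  "acs:cr:*:*:repository/$instanceid/$namespace"]},
    {"Effect": "Allow", "Action": ["cr:List*"],
     "Resource": ["acs:cr:*:*:repository/$instanceid/*",
                  "acs:cr:*:*:repository/$instanceid/*/*"]}
  ],
  "Version": "1"
}"""
# Default policy attached to AliyunCCManagedAcrRole (Step 1): Resource is "*".
DEFAULT_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Resource": ["*"],
     "Action": ["cr:GetAuthorizationToken", "cr:ListInstanceEndpoint", "cr:PullRepository"]}]}

def render_policy(template: str, instanceid: str, namespace: str) -> dict:
    """Replace $instanceid and $namespace exactly as step 5 of Step 2 instructs."""
    return json.loads(Template(template).substitute(instanceid=instanceid, namespace=namespace))

def _glob(pattern: str, value: str) -> bool:
    """RAM-style wildcard: '*' matches any run of characters, everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """True if some Allow statement matches both the action and the resource.
    Simplified model (assumption): Deny statements and Condition blocks are ignored."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(_glob(a, action) for a in actions) and any(_glob(r, resource) for r in resources):
            return True
    return False

# Constructed resource names: the authorized namespace, a sibling namespace on the
# same instance, and the same namespace name on a different (constructed) instance.
OWN_NS = "acs:cr:cn-hangzhou:1234567890:repository/cri-123456/ns/app"
OTHER_NS = "acs:cr:cn-hangzhou:1234567890:repository/cri-123456/other/app"
OTHER_INSTANCE = "acs:cr:cn-hangzhou:1234567890:repository/cri-999999/ns/app"
```

Comparing is_allowed(DEFAULT_POLICY, "cr:PullRepository", OTHER_INSTANCE) with the same call on render_policy(SCOPED_TEMPLATE, "cri-123456", "ns") shows why Step 1 asks you to narrow the default policy: the first returns True, the second False.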

Step 3: Attach the custom policy to the RAM user

  1. Use an Alibaba Cloud account to log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.

  4. In the Grant Permission panel, grant permissions to the RAM user.

    1. Specify Resource Scope.

      Note

      • Account: The permissions are granted to the current Alibaba Cloud account.

      • Resource Group: The permissions are granted to a specific resource group. If you select Specific Resource Group for Authorized Scope, make sure that the cloud service supports resource groups. For more information, see Services that work with Resource Group.

    2. Specify a principal. The principal is the RAM user to which you want to grant permissions. By default, the current RAM user is specified as the principal. You can also specify another RAM user.

    3. Select a policy.

      Note

      You can attach at most five policies to a RAM user at a time. If you want to attach more policies, repeat the operation.

  5. Click Grant permissions.

    Note

    Use the RAM user to log on to the Container Registry console. You can then perform operations in the namespaces that the RAM user is authorized to access. For example, you can build, push, and pull images.