Elastic Container Instance allows you to pull images from Alibaba Cloud Container Registry instances without using secrets to improve efficiency and security of image pulling. This topic describes how to pull images from a Container Registry instance without using a secret.
Background information
Container Registry provides Container Registry Personal Edition instances and Container Registry Enterprise Edition instances. Container Registry Enterprise Edition is an enterprise-grade platform designed to manage the lifecycle of cloud native application artifacts, including container images, Helm charts, and Open Container Initiative (OCI) artifacts. It is suitable for large-scale business deployment scenarios and helps enterprises reduce the delivery complexity. For more information, see What is Container Registry?
When you create an elastic container instance or an image cache from an image that is stored in a Container Registry instance, you can configure secret-free image pulling. This simplifies the process, improves efficiency, and removes the risk of leaking a registry secret.
Note You cannot pull images (for example, Docker images) that are not in Container Registry instances without using secrets.
Prerequisites
Before you configure secret-free image pulling for resources such as elastic container instances, make sure that you have completed the following operations:
A Container Registry instance is created, and related configurations such as image repositories and images are completed for the instance.
If the Container Registry instance is an Enterprise Edition instance, secret-free access to the instance is configured.
By default, a newly created Container Registry Enterprise Edition instance is disconnected from all networks. You must configure access control lists (ACLs) to allow access to the instance over the Internet or virtual private clouds (VPCs).
Over the Internet: After you enable Internet access for an Enterprise Edition instance, you can access images in the Enterprise Edition instance across regions by using public endpoints of the Enterprise Edition instance. For more information, see Enable Internet access.
Over a VPC: To access a Container Registry Enterprise Edition instance over a VPC, you must enable the relevant authorization by using the service-linked role AliyunServiceRoleForContainerRegistryAccessCustomerPrivateZone. For more information, see Configure a VPC ACL.
Configuration description
The following table describes the scenarios in which images can be pulled from Container Registry instances without using secrets.
The resource to be created (such as an elastic container instance) and the Container Registry instance are in the same account | Edition of the Container Registry instance | Secret-free image pulling |
Yes | Personal Edition, or Enterprise Edition (use a default domain name) | By default, secret-free image pulling is enabled. You can configure a RAM role to limit the scope of Container Registry instances that support secret-free image pulling. |
Yes | Enterprise Edition (use a custom domain name) | Secret-free image pulling cannot be enabled by default. You must specify the Container Registry instances that support secret-free image pulling. |
No | Personal Edition or Enterprise Edition | Secret-free image pulling cannot be enabled by default. You must configure RAM roles to implement secret-free image pulling. |
Select one of the following configuration methods based on your accounts and Container Registry instance.
Configure a RAM role to limit the scope of Container Registry instances that support secret-free image pulling
If the resource to be created such as an elastic container instance and the Container Registry instance belong to the same Alibaba Cloud account, and the Container Registry instance is an Enterprise Edition instance that uses a default domain name or is a Personal Edition instance, secret-free image pulling is enabled for the Container Registry instance by default. In this case, you can configure a RAM role based on your business requirements to limit the scope of Container Registry instances that support secret-free image pulling. For example, you can specify only one Container Registry instance that supports secret-free image pulling.
Note By default, Elastic Container Instance uses the service-linked role AliyunServiceRoleForECI to obtain access to other Alibaba Cloud services that are required to create Elastic Container Instance resources. AliyunServiceRoleForECI has the permission to pull images from Container Registry instances. The preceding Container Registry instances include all Enterprise Edition instances that use default domain names or all Personal Edition instances in the same Alibaba Cloud account as the Elastic Container Instance resource. Fine-grained permission control cannot be implemented by using the service-linked role.
Procedure:
Step 1: Create RAM roles and grant permissions to the RAM roles
Create a RAM role for a trusted Alibaba Cloud service. For more information, see Create a RAM role for a trusted Alibaba Cloud service.
Take note of the following parameters:
Select Trusted Entity: Alibaba Cloud Service.
Role Type: Normal Service Role.
RAM Role Name: Example: acr-test.
Select Trusted Service: ECI.
Create a custom permission policy. For more information, see Create a custom policy.
The following example shows the content of a policy, which indicates that only images in the specified Container Registry instance can be pulled. For more information about how to write a policy, see Policy elements.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cr:Get*",
        "cr:List*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cr:Pull*"
      ],
      "Resource": [
        "acs:cr:cn-hangzhou:1609982529******:instance/cri-nwj395hgf6f3****"
      ]
    }
  ]
}
Attach the custom policy to the RAM role. For more information, see Grant permissions to a RAM role.
Find the acr-test role that you created. Click the role name to go to the details page. Verify the permissions and obtain the Alibaba Cloud Resource Name (ARN) of the RAM role.
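The policy above is the least-privilege part of this procedure: cr:Get* and cr:List* stay on "*", while cr:Pull* is tied to named instance ARNs. The following Python is an added example (not Alibaba Cloud's code or tooling) that builds that policy for a list of instance ARNs and audits an arbitrary policy document for Allow statements that grant pull permission on a wildcard resource, so a reviewer can confirm a role's policy really narrows the scope before attaching it. The region, account ID and instance ID used are constructed placeholders.

```python
import json
import re

# Shape of a Container Registry instance ARN as shown in the topic:
# acs:cr:<region-id>:<account-id>:instance/<instance-id>
CR_INSTANCE_ARN = re.compile(r"^acs:cr:[a-z0-9-]+:\d+:instance/cri-[a-z0-9]+$")


def build_pull_policy(instance_arns):
    """Build the custom policy from the topic for the given instance ARNs:
    cr:Get*/cr:List* on all resources, cr:Pull* only on the named instances."""
    bad = [arn for arn in instance_arns if not CR_INSTANCE_ARN.match(arn)]
    if bad:
        raise ValueError(f"not Container Registry instance ARNs: {bad}")
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Action": ["cr:Get*", "cr:List*"], "Resource": "*"},
            {"Effect": "Allow", "Action": ["cr:Pull*"], "Resource": list(instance_arns)},
        ],
    }


def _as_list(value):
    # Policy documents allow a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value)


def audit_pull_scope(policy):
    """Return the indices of Allow statements that grant pull permission on a
    wildcard resource. An empty list means pulling is limited to named instances."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        grants_pull = any(a in ("*", "cr:*") or a.startswith("cr:Pull") for a in actions)
        wildcard = any("*" in r for r in resources)
        if grants_pull and wildcard:
            findings.append(idx)
    return findings


if __name__ == "__main__":
    # Constructed placeholder region/account/instance values, not real identifiers.
    policy = build_pull_policy(["acs:cr:cn-hangzhou:123456789012:instance/cri-example0001"])
    print(json.dumps(policy, indent=2))
    print("over-broad pull statements:", audit_pull_scope(policy))
```

Run it to print a policy document you can paste into the custom policy editor; a non-empty list from audit_pull_scope means the role would still be able to pull from every instance in the account, which is the situation the service-linked role already covers and this procedure is meant to avoid.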
Step 2: Specify the RAM role that you created in Step 1 to create a resource
When you call the CreateContainerGroup API operation to create an elastic container instance or call the CreateImageCache API operation to create an image cache, you can use the AcrRegistryInfo.N.ArnService parameter to specify the RAM role that is used to create the resource. The following table describes the parameter. For more information, see CreateContainerGroup and CreateImageCache.
Parameter | Type | Example | Description |
AcrRegistryInfo.N.ArnService | string | acs:ram::1609982529******:role/acr-test | The ARN of the RAM role in the Alibaba Cloud account to which the resource to be created such as an elastic container instance belongs. |
For example, if you create an elastic container instance, you can specify the following parameters in OpenAPI:
ContainerGroupName=test-acr
#Container
Container.1.Name=test
Container.1.Image=test****-registry.cn-hangzhou.cr.aliyuncs.com/eci_test/nginx:1.0
#AcrRegistryInfo
AcrRegistryInfo.1.ArnService=acs:ram::1609982529******:role/acr-test
Specify the Container Registry Enterprise Edition instances that support secret-free image pulling
If the resource to be created such as an elastic container instance and the Container Registry instance belong to the same Alibaba Cloud account, and the Container Registry instance is an Enterprise Edition instance that uses a custom domain name, to implement secret-free image pulling, you must specify the Container Registry instance.
OpenAPI
If you call the CreateContainerGroup API operation to create an elastic container instance or call the CreateImageCache API operation to create an image cache, you can configure AcrRegistryInfo-related parameters to specify the Container Registry instance. The following table describes these parameters. For more information, see CreateContainerGroup and CreateImageCache.
Parameter | Type | Example | Description |
AcrRegistryInfo.N.RegionId | string | cn-beijing | The region ID of Container Registry Enterprise Edition instance N. This parameter is required if the resource to be created such as an elastic container instance and the Container Registry instance are located in different regions. |
AcrRegistryInfo.N.InstanceId | string | cri-nwj395hgf6f3**** | The ID of Container Registry Enterprise Edition instance N. This parameter is required if the Enterprise Edition instance uses a custom domain name. |
For example, if you create an elastic container instance, you can specify the following parameters in OpenAPI:
Example 1: Specify only the ID of the Container Registry instance
ContainerGroupName=test
#Container
Container.1.Name=c1
Container.1.Image=test****-registry.example.com/eci_test/nginx:1.0
#AcrRegistryInfo
AcrRegistryInfo.1.InstanceId=cri-nwj395hg********
Example 2: Specify the region ID and the ID of the Container Registry instance
ContainerGroupName=test
#Container
Container.1.Name=c1
Container.1.Image=test****-registry.example.com/eci_test/nginx:1.0
Container.2.Name=c2
Container.2.Image=test****-registry.example.com/eci_test/busybox:1.0
Container.2.Command=sleep
Container.2.Arg=3600
#AcrRegistryInfo
AcrRegistryInfo.1.RegionId=cn-beijing
AcrRegistryInfo.1.InstanceId=cri-nwj395hg********
Console mode
When you create an elastic container instance on the buy page, you can select an image for each container in the Container Configurations section. When you select container images, you can specify an image in a Container Registry Enterprise Edition instance on the Container Registry Enterprise Edition image tab.
Note You cannot specify an image in a Container Registry Enterprise Edition instance when you create an image cache in the Elastic Container Instance console.
Configure RAM roles to implement secret-free image pulling across accounts
If the resource to be created such as an elastic container instance and the Container Registry instance do not belong to the same Alibaba Cloud account, to implement secret-free image pulling, you must configure RAM roles for the two accounts and grant permissions to the RAM roles.
Procedure:
Step 1: Create RAM roles and grant permissions to the RAM roles
Create a RAM role in Account A to which the resource to be created such as an elastic container instance belongs and grant permissions to the RAM role.
Create a RAM role for a trusted Alibaba Cloud service. For more information, see Create a RAM role for a trusted Alibaba Cloud service.
Take note of the following parameters:
Select Trusted Entity: Alibaba Cloud Service.
Role Type: Normal Service Role.
RAM Role Name: Example: role-assume.
Select Trusted Service: ECI.
Grant the role-assume role the permission to call the AssumeRole API operation of Security Token Service (STS). For more information, see the "Method 2: Grant permissions to a RAM role by clicking Input and Attach on the Roles page" section of the Grant permissions to a RAM role topic.
Set the policy type to system policy, and the policy name to AliyunSTSAssumeRoleAccess.
Find the role-assume role that you created. Click the role name to go to the details page. Verify the permissions and the trust policy, and obtain the ARN of role-assume.
Permissions and the ARN
The trust policy
Create a RAM role in Account B to which the Container Registry instance belongs and grant permissions to the RAM role.
Create a RAM role for a trusted Alibaba Cloud account. For more information, see Create a RAM role for a trusted Alibaba Cloud account.
Take note of the following parameters:
Select Trusted Entity: Alibaba Cloud Account.
RAM Role Name: Example: role-acr.
Select Trusted Alibaba Cloud Account: Other Alibaba Cloud Account. Enter Account A to which the resource to be created such as the elastic container instance belongs.
Grant the role-acr role the permission to pull images from Container Registry instances. For more information, see the "Method 2: Grant permissions to a RAM role by clicking Input and Attach on the Roles page" section of the Grant permissions to a RAM role topic.
Set the policy type to system policy, and the policy name to AliyunContainerRegistryFullAccess.
Edit the trust policy to make role-acr trusted by role-assume. For more information, see Edit the trust policy of a RAM role.
By default, the role-acr role can be assumed by all RAM users and RAM roles in Account A. We recommend that you edit the trust policy to grant permissions only to necessary RAM users and RAM roles in Account A.
In the Principal element, change the value of the RAM field to the ARN of role-assume. This indicates that the role-acr role can only be assumed by role-assume. Example:
  "Principal": {
    "RAM": [
      "acs:ram::1609982529******:role/role-assume"
    ]
  }
Verify the permissions and the trust policy and obtain the ARN of role-acr.
Permissions and the ARN
The trust policy
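The trust-policy edit in the step above is where the cross-account setup is either tight or wide open: a RAM principal of the form acs:ram::<account>:root lets every RAM user and role in Account A assume role-acr. The following Python is an added example (not Alibaba Cloud's code) that flags whole-account or wildcard principals in a trust policy and produces a narrowed copy whose RAM principals are exactly the role ARNs you pass in. The account ID is a constructed placeholder, and the sample trust policy is constructed here in the shape the console generates for a trusted Alibaba Cloud account.

```python
import json
import re

# RAM role ARN, as used in the topic: acs:ram::<account-id>:role/<role-name>
ROLE_ARN = re.compile(r"^acs:ram::\d+:role/[\w.-]+$")


def trust_policy_findings(trust_policy):
    """Return the RAM principals in Allow statements that let a whole account
    (…:root) or a wildcard assume the role. Empty means only named principals."""
    findings = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principals = stmt.get("Principal", {}).get("RAM", [])
        principals = [principals] if isinstance(principals, str) else principals
        for principal in principals:
            if principal == "*" or principal.endswith(":root") or "*" in principal:
                findings.append(principal)
    return findings


def narrow_trust_policy(trust_policy, role_arns):
    """Return a deep copy of the trust policy in which every Allow statement's
    RAM principals are replaced by the given role ARNs (the original is untouched)."""
    bad = [arn for arn in role_arns if not ROLE_ARN.match(arn)]
    if bad:
        raise ValueError(f"not RAM role ARNs: {bad}")
    narrowed = json.loads(json.dumps(trust_policy))
    for stmt in narrowed.get("Statement", []):
        if stmt.get("Effect") == "Allow" and "RAM" in stmt.get("Principal", {}):
            stmt["Principal"]["RAM"] = list(role_arns)
    return narrowed


if __name__ == "__main__":
    # Constructed: the default trust policy of a role that trusts Account A as a whole.
    default_policy = {
        "Version": "1",
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"RAM": ["acs:ram::123456789012:root"]},
        }],
    }
    print("before:", trust_policy_findings(default_policy))
    fixed = narrow_trust_policy(default_policy, ["acs:ram::123456789012:role/role-assume"])
    print(json.dumps(fixed, indent=2))
    print("after:", trust_policy_findings(fixed))
```

The narrowed document is what you paste when you edit the trust policy of role-acr; rerunning trust_policy_findings on the saved policy is a cheap periodic check that nobody has widened it back to the whole account.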
Step 2: Specify the RAM roles that you created in Step 1 to create a resource
If you call the CreateContainerGroup API operation to create an elastic container instance or call the CreateImageCache API operation to create an image cache, you can configure AcrRegistryInfo-related parameters to specify the Container Registry instance in an Alibaba Cloud account different from the account of the resource to be created. Take note of the following items:
If the Container Registry instance belongs to an Alibaba Cloud account different from the account of the resource to be created, you must set ArnService and ArnUser to specify RAM roles for permission configurations.
If the Container Registry instance is an Enterprise Edition instance that uses a custom domain name, you must set InstanceId to specify the Container Registry instance.
For more information, see CreateContainerGroup and CreateImageCache.
Parameter | Type | Example | Description |
AcrRegistryInfo.N.ArnService | string | acs:ram::1609982529******:role/role-assume | The ARN of the RAM role in the Alibaba Cloud account to which the resource to be created such as an elastic container instance belongs. |
AcrRegistryInfo.N.ArnUser | string | acs:ram::1298452580******:role/role-acr | The ARN of the RAM role in the Alibaba Cloud account to which the Container Registry instance belongs. |
AcrRegistryInfo.N.RegionId | string | cn-beijing | The region ID of Container Registry Enterprise Edition instance N. This parameter is required if the resource to be created such as an elastic container instance and the Container Registry instance are located in different regions. |
AcrRegistryInfo.N.InstanceId | string | cri-nwj395hgf6f3**** | The ID of Container Registry Enterprise Edition instance N. This parameter is required if the Enterprise Edition instance uses a custom domain name. |
For example, if you create an elastic container instance, you can specify the following parameters in OpenAPI:
ContainerGroupName=test-acr
#Container
Container.1.Name=test
Container.1.Image=test****-registry.cn-hangzhou.cr.aliyuncs.com/eci_test/nginx:1.0
#AcrRegistryInfo
AcrRegistryInfo.1.ArnService=acs:ram::1609982529******:role/role-assume
AcrRegistryInfo.1.ArnUser=acs:ram::1298452580******:role/role-acr
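The three OpenAPI parameter sets on this page (same-account with a scoping role, same-account Enterprise Edition with a custom domain name, and cross-account with ArnService plus ArnUser) all follow the rules in the configuration table. The following Python is an added example, not Alibaba Cloud's SDK or code, that encodes those rules as a validator over small registry descriptors and flattens valid descriptors into the AcrRegistryInfo.N.<Field>=<value> lines shown in the examples. The account, region, custom_domain and ARN values are constructed placeholders; the descriptor keys account, region and custom_domain are bookkeeping for the checks and are not API parameters.

```python
# Descriptor keys that become AcrRegistryInfo.N.<Field> parameters, in output order.
FIELD_MAP = {
    "region_id": "RegionId",
    "instance_id": "InstanceId",
    "arn_service": "ArnService",
    "arn_user": "ArnUser",
}


def validate_registry(reg, resource_account, resource_region):
    """Return the problems with one registry descriptor, following the rules
    the topic states for secret-free pulling. Empty list means the descriptor
    is consistent (including the same-account, default-domain case that needs
    no AcrRegistryInfo parameters at all)."""
    problems = []
    if reg["account"] != resource_account:
        if not reg.get("arn_service"):
            problems.append("cross-account pull needs ArnService (role in the resource's account)")
        if not reg.get("arn_user"):
            problems.append("cross-account pull needs ArnUser (role in the registry's account)")
    if reg.get("custom_domain") and not reg.get("instance_id"):
        problems.append("Enterprise Edition instance with a custom domain name needs InstanceId")
    if reg["region"] != resource_region and not reg.get("region_id"):
        problems.append("registry in another region needs RegionId")
    return problems


def acr_registry_params(registries, resource_account, resource_region):
    """Flatten registry descriptors into AcrRegistryInfo.N.<Field>=<value> lines
    (N starts at 1). Raises ValueError if any descriptor breaks the rules."""
    lines = []
    for n, reg in enumerate(registries, start=1):
        problems = validate_registry(reg, resource_account, resource_region)
        if problems:
            raise ValueError(f"AcrRegistryInfo.{n}: " + "; ".join(problems))
        for key, field in FIELD_MAP.items():
            if reg.get(key):
                lines.append(f"AcrRegistryInfo.{n}.{field}={reg[key]}")
    return lines


if __name__ == "__main__":
    # Constructed: the resource is created in account 111 in cn-hangzhou; the
    # registry is an Enterprise Edition instance with a custom domain name in
    # account 222 in cn-beijing, so all four parameters are required.
    registries = [{
        "account": "222", "region": "cn-beijing", "custom_domain": True,
        "region_id": "cn-beijing", "instance_id": "cri-example0001",
        "arn_service": "acs:ram::111:role/role-assume",
        "arn_user": "acs:ram::222:role/role-acr",
    }]
    for line in acr_registry_params(registries, "111", "cn-hangzhou"):
        print(line)
```

Feeding the validator a descriptor that omits ArnUser for a cross-account registry, or InstanceId for a custom-domain instance, fails before any API call is made, which is cheaper than discovering an image-pull failure on the created instance.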