- Updates and Announcements
- User Tutorial
- Product Introduction
- Purchase Guide
- Quick Start
- Operation Guide
- Purchasing Instances
- Creating an Enterprise Edition Instance
- Access Configuration
- Manage Image Repository
- Image Distribution
- Image Security
- Synchronization and Replication
- Configuring Image Tag Retention
- Image Cleanup
- DevOps
- OCI Artifacts Management
- Operation Guide for TCR Individual
- Terminating/Returning Instances
- Best Practices
- TCR Personal migration
- Using the Delivery Assembly Line to Implement Container DevOps
- TKE Clusters Use the TCR Addon to Enable Secret-free Pulling of Container Images via Private Network
- Synchronizing Images to TCR Enterprise Edition from External Harbor
- TKE Serverless Clusters Pull TCR Container Images
- Image Data Synchronization and Replication Between Multiple Platforms in Hybrid Cloud
- Nearby Access Through Image Synchronization Between Multiple Global Regions
- Using Custom Domain Name and CCN to Implement Cross-Region Private Network Access
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Instance Management APIs
- DescribeInstances
- DescribeInstanceStatus
- CreateInstanceToken
- CreateInstance
- ModifyInstanceToken
- DescribeInstanceToken
- DeleteInstanceToken
- DeleteInstance
- RenewInstance
- CheckInstanceName
- CheckInstance
- ModifyInstance
- DescribeRegions
- DescribeInstanceCustomizedDomain
- DescribeImageAccelerateService
- DeleteInstanceCustomizedDomain
- DeleteImageAccelerateService
- CreateInstanceCustomizedDomain
- CreateImageAccelerationService
- Namespace APIs
- Image Repository APIs
- Custom Account APIs
- Trigger APIs
- Instance Synchronization APIs
- Access Control APIs
- Helm Chart APIs
- Tag Retention APIs
- Data Types
- Error Codes
- FAQs
- Service Level Agreement
- Contact Us
- Glossary
- Updates and Announcements
- User Tutorial
- Product Introduction
- Purchase Guide
- Quick Start
- Operation Guide
- Purchasing Instances
- Creating an Enterprise Edition Instance
- Access Configuration
- Manage Image Repository
- Image Distribution
- Image Security
- Synchronization and Replication
- Configuring Image Tag Retention
- Image Cleanup
- DevOps
- OCI Artifacts Management
- Operation Guide for TCR Individual
- Terminating/Returning Instances
- Best Practices
- TCR Personal migration
- Using the Delivery Assembly Line to Implement Container DevOps
- TKE Clusters Use the TCR Addon to Enable Secret-free Pulling of Container Images via Private Network
- Synchronizing Images to TCR Enterprise Edition from External Harbor
- TKE Serverless Clusters Pull TCR Container Images
- Image Data Synchronization and Replication Between Multiple Platforms in Hybrid Cloud
- Nearby Access Through Image Synchronization Between Multiple Global Regions
- Using Custom Domain Name and CCN to Implement Cross-Region Private Network Access
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Instance Management APIs
- DescribeInstances
- DescribeInstanceStatus
- CreateInstanceToken
- CreateInstance
- ModifyInstanceToken
- DescribeInstanceToken
- DeleteInstanceToken
- DeleteInstance
- RenewInstance
- CheckInstanceName
- CheckInstance
- ModifyInstance
- DescribeRegions
- DescribeInstanceCustomizedDomain
- DescribeImageAccelerateService
- DeleteInstanceCustomizedDomain
- DeleteImageAccelerateService
- CreateInstanceCustomizedDomain
- CreateImageAccelerationService
- Namespace APIs
- Image Repository APIs
- Custom Account APIs
- Trigger APIs
- Instance Synchronization APIs
- Access Control APIs
- Helm Chart APIs
- Tag Retention APIs
- Data Types
- Error Codes
- FAQs
- Service Level Agreement
- Contact Us
- Glossary
This document describes how to enable sub-accounts to view and use the TCR Enterprise related resources through the CAM policy, including specific operation steps and common policy configuration examples.
Note:If you need the permissions of other Tencent Cloud services when using some features in TCR console such as VPC, CloudAudit, Tag, please see the corresponding CAM Guide in CAM-Enabled Products.
Directions
This document takes the example of "granting the sub-account the read-only permission of an image repository" to introduce how to create a policy.
- Instance ID: tcr-xxxxxxxx
- Namespace: team-01
- Image repository: repo-demo
- Log in to the CAM console.
- In the left sidebar, click Policies to go to the policy management page.
- Click Create custom policy in the upper-left corner.
- In the pop-up window, click Create by policy generator to go to the Edit policy page.
- Select the service in the Visual Policy Generator, enter the following information, and edit an authorization statement.
- Effect: Select Allow or Deny. Here, we select Allow.
- Service: Select the service you want to authorize. Here, we select Tencent Container Registry (tcr).
- Action: Select the operations you want to authorize. Here, we select Read.
- Resource: Select all resources or specific resources you want to authorize. Here, we select Specific resources, and add the following six-segment resource to restrict the access.
- repository: Select the region where the repository resides, and enter the resource path of the repository, for example,
tcr-xxxxxxxx/team-01/repo-demo/*. You can get the resource path in Image Repository. - repo: It is left empty.
- instance: Select the region where the repository resides, and enter the ID of the instance to which the repository belongs, for example,
tcr-xxxxxxxx. You can get the instance ID in the Instance List.
- repository: Select the region where the repository resides, and enter the resource path of the repository, for example,
- Condition: It is left empty.
- Click Next to go to the Associate users/user groups page.
- On the Associate users/user groups page, add the policy name and description, and you can associate users or user groups for quick authorization at the same time.
- Click Complete to complete the custom policy creation.
Common Policy Configuration
If you need to customize the policy JSON, please see CAM APIs for TCR Enterprise and Syntax Logic.
Preset policy configuration
QcloudTCRFullAccess: Full read/write permission of TCR.
After the policy is bound to a sub-account, the sub-account has all operation permissions for all TCR resources, including TCR Enterprise and TCR Individual.{ "version": "2.0", "statement": [{ "action": [ "tcr:*" ], "resource": "*", "effect": "allow" }] }QcloudTCRReadOnlyAccess: Read-only permission of TCR.
After the policy is bound to a sub-account, the sub-account has the read-only permission for all TCR resources, including the TCR Enterprise and TCR Individual.{ "version": "2.0", "statement": [{ "action": [ "tcr:Describe*", "tcr:PullRepository*" ], "resource": "*", "effect": "allow" }] }
Policy configuration in typical scenarios
Note:The following scenario policies are only used for TCR Enterprise use cases. For the policies used for TCR Individual, please see Example of Authorization Solution of TCR Individual.
Grant a sub-account all read/write operation permissions for all resources in TCR Enterprise.
{ "version": "2.0", "statement": [{ "action": [ "tcr:*" ], "resource": [ "qcs::tcr:::instance/*", "qcs::tcr:::repository/*" ], "effect": "allow" }] }Grant a sub-account the read-only permission for all resources in TCR Enterprise.
{ "version": "2.0", "statement": [{ "action": [ "tcr:Describe*", "tcr:PullRepository*" ], "resource": [ "qcs::tcr:::instance/*", "qcs::tcr:::repository/*" ], "effect": "allow" }] }Grant a sub-account permissions to manage the specified instance, for example, dev-guangzhou, whose instance ID is tcr-xxxxxxxx.
{ "version": "2.0", "statement": [{ "action": [ "tcr:*" ], "resource": [ "qcs::tcr:::instance/tcr-xxxxxxxx", "qcs::tcr:::repository/tcr-xxxxxxxx/*" ], "effect": "allow" }] }Grant a sub-account permissions to manage the specified namespace in the specified instance, for example, team-01 under the instance tcr-xxxxxxxx.
{ "version": "2.0", "statement": [{ "action": [ "tcr:*" ], "resource": [ "qcs::tcr:::repository/tcr-xxxxxxxx/team-01", "qcs::tcr:::repository/tcr-xxxxxxxx/team-01/*" ], "effect": "allow" }, { "action": [ "tcr:DescribeInstance*" ], "resource": [ "qcs::tcr:::instance/tcr-xxxxxxxx" ], "effect": "allow" } ] }Grant a sub-account the read-only permission of an image repository, which means that the sub-account can only pull the images in the image repository instead of deleting a repository, modifying repository attributes, or pushing images, for example, repo-demo in the namespace team-01 under the instance tcr-xxxxxxxx.
{ "version": "2.0", "statement": [{ "action": [ "tcr:Describe*", "tcr:PullRepository" ], "resource": [ "qcs::tcr:::instance/tcr-xxxxxxxx", "qcs::tcr:::repository/tcr-xxxxxxxx/team-01", "qcs::tcr:::repository/tcr-xxxxxxxx/team-01/repo-demo", "qcs::tcr:::repository/tcr-xxxxxxxx/team-01/repo-demo/*" ], "effect": "allow" } ] }
Yes
No
Was this page helpful?