This document describes how to enable sub-accounts to view and use TCR Enterprise-related resources through CAM policies, including the specific operation steps and common policy configuration examples.
Note: If you need the permissions of other Tencent Cloud services when using some features in the TCR console, such as VPC, CloudAudit, and Tag, please see the corresponding CAM guide in CAM-Enabled Products.
This document takes the example of "granting the sub-account the read-only permission of an image repository" to introduce how to create a policy. The example uses the following values:
Resource path: tcr-xxxxxxxx/team-01/repo-demo/*. You can get the resource path in Image Repository.
Instance ID: tcr-xxxxxxxx. You can get the instance ID in the Instance List.
If you need to customize the policy JSON, please see CAM APIs for TCR Enterprise and Syntax Logic.
QcloudTCRFullAccess: Full read/write permission of TCR.
After the policy is bound to a sub-account, the sub-account has all operation permissions for all TCR resources, including TCR Enterprise and TCR Individual.
{
    "version": "2.0",
    "statement": [{
        "action": [
            "tcr:*"
        ],
        "resource": "*",
        "effect": "allow"
    }]
}
QcloudTCRReadOnlyAccess: Read-only permission of TCR.
After the policy is bound to a sub-account, the sub-account has the read-only permission for all TCR resources, including TCR Enterprise and TCR Individual.
{
    "version": "2.0",
    "statement": [{
        "action": [
            "tcr:Describe*",
            "tcr:PullRepository*"
        ],
        "resource": "*",
        "effect": "allow"
    }]
}
Note: The following scenario policies are only used for TCR Enterprise use cases. For the policies used for TCR Individual, please see Example of Authorization Solution of TCR Individual.
Grant a sub-account all read/write operation permissions for all resources in TCR Enterprise.
{
    "version": "2.0",
    "statement": [{
        "action": [
            "tcr:*"
        ],
        "resource": [
            "qcs::tcr:::instance/*",
            "qcs::tcr:::repository/*"
        ],
        "effect": "allow"
    }]
}
Grant a sub-account the read-only permission for all resources in TCR Enterprise.
{
    "version": "2.0",
    "statement": [{
        "action": [
            "tcr:Describe*",
            "tcr:PullRepository*"
        ],
        "resource": [
            "qcs::tcr:::instance/*",
            "qcs::tcr:::repository/*"
        ],
        "effect": "allow"
    }]
}
Grant a sub-account permissions to manage the specified instance, for example, dev-guangzhou, whose instance ID is tcr-xxxxxxxx.
{
    "version": "2.0",
    "statement": [{
        "action": [
            "tcr:*"
        ],
        "resource": [
            "qcs::tcr:::instance/tcr-xxxxxxxx",
            "qcs::tcr:::repository/tcr-xxxxxxxx/*"
        ],
        "effect": "allow"
    }]
}
Grant a sub-account permissions to manage the specified namespace in the specified instance, for example, team-01 under the instance tcr-xxxxxxxx.
{
    "version": "2.0",
    "statement": [{
            "action": [
                "tcr:*"
            ],
            "resource": [
                "qcs::tcr:::repository/tcr-xxxxxxxx/team-01",
                "qcs::tcr:::repository/tcr-xxxxxxxx/team-01/*"
            ],
            "effect": "allow"
        },
        {
            "action": [
                "tcr:DescribeInstance*"
            ],
            "resource": [
                "qcs::tcr:::instance/tcr-xxxxxxxx"
            ],
            "effect": "allow"
        }
    ]
}
Grant a sub-account the read-only permission of an image repository, for example, repo-demo in the namespace team-01 under the instance tcr-xxxxxxxx. The sub-account can only pull images from that repository; it cannot delete the repository, modify repository attributes, or push images.
{
    "version": "2.0",
    "statement": [{
            "action": [
                "tcr:Describe*",
                "tcr:PullRepository"
            ],
            "resource": [
                "qcs::tcr:::instance/tcr-xxxxxxxx",
                "qcs::tcr:::repository/tcr-xxxxxxxx/team-01",
                "qcs::tcr:::repository/tcr-xxxxxxxx/team-01/repo-demo",
                "qcs::tcr:::repository/tcr-xxxxxxxx/team-01/repo-demo/*"
            ],
            "effect": "allow"
        }
    ]
}
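To check that a scenario policy like the ones above really is least-privilege before binding it to a sub-account, the following added example (not from this page or from Tencent Cloud) evaluates requests against the last policy offline. It assumes a simplified CAM matching model: "*" is the only wildcard, an explicit deny overrides allow, conditions are ignored, and the action names tcr:DescribeInstances and tcr:DeleteRepository used in the checks are assumed names not shown on this page.

```python
import json
import re

# Constructed copy of the page's last example: read-only access to repo-demo in
# namespace team-01 of instance tcr-xxxxxxxx (the instance ID is a placeholder).
REPO_READONLY_POLICY = json.loads("""{
  "version": "2.0",
  "statement": [{
    "action": ["tcr:Describe*", "tcr:PullRepository"],
    "resource": [
      "qcs::tcr:::instance/tcr-xxxxxxxx",
      "qcs::tcr:::repository/tcr-xxxxxxxx/team-01",
      "qcs::tcr:::repository/tcr-xxxxxxxx/team-01/repo-demo",
      "qcs::tcr:::repository/tcr-xxxxxxxx/team-01/repo-demo/*"
    ],
    "effect": "allow"
  }]
}""")


def _as_list(value):
    # CAM accepts either a single string or a list for "action" and "resource".
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # Simplified CAM wildcard (assumption): "*" matches any run of characters,
    # "/" included, so "repository/tcr-xxxxxxxx/team-01/*" covers the whole namespace.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def is_allowed(policy, action, resource):
    """Evaluate one (action, resource) request against a policy document.

    Simplified CAM semantics: a statement applies when both an action pattern and
    a resource pattern match; an explicit deny beats any allow; without a matching
    allow the request is refused. Condition blocks are not modelled.
    """
    allowed = False
    for stmt in policy["statement"]:
        action_hit = any(_matches(p, action) for p in _as_list(stmt["action"]))
        resource_hit = any(_matches(p, resource) for p in _as_list(stmt["resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["effect"] == "deny":
            return False
        allowed = True
    return allowed
```

Run the same checks against each scenario policy on this page to confirm that pulls from other namespaces and write actions on the repository are refused.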