tencent cloud

Tencent Container Registry

Release Notes and Announcements
Release Notes
Announcements
User Tutorial
Product Introduction
Overview
TCR Service Levels and Capacity Limits
Strengths
Scenarios
Purchase Guide
Billing Overview
Purchase Methods
Notes on Arrears
Getting Started
Quick Start
TCR Individual Getting Started
Operation Guide
Creating an Enterprise Edition Instance
Access Configuration
Manage Image Repository
Image Distribution
Image Security
Image Cleanup
DevOps
OCI Artifacts Management
Operation Guide for TCR Individual
Terminating/Returning Instances
Use Cases
TCR Personal migration
TKE Clusters Use the TCR Addon to Enable Secret-free Pulling of Container Images via Private Network
Synchronizing Images to TCR Enterprise Edition from External Harbor
TKE Serverless Clusters Pull TCR Container Images
Image Data Synchronization and Replication Between Multiple Platforms in Hybrid Cloud
Nearby Access Through Image Synchronization Between Multiple Global Regions
Using Custom Domain Name and CCN to Implement Cross-Region Private Network Access
API Documentation
History
Introduction
API Category
Making API Requests
Instance Management APIs
Namespace APIs
Access Control APIs
Instance Synchronization APIs
Tag Retention APIs
Trigger APIs
Helm Chart APIs
Image Repository APIs
Custom Account APIs
Data Types
Error Codes
FAQs
TCR Individual Edition
TCR Enterprise Edition
Related Agreement
Service Level Agreement
Contact Us
Glossary
DocumentationTencent Container RegistryOperation GuideOperation Guide for TCR IndividualConfiguring Access PermissionExample of Authorization Solution of TCR Individual

Example of Authorization Solution of TCR Individual

PDF
Focus Mode
Font Size
Last updated: 2025-12-22 17:33:21

Policy Configuration in Typical Scenarios

Note:
The following scenario policies are only used for TCR Individual use cases.
Grant a sub-account the full read/write permissions for all resources in TCR Individual.
{
  "version": "2.0",
  "statement": [{
      "action": [
          "tcr:*"
      ],
      "resource": [
          "qcs::tcr:::repo/*"
      ],
      "effect": "allow"
  }]
}
Grant a sub-account the read-only permission for all resources in TCR Individual (former Image Repositories in TKE).
{
  "version": "2.0",
  "statement": [{
      "action": [
          "tcr:Describe*",
          "tcr:PullRepository*"
      ],
      "resource": [
          "qcs::tcr:::repo/*"
      ],
      "effect": "allow"
  }]
}
Grant a sub-account permissions to manage the specific namespace in the specific region. For example, the namespace team-01 in the default region.
{
  "version": "2.0",
  "statement": [{
          "action": [
              "tcr:*"
          ],
          "resource": [
              "qcs::tcr:::repo/team-01",
              "qcs::tcr:::repo/team-01/*"
          ],
          "effect": "allow"
      }
  ]
}
Grant a sub-account the read-only permission for an image repository, which means that the sub-account can only pull the images in the image repository instead of deleting the repository, modifying repository attributes, or pushing images. For example, the image repository repo-demo in the namespace team-01 in the default region.
{
  "version": "2.0",
  "statement": [{
          "action": [
              "tcr:Describe*",
              "tcr:PullRepositoryPersonal"
          ],
          "resource": [
              "qcs::tcr:::repo/team-01",
              "qcs::tcr:::repo/team-01/repo-demo",
              "qcs::tcr:::repo/team-01/repo-demo/*"
          ],
          "effect": "allow"
      }
  ]
}

Previous Topic: CAM APIs for Personal EditionNext Topic: Update Guide of Resource Level APIs and Authorization Solution of Personal Edition

Help and Support

Was this page helpful?

Help us improve! Rate your documentation experience in 5 mins.

Feedback