The TCR address format is as follows: ccr.ccs.tencentyun.com/${namespace}/${name}:${tag}.
The following fields are required for configuring the permissions of an image repository:
${namespace}: The namespace to which the image repository belongs.
${name}: The name of the image repository.
Note: Do not add slashes (/) to the namespace ${namespace} and the image name ${name}.
The ${tag} field is currently used only for authenticating the permissions for deleting. For more information, see Image Tag Permissions.
The ${namespace} and ${name} fields allow you to develop detailed permission schemes for collaborators to flexibly manage access permissions.
For example:
If you do not need to manage the permissions of the image repository in detail, you can use Preset Policy Authorization.
If you need to manage the collaborator permissions in detail, please use Custom Policy Authorization.
The TCR utilizes CAM (Cloud Access Management) to manage access permissions. You can learn more about how to use CAM here:
To simplify TCR permissions management, two preset policies are configured in TCR:
docker push
If you do not know how to associate a collaborator with a preset policy, please see Policy and Authorization Management.
With a custom policy, you can associate different permissions with different collaborators.
Take the following factors into account when assigning permissions:
qcs::ccr:::repo/*. For more information, see CAM Resource Description Method.
When you have planned the permission settings, you can assign the permissions. The following example shows how to "permit collaborators to create an image repository":
Create a custom policy as instructed in Policy.
Log in to the Tencent Cloud console using your developer account.
Go to the CAM custom policy management page and click Create a custom policy to open the "Select a policy creation method" dialog box, as shown in the following figure:
Select Create by policy syntax > Blank template.
Click Next to go to the Edit policy page.
Set the policy name and enter the following code into the “Edit policy content” edit box.
{
  "version": "2.0",
  "statement": [{
    "action": "ccr:CreateRepository",
    "resource": "qcs::ccr:::repo/*",
    "effect": "allow"
  }]
}
For example, you can set the policy name to ccr-policy-demo, as shown in the figure below:
Note: At the end of "resource", use * to indicate that an image repository can be created under any namespace.
qcs::ccr:::repo/*
Format description:
qcs::ccr::: is a fixed format, indicating the developer's TCR service.
repo is a fixed prefix, representing the resource type, which is an image repository here.
* after the slash (/) means matching all image repositories.
For a detailed description of resource, see CAM Resource Description Method.
You can grant permissions for multiple resources at a time. For example, to "permit the deletion of the image repositories in namespaces foo and bar", you can create the following custom policy:
{
  "version": "2.0",
  "statement": [{
    "action": [
      "ccr:BatchDeleteRepository",
      "ccr:DeleteRepository"
    ],
    "resource": [
      "qcs::ccr:::repo/foo/*",
      "qcs::ccr:::repo/bar/*"
    ],
    "effect": "allow"
  }]
}
Note:
foo/* in qcs::ccr:::repo/foo/* means all images in the image repository namespace foo.
bar/* in qcs::ccr:::repo/bar/* means all images in the image repository namespace bar.
You can configure multiple actions for a resource for centralized management of resource permissions. For example, to "permit the creation, deletion and push of image repositories in the namespace foo", you can create the following custom policy:
{
  "version": "2.0",
  "statement": [{
    "action": [
      "ccr:CreateRepository",
      "ccr:BatchDeleteRepository",
      "ccr:DeleteRepository",
      "ccr:push"
    ],
    "resource": "qcs::ccr:::repo/foo/*",
    "effect": "allow"
  }]
}
resource: qcs::ccr:::repo/${namespace}/${name}
action:
ccr:pull: Use the docker command line to pull an image
ccr:push: Use the docker command line to push an image
resource: qcs::ccr:::repo/${namespace}
action:
ccr:CreateCCRNamespace: Create an image repository namespace
ccr:DeleteUserNamespace: Delete an image repository namespace
Feature guide: TKE > Image Repositories in the left sidebar > My images > Namespace.
resource: qcs::ccr:::repo/${namespace}/${name}
action:
ccr:CreateRepository: Create an image repository
ccr:DeleteRepository: Delete an image repository
ccr:BatchDeleteRepository: Batch delete image repositories
ccr:GetUserRepositoryList: View the list of image repositories
Feature guide: TKE > Image Repositories in the left sidebar > My images > My images.
Note: To prevent a collaborator from deleting certain images, configure multiple actions.
For example, to prohibit deleting any image repository:
{
  "version": "2.0",
  "statement": [{
    "action": [
      "ccr:BatchDeleteRepository",
      "ccr:DeleteRepository"
    ],
    "resource": "qcs::ccr:::repo/*",
    "effect": "deny"
  }]
}
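Policies like these can be checked offline before they are attached to a collaborator. The following Python sketch is an added example, not Tencent Cloud code: it evaluates the foo policy and the deny policy from this page against sample requests. It assumes that * matches any run of characters including /, that an explicit deny overrides any allow, and that unmatched requests are denied; repo_resource, matches and evaluate are hypothetical helper names.

```python
import re

PREFIX = "qcs::ccr:::repo/"

# The two policies below are copied from this page.
FOO_ADMIN = {"version": "2.0", "statement": [{
    "action": ["ccr:CreateRepository", "ccr:BatchDeleteRepository",
               "ccr:DeleteRepository", "ccr:push"],
    "resource": "qcs::ccr:::repo/foo/*", "effect": "allow"}]}
DENY_DELETE = {"version": "2.0", "statement": [{
    "action": ["ccr:BatchDeleteRepository", "ccr:DeleteRepository"],
    "resource": "qcs::ccr:::repo/*", "effect": "deny"}]}


def repo_resource(namespace, name, tag=None):
    """Build qcs::ccr:::repo/${namespace}/${name}[:${tag}]; reject slashes."""
    for field, value in (("namespace", namespace), ("name", name)):
        if not value or "/" in value:
            raise ValueError(f"{field} must be non-empty without '/': {value!r}")
    resource = f"{PREFIX}{namespace}/{name}"
    return f"{resource}:{tag}" if tag else resource


def matches(pattern, resource):
    """Assumed wildcard rule: '*' matches any run of characters, '/' included."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, resource) is not None


def as_list(value):
    """Policies allow a single string or a list for action and resource."""
    return value if isinstance(value, list) else [value]


def evaluate(policies, action, resource):
    """Return 'deny', 'allow' or 'implicit-deny' for one request."""
    decision = "implicit-deny"  # assumed default when no statement matches
    for policy in policies:
        for stmt in policy["statement"]:
            if action not in as_list(stmt["action"]):
                continue
            if not any(matches(p, resource) for p in as_list(stmt["resource"])):
                continue
            if stmt["effect"] == "deny":
                return "deny"  # assumed: an explicit deny always wins
            decision = "allow"
    return decision


if __name__ == "__main__":
    attached = [FOO_ADMIN, DENY_DELETE]  # constructed sample requests follow
    for action, ns in [("ccr:push", "foo"), ("ccr:DeleteRepository", "foo"), ("ccr:push", "bar")]:
        print(action, ns, evaluate(attached, action, repo_resource(ns, "app")))
```

With both policies attached, the collaborator can still push to foo but can no longer delete there, and gets nothing in bar.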
resource: qcs::ccr:::repo/${namespace}/${name}:${tag}
action:
ccr:DeleteTag: Delete image tag permissions
Feature guide: TKE > Image Repositories in the left sidebar > My images > My images > click an image name > Image tag page.