To provide more comprehensive authentication features, Tencent Container Registry (TCR) plans to enable some APIs to connect to Cloud Access Management (CAM) on April 25, 2025. If you have sub-accounts that need to access the corresponding APIs, follow the instructions on creating custom policies by policy generator. Otherwise, your sub-accounts will not be able to access the corresponding APIs. Thank you for your trust and support for Tencent Cloud. If you have any questions when using the cloud products, please contact us.
Common Authorization Methods
Method 1: Creating Custom Policies
Implementation Method
Create policies based on the principle of least privilege for different sub-accounts and bind the policies to the sub-accounts.
Applicable Scenario
Permission control is relatively strict, and the operation scope of each sub-account needs to be refined as needed.
Operation Steps
1. On the policy page of the CAM console, click Create Custom Policy in the upper left corner.
2. In the pop-up window, select a creation method by clicking Create by policy syntax, and enter the next page to select a policy template.
3. On the policy template selecting page, enter the keywords to search. For example, select all templates as the template type, enter the keyword a, and select the AdministratorAccess template.
4. Click Next to enter the policy editing page.
5. On the policy editing page, click Complete to finish creating a custom policy by policy syntax after you confirm the policy name and policy content. The default policy name and policy content are automatically generated by the console. The default policy name is policygen, and the numerical suffix is generated based on the creation date.
6. On the policy page of the CAM console, find the created policy and click Associate User/Group/Role in the Action column.
7. In the Associate User/User Group/Role pop-up window, select the user/user group/role to be associated and click OK to complete association of the user and the policy.
Note:
If the API is DeleteImage, DeleteNamespace, DescribeImages, DescribeTagRetentionExecutionTask, or ForwardRequest, use the corresponding name under "API Names at CAM Side for Authentication Configuration" to add permissions.
For example, if the API is DescribeImages, you need to use the DescribeRepositories API to add permission.
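The following Python script is an added example, not part of Tencent Cloud's documentation: it builds a least-privilege policy body for the policy editing page in step 5 from the APIs a sub-account actually calls, applying the CAM-side name mapping from the note above, and checks whether an existing policy already covers those APIs. The function names, the `tcr:` action prefix, and the `*` resource are assumptions of this example, and the coverage check looks only at action names, not at resource or condition scoping.

```python
import json
from fnmatch import fnmatchcase

# CAM-side action names, from the note and the API table on this page.
CAM_SIDE_ACTION = {
    "DeleteImage": "DeleteRepository",
    "DeleteNamespace": "DeleteRepository",
    "DescribeImages": "DescribeRepositories",
    "DescribeTagRetentionExecutionTask": "DescribeTagRetentionRules",
    "ForwardRequest": "DescribeInstances",
}

def cam_action(api):
    """Action string that authorizes a TCR API ("tcr:" prefix is an assumption)."""
    return "tcr:" + CAM_SIDE_ACTION.get(api, api)

def build_policy(apis, resource="*"):
    """Policy body allowing only the given APIs; narrow `resource` where possible."""
    actions = sorted({cam_action(a) for a in apis})
    return {"version": "2.0", "statement": [
        {"effect": "allow", "action": actions, "resource": [resource]}]}

def _matches(stmt, effect, action):
    # A statement's action may be a single string or a list, with * wildcards.
    patterns = stmt.get("action", [])
    if isinstance(patterns, str):
        patterns = [patterns]
    return stmt.get("effect") == effect and any(
        fnmatchcase(action, p) for p in patterns)

def uncovered_apis(policy, apis):
    """APIs the policy does not authorize: no allow match, or an explicit deny."""
    stmts = policy.get("statement", [])
    missing = []
    for api in apis:
        action = cam_action(api)
        allowed = any(_matches(s, "allow", action) for s in stmts)
        denied = any(_matches(s, "deny", action) for s in stmts)
        if denied or not allowed:
            missing.append(api)
    return missing

if __name__ == "__main__":
    needed = ["DescribeImages", "DescribeRepositories", "DeleteImage"]  # constructed
    print(json.dumps(build_policy(needed), indent=2))
    old = {"version": "2.0", "statement": [  # constructed existing policy
        {"effect": "allow", "action": ["tcr:Describe*"], "resource": ["*"]}]}
    print(uncovered_apis(old, needed))
```

Because DeleteImage and DeleteNamespace both map to DeleteRepository, the generated policy lists an action name broader than the API requested; review those entries before binding the policy to a sub-account.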
Method 2: Binding to the Preset Policy
Implementation Method
Bind the sub-accounts to the QcloudTCRFullAccess preset policy, which contains all API operation permissions of TCR.
Applicable Scenario
Business personnel have the basic operation permissions of all function modules.
Operation Steps
1. On the policy page of the CAM console, select the policy type TCR, locate "QcloudTCRFullAccess", and click Associate User/Group/Role in the Operation column.
2. In the Associate Users/User Groups/Roles window, select the user, user group, or role you want to associate and click Confirm to complete the association.
List of APIs Added for Authentication
API Name | Description | API Names at CAM Side for Authentication Configuration |
AuthorizeUserImageBuildConfig | Adds coding authentication on the Enterprise Edition. | - |
CreateApplicationTokenPersonal | Creates an access credential for a third-party application on the Personal Edition. | - |
CreateNamespace | Creates a namespace on the Enterprise Edition. | - |
CreateRepository | Creates an image repository on the Enterprise Edition. | - |
DeleteImage | Deletes a specified image on the Enterprise Edition. | DeleteRepository |
DeleteNamespace | Deletes a namespace on the Enterprise Edition. | DeleteRepository |
DeleteRepositoryTags | Deletes repository tags in batches on the Enterprise Edition. | - |
DescribeImageConfigPersonal | Queries image version configuration information on the Personal Edition. | - |
DescribeImageFilterPersonal | Queries the list of tags on the Personal Edition that have the same content as a specified tag. | - |
DescribeImageLifecycleGlobalPersonal | Obtains the auto-cleanup policy of the global image versions on the Personal Edition. | - |
DescribeImagePersonal | Obtains the image repository tag list on the Personal Edition. | - |
DescribeImages | Queries the container image information on the Enterprise Edition. | DescribeRepositories |
DescribeInstanceAllNamespaces | Queries the namespaces of all instances on the Enterprise Edition. | - |
DescribeNamespacePersonal | Queries the namespace information on the Personal Edition. | - |
DescribeNamespaces | Queries the namespace information on the Enterprise Edition. | - |
DescribeRegions | Lists the AZs of instances on the Enterprise Edition. | - |
DescribeRepositories | Queries the image repository information on the Enterprise Edition. | - |
DescribeRepositoryAllPersonal | Queries all accessible image repositories on the Personal Edition. | - |
DescribeRepositoryFilterPersonal | Obtains the image repositories that satisfy the entered search condition on the Personal Edition. | - |
DescribeRepositoryOwnerPersonal | Queries all repositories on the Personal Edition. | - |
DescribeRepositoryPersonal | Queries the repository information on the Personal Edition. | - |
DescribeTagRetentionExecutionTask | Queries the version retention execution tasks on the Enterprise Edition. | DescribeTagRetentionRules |
DescribeUserQuotaPersonal | Queries the user quotas on the Personal Edition. | - |
ForwardRequest | TCR proxy forwarding API. | DescribeInstances |
ListChartRelease | Queries the Chart version list on the Enterprise Edition. | - |
ManageInternalEndpoint | Manages an instance's VPC connections on the Enterprise Edition. | - |
UploadHelmChart | Uploads Helm Chart on the Enterprise Edition. | - |
ValidateNamespaceExistPersonal | Verifies the existence of namespaces on the Personal Edition. | - |
ValidateUserPersonal | Verifies the existence of users on the Personal Edition. | - |