Access management in Container Registry
In this section, you will learn:
- Which resources you can assign a role for.
- Which roles exist in the service.
- Which roles are required for particular actions.
About access management
In Yandex Cloud, all transactions are checked in Yandex Identity and Access Management. If a subject does not have the required permission, the service returns an error.
To grant permissions for a resource, assign roles for this resource to the subject that will perform the operations. You can assign roles to a Yandex account, service account, federated users, user group, system group, or public group. For more information, see How access management works in Yandex Cloud.
Roles for a resource can be assigned by users who have the container-registry.admin
role or one of the following roles for that resource:
admin
resource-manager.admin
organization-manager.admin
resource-manager.clouds.owner
organization-manager.organizations.owner
Which resources you can assign a role for
You can assign a role to an organization, cloud, or folder. The roles assigned for organizations, clouds, or folders also apply to nested resources.
You can also assign a role for individual resources of the service. The list of such resources depends on the Yandex Cloud interfaces you use to assign roles:
- In the management console, you can only assign roles for a registry.
- Through the YC CLI or the Yandex Cloud API, you can assign roles for a registry or repository.
Which roles exist in the service
The chart below shows which roles are available in the service and how they inherit each other's permissions. For example, the editor
role includes all the permissions of viewer
. You can find the description of each role under the chart.
Service roles
container-registry.viewer
The container-registry.viewer
role enables viewing info on registries, Docker images, and repositories, as well as on the relevant folder, cloud, and Container Registry quotas.
Users with this role can:
- View the list of registries, info on them and the access permissions granted for them, as well as on the access policy settings for IP addresses and the vulnerability scanner settings.
- View info on repositories and the access permissions granted for them.
- View the list of the Docker image auto-delete policies and info on them.
- View the list of the testing results for Docker image auto-delete policies and info on such results.
- View the list of Docker images in the registry and the info on them, as well as download Docker images from the registry.
- View the Docker image vulnerability scan history and the info on the result of such scans.
- View info on the Container Registry quotas.
- View info on the relevant cloud and folder.
container-registry.editor
The container-registry.editor
role enables managing registries, Docker images, repositories, and their settings.
Users with this role can:
- View the list of registries and info on them, as well as create, modify, and delete them.
- View info on the access permissions granted for registries, as well as on the access policy settings for IP addresses.
- View info on the vulnerability scanner settings, as well as create, modify, and delete scan rules.
- View the list of Docker images in the registry and info on them, as well as create, download, modify, and delete them.
- Start and cancel Docker image vulnerability scans, as well as view scan history and the info on scan results.
- View info on repositories and the access permissions granted for them, as well as create and delete repositories.
- View the list of the Docker image auto-delete policies and info on them, as well as create, modify, and delete such policies.
- Test the Docker image auto-delete policies, view the list of testing results and the info on such results.
- View info on the Container Registry quotas.
- View info on the relevant cloud and folder.
This role also includes the container-registry.viewer
permissions.
container-registry.admin
The container-registry.admin
role enables managing access to registries and repositories, as well as managing registries, Docker images, repositories and their settings.
Users with this role can:
- View the list of registries and info on them, as well as create, modify, and delete them.
- View info on granted access permissions to registries and modify such permissions.
- View info on the access policy settings for IP address and modify such settings.
- View info on the vulnerability scanner settings, as well as create, modify, and delete scan rules.
- View the list of Docker images in the registry and info on them, as well as create, download, modify, and delete them.
- Start and cancel Docker image vulnerability scans, as well as view scan history and the info on scan results.
- View info on repositories, as well as create and delete them.
- View info on granted access permissions to repositories and modify such permissions.
- View the list of the Docker image auto-delete policies and info on them, as well as create, modify, and delete such policies.
- Test the Docker image auto-delete policies, view the list of testing results and the info on such results.
- View info on the Container Registry quotas.
- View info on the relevant cloud and folder.
This role also includes the container-registry.editor
permissions.
container-registry.images.pusher
The container-registry.images.pusher
role enables managing Docker images and repositories, as well as viewing info on Docker images, repositories, and registries.
Users with this role can:
- View the list of registries and info on them.
- View the list of Docker images in the registry and info on them, as well as push, download, update, and delete them.
- Create and delete repositories.
container-registry.images.puller
The container-registry.images.puller
role enables downloading Docker images from the registry and viewing the list of registries and Docker images, as well as info on them.
container-registry.images.scanner
The container-registry.images.scanner
role enables scanning Docker images for vulnerabilities, as well as viewing info on registries, Docker images, repositories, the relevant cloud and folder, and the Container Registry quotas.
Users with this role can:
- View the list of Docker images in the registry and info on them, as well as download Docker images from the registry.
- Start and cancel Docker image vulnerability scans, as well as view scan history and the info on scan results.
- View the list of registries, info on them and the access permissions granted for them, as well as on the access policy settings for IP addresses and the vulnerability scanner settings.
- View info on repositories and the access permissions granted for them.
- View the list of the Docker image auto-delete policies and info on them.
- View the list of the testing results for Docker image auto-delete policies and info on such results.
- View info on the Container Registry quotas.
- View info on the relevant cloud and folder.
This role also includes the container-registry.viewer
permissions.
For more information about service roles, see Roles in the Yandex Identity and Access Management service documentation.
Primitive roles
Primitive roles allow users to perform actions in all Yandex Cloud services.
auditor
The auditor
role grants a permission to read configuration and metadata of any Yandex Cloud resources without any access to data.
For instance, users with this role can:
- View info on a resource.
- View the resource metadata.
- View the list of operations with a resource.
auditor
is the most secure role that does not grant any access to the service data. This role suits the users who need minimum access to the Yandex Cloud resources.
Currently, the auditor
role is available for all Yandex Cloud services, except for:
- Yandex Data Streams
- Yandex Query
viewer
The viewer
role grants the permissions to read the info on any Yandex Cloud resources.
This role also includes the auditor
permissions.
Unlike auditor
, the viewer
role provides access to service data in read mode.
editor
The editor
role provides permissions to manage any Yandex Cloud resources, except for assigning roles to other users, transferring organization ownership, removing an organization, and deleting Key Management Service encryption keys.
For instance, users with this role can create, modify, and delete resources.
This role also includes the viewer
permissions.
admin
The admin
role enables assigning any roles, except for resource-manager.clouds.owner
and organization-manager.organizations.owner
, and provides permissions to manage any Yandex Cloud resources (except for transferring organization ownership and removing an organization).
Prior to assigning the admin
role for an organization, cloud, or billing account, make sure to check out the information on protecting privileged accounts.
This role also includes the editor
permissions.
Instead of primitive roles, we recommend using service roles. This ensures more selective access control and implementation of the principle of least privilege.
For more information about primitive roles, see the Yandex Cloud role reference.
What roles do I need
The table below lists the roles required to perform a particular action. You can always assign a role offering more permissions than the one specified. For example, you can assign the editor
role instead of viewer
.
Action | Methods | Required roles |
---|---|---|
View data | ||
Get a list of registries. | list |
container-registry.viewer for a folder. |
Get information about registries, Docker images, and repositories. | get , list |
container-registry.viewer for the registry containing the resource. |
Pulling a Docker image. | pull |
container-registry.images.puller for the registry or repository. |
Getting information on lifecycle policies and the outcomes of their dry runs. | get , list , getDryRunResult , listDryRunResults |
container-registry.viewer for the registry or repository that the lifecycle policy was created for. |
Manage resources | ||
Create registries in a folder. | create |
container-registry.editor for a folder. |
Update and delete registries | update , delete |
container-registry.editor for the specified registry. |
Create Docker images using basic Docker images from the registry | — | container-registry.images.puller for the registry or repository. |
Create Docker images without using basic Docker images from the registry. | — | No roles required. |
Push Docker images to the registry. | push |
container-registry.images.pusher for the registry or repository. |
Delete Docker images. | delete |
container-registry.images.pusher for a registry or repository containing a Docker image. |
Create, edit, delete, and perform a dry run of a lifecycle policy. | create , update , delete , dryRun |
container-registry.editor for the registry or repository that the lifecycle policy was created for. |
Manage resource access | ||
Granting a role, revoking a role, and viewing the roles assigned to a folder, a cloud, or a registry. | setAccessBindings , updateAccessBindings , listAccessBindings |
admin for the resource. |
Scanning for vulnerabilities | ||
Scanning a Docker image. | scan |
container-registry.images.scanner for a registry or repository containing a Docker image. |
Getting the results of a Docker image scan. | get , getLast , list , listVulnerabilities |
container-registry.images.scanner for a registry or repository containing a Docker image. |