Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Access management in Container Registry

Written by
Updated at May 26, 2025

In this section, you will learn:

Access management

Yandex Identity and Access Management checks all operations in Yandex Cloud. If an entity does not have required permissions, this service returns an error.

To grant permissions for a resource, assign the appropriate resource roles to an entity performing operations, such as a Yandex account, service account, federated users, user group, system group, or public group. For more information, see How access management works in Yandex Cloud.

Roles for a resource can be assigned by users who have the container-registry.admin role or one of the following roles for that resource:

  • admin
  • resource-manager.admin
  • organization-manager.admin
  • resource-manager.clouds.owner
  • organization-manager.organizations.owner

Which resources you can assign a role for

You can assign a role to an organization, cloud, or folder. The roles assigned to organizations, clouds, and folders also apply to their nested resources.

You can also assign roles for individual resources within the service:

You can use the management console to assign roles for a registry.

You can use the Yandex Cloud CLI to assign roles for the following resources:

You can use Terraform to assign roles for the following resources:

You can use Yandex Cloud API to assign roles for the following resources:

Which roles exist in the service

The chart below shows service’s roles and their permission inheritance. For example, editor inherits all viewer permissions. You can find role descriptions under the chart.

Service roles

container-registry.viewer

The container-registry.viewer role enables viewing info on registries, Docker images, and repositories, as well as on the relevant folder, cloud, and Container Registry quotas.

Users with this role can:

  • View the list of registries, info on them and the access permissions granted for them, as well as on the access policy settings for IP addresses and the vulnerability scanner settings.
  • View info on repositories and the access permissions granted for them.
  • View the list of the Docker image auto-delete policies and info on them.
  • View the list of the testing results for Docker image auto-delete policies and info on such results.
  • View the list of Docker images in the registry and the info on them, as well as download Docker images from the registry.
  • View the Docker image vulnerability scan history and the info on the result of such scans.
  • View info on the Container Registry quotas.
  • View info on the relevant cloud and folder.

container-registry.editor

The container-registry.editor role enables managing registries, Docker images, repositories, and their settings.

Users with this role can:

  • View the list of registries and info on them, as well as create, modify, and delete them.
  • View info on the access permissions granted for registries, as well as on the access policy settings for IP addresses.
  • View info on the vulnerability scanner settings, as well as create, modify, and delete scan rules.
  • View the list of Docker images in the registry and info on them, as well as create, download, modify, and delete them.
  • Start and cancel Docker image vulnerability scans, as well as view scan history and the info on scan results.
  • View info on repositories and the access permissions granted for them, as well as create and delete repositories.
  • View the list of the Docker image auto-delete policies and info on them, as well as create, modify, and delete such policies.
  • Test the Docker image auto-delete policies, view the list of testing results and the info on such results.
  • View info on the Container Registry quotas.
  • View info on the relevant cloud and folder.

This role includes the container-registry.viewer permissions.

container-registry.admin

The container-registry.admin role enables managing access to registries and repositories, as well as managing registries, Docker images, repositories and their settings.

Users with this role can:

  • View the list of registries and info on them, as well as create, modify, and delete them.
  • View info on granted access permissions to registries and modify such permissions.
  • View info on the access policy settings for IP address and modify such settings.
  • View info on the vulnerability scanner settings, as well as create, modify, and delete scan rules.
  • View the list of Docker images in the registry and info on them, as well as create, download, modify, and delete them.
  • Start and cancel Docker image vulnerability scans, as well as view scan history and the info on scan results.
  • View info on repositories, as well as create and delete them.
  • View info on granted access permissions to repositories and modify such permissions.
  • View the list of the Docker image auto-delete policies and info on them, as well as create, modify, and delete such policies.
  • Test the Docker image auto-delete policies, view the list of testing results and the info on such results.
  • View info on the Container Registry quotas.
  • View info on the relevant cloud and folder.

This role includes the container-registry.editor permissions.

container-registry.images.pusher

The container-registry.images.pusher role enables managing Docker images and repositories, as well as viewing info on Docker images, repositories, and registries.

Users with this role can:

  • View the list of registries and info on them.
  • View the list of Docker images in the registry and info on them, as well as push, download, update, and delete them.
  • Create and delete repositories.

container-registry.images.puller

The container-registry.images.puller role enables downloading Docker images from the registry and viewing the list of registries and Docker images, as well as info on them.

container-registry.images.scanner

The container-registry.images.scanner role enables scanning Docker images for vulnerabilities, as well as viewing info on registries, Docker images, repositories, the relevant cloud and folder, and the Container Registry quotas.

Users with this role can:

  • View the list of Docker images in the registry and info on them, as well as download Docker images from the registry.
  • Start and cancel Docker image vulnerability scans, as well as view scan history and the info on scan results.
  • View the list of registries, info on them and the access permissions granted for them, as well as on the access policy settings for IP addresses and the vulnerability scanner settings.
  • View info on repositories and the access permissions granted for them.
  • View the list of the Docker image auto-delete policies and info on them.
  • View the list of the testing results for Docker image auto-delete policies and info on such results.
  • View info on the Container Registry quotas.
  • View info on the relevant cloud and folder.

This role includes the container-registry.viewer permissions.

For more information about service roles, see Roles in the Yandex Identity and Access Management documentation.

Primitive roles

Primitive roles allow users to perform actions in all Yandex Cloud services.

auditor

The auditor role grants a permission to read configuration and metadata of any Yandex Cloud resources without any access to data.

For instance, users with this role can:

  • View info on a resource.
  • View the resource metadata.
  • View the list of operations with a resource.

auditor is the most secure role that does not grant any access to the service data. This role suits the users who need minimum access to the Yandex Cloud resources.

viewer

The viewer role grants the permissions to read the info on any Yandex Cloud resources.

This role includes the auditor permissions.

Unlike auditor, the viewer role provides access to service data in read mode.

editor

The editor role provides permissions to manage any Yandex Cloud resources, except for assigning roles to other users, transferring organization ownership, removing an organization, and deleting Key Management Service encryption keys.

For instance, users with this role can create, modify, and delete resources.

This role includes the viewer permissions.

admin

The admin role enables assigning any roles, except for resource-manager.clouds.owner and organization-manager.organizations.owner, and provides permissions to manage any Yandex Cloud resources (except for transferring organization ownership and removing an organization).

Prior to assigning the admin role for an organization, cloud, or billing account, make sure to check out the information on protecting privileged accounts.

This role includes the editor permissions.

Rather than primitive roles, we suggest using service roles with more granular access control, allowing you to implement the least privilege principle.

For more information about primitive roles, see the Yandex Cloud role reference.

What roles do I need

The table below lists the roles required to perform a particular action. You can always assign a role offering more permissions than the one specified. For example, you can assign the editor role instead of viewer.

Action Methods Required roles
Viewing data
Get a list of registries. list container-registry.viewer for the folder
Get information about registries, Docker images, and repositories. get, list container-registry.viewer for the registry containing the resource
Pulling a Docker image. pull container-registry.images.puller
For the registry or repository
Get information on lifecycle policies and the outcomes of their dry runs. get, list, getDryRunResult, listDryRunResults container-registry.viewer for the registry or repository the lifecycle policy was created for
Managing resources
Create registries in a folder. create container-registry.editor for the folder
Update and delete registries update, delete container-registry.editor for the registry
Create Docker images using basic Docker images from the registry container-registry.images.puller
For the registry or repository
Create Docker images without using basic Docker images from the registry. No roles required.
Push Docker images to the registry. push container-registry.images.pusher
For the registry or repository
Delete Docker images. delete container-registry.images.pusher for the registry or repository containing the Docker image
Create, edit, delete, and perform a dry run of a lifecycle policy. create, update, delete, dryRun container-registry.editor for the registry or repository the lifecycle policy was created for
Resource access management
Grant a role, revoke a role, and view the roles assigned to a folder, a cloud, or a registry. setAccessBindings, updateAccessBindings, listAccessBindings admin for the resource
Scan for vulnerabilities
Scan a Docker image. scan container-registry.images.scanner for the registry or repository containing the Docker image
Get the results of a Docker image scan. get, getLast, list, listVulnerabilities container-registry.images.scanner for the registry or repository containing the Docker image

What's next

Previous
Quotas and limits
Next
Pricing policy