Access management in Container Registry

In this section, you will learn:

• Which resources you can assign a role for.
• Which roles exist in the service.
• Which roles are required for particular actions.

About access managementAbout access management

In Yandex Cloud, all transactions are checked in Yandex Identity and Access Management. If a subject does not have the required permission, the service returns an error.

To grant permissions for a resource, assign roles for this resource to the subject that will perform the operations. You can assign roles to a Yandex account, service account, federated users, user group, system group, or public group. For more information, see How access management works in Yandex Cloud.

Roles for a resource can be assigned by users who have the container-registry.admin role or one of the following roles for that resource:

• admin
• resource-manager.admin
• organization-manager.admin
• resource-manager.clouds.owner
• organization-manager.organizations.owner

Which resources you can assign a role forWhich resources you can assign a role for

You can assign a role to an organization, cloud, or folder. The roles assigned for organizations, clouds, or folders also apply to nested resources.

You can also assign a role for individual resources of the service. The list of such resources depends on the Yandex Cloud interfaces you use to assign roles:

• In the management console, you can only assign roles for a registry.
• Through the YC CLI or the Yandex Cloud API, you can assign roles for a registry or repository.

Which roles exist in the serviceWhich roles exist in the service

The chart below shows which roles are available in the service and how they inherit each other's permissions. For example, the editor role includes all the permissions of viewer. You can find the description of each role under the chart.

Service rolesService roles

container-registry.viewercontainer-registry.viewer

The container-registry.viewer role enables viewing info on registries, Docker images, and repositories, as well as on the relevant folder, cloud, and Container Registry quotas.

Users with this role can:

• View the list of registries, info on them and the access permissions granted for them, as well as on the access policy settings for IP addresses and the vulnerability scanner settings.
• View info on repositories and the access permissions granted for them.
• View the list of the Docker image auto-delete policies and info on them.
• View the list of the testing results for Docker image auto-delete policies and info on such results.
• View the list of Docker images in the registry and the info on them, as well as download Docker images from the registry.
• View the Docker image vulnerability scan history and the info on the result of such scans.
• View info on the Container Registry quotas.
• View info on the relevant cloud and folder.

container-registry.editorcontainer-registry.editor

The container-registry.editor role enables managing registries, Docker images, repositories, and their settings.

Users with this role can:

• View the list of registries and info on them, as well as create, modify, and delete them.
• View info on the access permissions granted for registries, as well as on the access policy settings for IP addresses.
• View info on the vulnerability scanner settings, as well as create, modify, and delete scan rules.
• View the list of Docker images in the registry and info on them, as well as create, download, modify, and delete them.
• Start and cancel Docker image vulnerability scans, as well as view scan history and the info on scan results.
• View info on repositories and the access permissions granted for them, as well as create and delete repositories.
• View the list of the Docker image auto-delete policies and info on them, as well as create, modify, and delete such policies.
• Test the Docker image auto-delete policies, view the list of testing results and the info on such results.
• View info on the Container Registry quotas.
• View info on the relevant cloud and folder.

This role also includes the container-registry.viewer permissions.

container-registry.admincontainer-registry.admin

The container-registry.admin role enables managing access to registries and repositories, as well as managing registries, Docker images, repositories and their settings.

Users with this role can:

• View the list of registries and info on them, as well as create, modify, and delete them.
• View info on granted access permissions to registries and modify such permissions.
• View info on the access policy settings for IP address and modify such settings.
• View info on the vulnerability scanner settings, as well as create, modify, and delete scan rules.
• View the list of Docker images in the registry and info on them, as well as create, download, modify, and delete them.
• Start and cancel Docker image vulnerability scans, as well as view scan history and the info on scan results.
• View info on repositories, as well as create and delete them.
• View info on granted access permissions to repositories and modify such permissions.
• View the list of the Docker image auto-delete policies and info on them, as well as create, modify, and delete such policies.
• Test the Docker image auto-delete policies, view the list of testing results and the info on such results.
• View info on the Container Registry quotas.
• View info on the relevant cloud and folder.

This role also includes the container-registry.editor permissions.

container-registry.images.pushercontainer-registry.images.pusher

The container-registry.images.pusher role enables managing Docker images and repositories, as well as viewing info on Docker images, repositories, and registries.

Users with this role can:

• View the list of registries and info on them.
• View the list of Docker images in the registry and info on them, as well as push, download, update, and delete them.
• Create and delete repositories.

container-registry.images.pullercontainer-registry.images.puller

The container-registry.images.puller role enables downloading Docker images from the registry and viewing the list of registries and Docker images, as well as info on them.

container-registry.images.scannercontainer-registry.images.scanner

The container-registry.images.scanner role enables scanning Docker images for vulnerabilities, as well as viewing info on registries, Docker images, repositories, the relevant cloud and folder, and the Container Registry quotas.

Users with this role can:

• View the list of Docker images in the registry and info on them, as well as download Docker images from the registry.
• Start and cancel Docker image vulnerability scans, as well as view scan history and the info on scan results.
• View the list of registries, info on them and the access permissions granted for them, as well as on the access policy settings for IP addresses and the vulnerability scanner settings.
• View info on repositories and the access permissions granted for them.
• View the list of the Docker image auto-delete policies and info on them.
• View the list of the testing results for Docker image auto-delete policies and info on such results.
• View info on the Container Registry quotas.
• View info on the relevant cloud and folder.

This role also includes the container-registry.viewer permissions.

For more information about service roles, see Roles in the Yandex Identity and Access Management service documentation.

Primitive rolesPrimitive roles

Primitive roles allow users to perform actions in all Yandex Cloud services.

auditorauditor

The auditor role grants a permission to read configuration and metadata of any Yandex Cloud resources without any access to data.

For instance, users with this role can:

• View info on a resource.
• View the resource metadata.
• View the list of operations with a resource.

auditor is the most secure role that does not grant any access to the service data. This role suits the users who need minimum access to the Yandex Cloud resources.

Currently, the auditor role is available for all Yandex Cloud services, except for:

• Yandex Data Streams
• Yandex Query

viewerviewer

The viewer role grants the permissions to read the info on any Yandex Cloud resources.

This role also includes the auditor permissions.

Unlike auditor, the viewer role provides access to service data in read mode.

editoreditor

The editor role provides permissions to manage any Yandex Cloud resources, except for assigning roles to other users, transferring organization ownership, removing an organization, and deleting Key Management Service encryption keys.

For instance, users with this role can create, modify, and delete resources.

This role also includes the viewer permissions.

adminadmin

The admin role enables assigning any roles, except for resource-manager.clouds.owner and organization-manager.organizations.owner, and provides permissions to manage any Yandex Cloud resources (except for transferring organization ownership and removing an organization).

Prior to assigning the admin role for an organization, cloud, or billing account, make sure to check out the information on protecting privileged accounts.

This role also includes the editor permissions.

Instead of primitive roles, we recommend using service roles. This ensures more selective access control and implementation of the principle of least privilege.

For more information about primitive roles, see the Yandex Cloud role reference.

What roles do I needWhat roles do I need

The table below lists the roles required to perform a particular action. You can always assign a role offering more permissions than the one specified. For example, you can assign the editor role instead of viewer.

Action	Methods	Required roles
View data
Get a list of registries.	list	container-registry.viewer for a folder.
Get information about registries, Docker images, and repositories.	get, list	container-registry.viewer for the registry containing the resource.
Pulling a Docker image.	pull	container-registry.images.puller for the registry or repository.
Getting information on lifecycle policies and the outcomes of their dry runs.	get, list, getDryRunResult, listDryRunResults	container-registry.viewer for the registry or repository that the lifecycle policy was created for.
Manage resources
Create registries in a folder.	create	container-registry.editor for a folder.
Update and delete registries	update, delete	container-registry.editor for the specified registry.
Create Docker images using basic Docker images from the registry	—	container-registry.images.puller for the registry or repository.
Create Docker images without using basic Docker images from the registry.	—	No roles required.
Push Docker images to the registry.	push	container-registry.images.pusher for the registry or repository.
Delete Docker images.	delete	container-registry.images.pusher for a registry or repository containing a Docker image.
Create, edit, delete, and perform a dry run of a lifecycle policy.	create, update, delete, dryRun	container-registry.editor for the registry or repository that the lifecycle policy was created for.
Manage resource access
Granting a role, revoking a role, and viewing the roles assigned to a folder, a cloud, or a registry.	setAccessBindings, updateAccessBindings, listAccessBindings	admin for the resource.
Scanning for vulnerabilities
Scanning a Docker image.	scan	container-registry.images.scanner for a registry or repository containing a Docker image.
Getting the results of a Docker image scan.	get, getLast, list, listVulnerabilities	container-registry.images.scanner for a registry or repository containing a Docker image.

What's next {what-is-next}What's next

• Assigning a role.
• Viewing assigned roles.
• Revoking a role.
• Learn more about access management in Yandex Cloud.
• Learn more about inheriting roles.