IBM Cloud Container Registry supports IBM Cloud Identity and Access Management access policies
So, what’s changed? IBM Cloud Container Registry now supports IBM Cloud Identity and Access Management (IAM) access policies. You can configure policies to control the actions that your users and Service IDs can perform in Container Registry.
Does this apply to me?
If you use IBM Cloud Container Registry or IBM Cloud Kubernetes Service and you have other users in your account, this change affects you. You can use IAM to control what services and resources your users have access to. If you use IAM Service IDs, you can also control access for your Service IDs.
When you create an IBM Cloud Kubernetes Service cluster, the service automatically creates a registry token and installs it in your cluster. The token is used both to pull images from your private registry for your own deployments and to pull images that enable certain features in your cluster, such as logging integration. When the Kubernetes service sends a request to Container Registry to create the token, the Kubernetes service uses the credentials of the user who initiated the cluster creation, and Container Registry uses that user’s permissions to authorize the request.
Note: If you use other users or service IDs to order clusters in your IBM Cloud account, you need to make sure that those users have the Administrator role on both Kubernetes Service and Container Registry so that the Kubernetes service can create the registry token on their behalf.
What can I do with policies?
You can control who gets access to your images and what access they have. Grant the Reader role to allow a user to pull images, the Writer role to allow a user to push images, or the Manager role to allow a user to set quotas or pricing plans.
You can create multiple policies for each user. Each policy can control access to individual Registry namespaces as well as the whole service.
If you use automation, you can create a Service ID and then create policies to control its access. You can generate an API key for the Service ID to log in to Container Registry.
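As an added illustration (not code from the original post or from IBM), the following models the policies described above: the policy body follows the IAM Policy Management API shape (subjects, roles, resource attributes), a policy is either service-wide or scoped to one registry namespace, and a subject's several policies are unioned. The role-to-action mapping is this example's own simplification and assumes the roles are cumulative; account IDs and IAM IDs in the test are constructed placeholders.

```python
from typing import Iterable, Optional

# Actions the post associates with each role. Roles are treated as cumulative
# (Writer also pulls, Manager also pushes): an assumption of this example.
ROLE_ACTIONS = {
    "Reader": {"pull"},
    "Writer": {"pull", "push"},
    "Manager": {"pull", "push", "set-quota", "set-plan"},
}

def cr_policy(iam_id: str, role: str, account_id: str, region: str,
              namespace: Optional[str] = None) -> dict:
    """Build one IAM access policy granting ROLE on Container Registry.
    Without a namespace the policy covers the whole service in REGION;
    with one it is scoped to that single registry namespace."""
    attrs = [
        {"name": "accountId", "value": account_id},
        {"name": "serviceName", "value": "container-registry"},
        {"name": "region", "value": region},
    ]
    if namespace is not None:
        attrs += [{"name": "resourceType", "value": "namespace"},
                  {"name": "resource", "value": namespace}]
    return {
        "type": "access",
        "subjects": [{"attributes": [{"name": "iam_id", "value": iam_id}]}],
        "roles": [{"role_id": f"crn:v1:bluemix:public:iam::::serviceRole:{role}"}],
        "resources": [{"attributes": attrs}],
    }

def is_allowed(policies: Iterable[dict], iam_id: str, action: str,
               namespace: str) -> bool:
    """True if any policy held by IAM_ID grants ACTION on NAMESPACE.
    A subject's policies are unioned, so several narrow grants add up."""
    for p in policies:
        subjects = {a["value"] for s in p["subjects"]
                    for a in s["attributes"] if a["name"] == "iam_id"}
        if iam_id not in subjects:
            continue
        attrs = {a["name"]: a["value"] for a in p["resources"][0]["attributes"]}
        if attrs.get("serviceName") != "container-registry":
            continue
        if attrs.get("resourceType") == "namespace" and attrs["resource"] != namespace:
            continue
        for r in p["roles"]:
            role = r["role_id"].rsplit(":", 1)[-1]
            if action in ROLE_ACTIONS.get(role, set()):
                return True
    return False
```

A Service ID used by a build pipeline would typically get only a Reader or Writer policy on the namespaces it needs, while Manager on the whole service stays with a small set of administrators.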
How do I set them up?
When you add someone to your account, you need to create an IAM policy to allow them to access Container Registry. For more information about creating policies, see “Defining user access role policies.”
If you started using Container Registry after October 4, 2018, you don’t need to do anything to enable IAM policies. Policies are enforced automatically for invited users and Service IDs.
If you’re an existing user, you must enable policy enforcement. First, create policies for your users, and then run ibmcloud cr iam-policies-enable to have Container Registry start enforcing them. For more information, see “Defining user access role policies.”
To allow a user or Service ID to create a Kubernetes cluster, you must grant the Administrator role on Container Registry as well as other roles. To learn about creating clusters in IBM Cloud, see “Tutorial: Creating Kubernetes clusters.”
Where can I find more information?
For a step-by-step tutorial about IAM policies in Container Registry, see “Tutorial: Granting access to resources.”
For information about what each role grants access to, see “Managing user access with Identity and Access Management.”
If you have any questions, you can chat with the team on Slack. Get an invite here.