Overview
To push/pull container images, you need to log in to the instance first with the access credential. TCR supports credentials of user accounts and service accounts. This document describes how to manage service accounts, which is applicable to CI/CD automation scenarios.
A user account is bound with your Tencent Cloud account. The username must be the same as the Tencent Cloud account ID, and the password is generated randomly. The permission of the user account is controlled by the CAM permission of the associated Tencent Cloud account. When the associated Tencent Cloud account is deleted or disabled, the user account goes invalid. This can cause image push/pull failures in Kubernetes clusters or CI/CD scenarios. For more information, see Managing User Accounts. For CI/CD scenarios or you want to configure permissions on the namespace level, we recommend using the service account. Service Account supports the following features:
Custom username and password
Namespace-specific read/write permission configuration
Custom validity period. You can disable a service account temporarily.
Note:
1. TCR is unable to verify the individual identity of the service account owner. If you need to track and audit the image pull/push events, please use the user account.
2. The permission configuration of a service account prevails the CAM permissions. It means that service account can perform namespace-specific operations that do not allowed by the associated Tencent Cloud account. This brings the risk of broken access control. We recommend only assign the service account to the administrators of the instance.
Prerequisites
To obtain the access credential via API, obtain the API key for calling API 3.0. Note:
Access Credential is now only available to beta users. To try it out, submit a ticket. Directions
Creating a service account
1. Log in to the TCR console and choose Access credential > Service accounts in the left sidebar. 2. On the Service accounts page, select a region and an instance, and click Create.
3. On the Create service account page, set the parameters as instructed below:
Name (Required): Custom name of the account. It supports [a-z], [0-9] and [._-], and must start with a letter or digit. The prefix tcr$
is automatically added to the name to mark it as a service account. For example, if you enter robot-demo
, the actual username is tcr$robot-demo
.
Description: Enter the account description.
Validity: Select Permanent or specify a validity period (in days). The default value is 30 days.
Permission configuration: Configure the namespace-specific permission. Select namespaces based on the principle of least privilege.
Namespace: Select target namespaces
Permission type: Select Read-only or Read/Write. In the Read-only mode, image push is not supported.
4. Note down the username and password immediately after the account is created. This page will be displayed only once and the credential information cannot be retrieved after the page is closed.
Managing service accounts
1. Log in to the TCR console and choose Access credential > Service accounts in the left sidebar. 2. On the Service account page, select the region and instance name.
Check existing service accounts
Check the permissions of service accounts
Modify the service account configuration (except the account name)
Enable/Disable service accounts. Note that after an account is disabled, you cannot use it to push or pull images.
Delete service accounts. Note that after an account is deleted, you cannot use it to push or pull images.
Was this page helpful?