Cloud Access Management
- Product Introduction
- Getting Started
- User Guide
- Users
- Sub-Users
- Sub-User Security Credentials
- Collaborators
- Collaborator Security Credentials
- Message Recipients
- User Settings
- User Groups
- Role
- Identity Provider
- User-Based SSO
- Role-Based SSO
- Policies
- Definition
- Authorization Guide
- Syntax Logic
- Element Reference
- CAM-Enabled Role
- Container
- Microservice
- Essential Storage Service
- Data Process and Analysis
- Data Migration
- Relational Database
- Enterprise Distributed DBMS
- NoSQL Database
- Database SaaS Tool
- Networking
- CDN and Acceleration
- Network Security
- Data Security
- Application Security
- Domains & Websites
- Big Data
- Middleware
- Interactive Video Services
- Media On-Demand
- Cloud Real-time Rendering
- Game Services
- Cloud Resource Management
- Management and Audit Tools
- Monitor and Operation
- CAM-Enabled API
- Compute
- Edge Computing
- Distributed cloud
- Microservice
- Serverless
- Essential Storage Service
- Data Process and Analysis
- Data Migration
- Relational Database
- Enterprise Distributed DBMS
- Database SaaS Tool
- CDN and Acceleration
- Network Security
- Endpoint Security
- Business Security
- Application Security
- Domains & Websites
- Big Data
- Voice Technology
- Image Creation
- AI Platform Service
- Natural Language Processing
- Optical Character Recognition
- Interactive Video Services
- Stream Services
- Media On-Demand
- Media Process Services
- Cloud Real-time Rendering
- Game Services
- Education Sevices
- Cloud Resource Management
- Management and Audit Tools
- Monitor and Operation
- Practical Tutorial
- Supporting Isolated Resource Access for Employees
- Enterprise Multi-Account Permissions Management
- Implementing Attribute-Based Access Control for Employee Resource Permissions Management
- Business Use Cases
- TencentDB for MySQL
- CLB
- CMQ
- COS
- CVM
- VPC
- API Documentation
- User APIs
- Role APIs
- Making API Requests
- Identity Provider APIs
- Policy APIs
Tencent Container Registry
Last updated: 2025-03-26 10:05:07
Fundamental information
| Product | Abbreviation in CAM | Console | Authorization by Tag | Authorization Granularity | IP Restriction |
|---|---|---|---|---|---|
| Tencent Container Registry | tcr | Supported | Supported | Resource level | Partially supported |
Note:
The authorization granularity of cloud products is divided into three levels: service level, operation level, and resource level, based on the degree of granularity.
- Service level: It defines whether a user has the permission to access the service as a whole. A user can have either full access or no access to the service. For the authorization granularity of cloud products at service level, the authorization of specific APIs are not supported.
- Operation level: It defines whether a user has the permission to call a specific API of the service. For example, granting an account read-only access to the CVM service is an authorization at the operation level.
- Resource level: It is the finest authorization granularity which defines whether a user has the permission to access specific resources. For example, granting an account read/write access to a specific CVM instance is an authorization at the resource level.
API authorization granularity
Two authorization granularity levels of API are supported: resource level, and operation level.
- Resource level: It supports the authorization of a specific resource.
- Operation level: It does not support the authorization of a specific resource. If the policy syntax restricts a specific resource during authorization, CAM will determine that this API is not within the scope of authorization, and deem it as unauthorized.
Write operations
| API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction |
|---|---|---|---|---|
| AuthorizeUserImageBuildConfig | add coding certification | Operation level | * | not supported |
| BatchDeleteImagePersonal | Batch Delete Image Personal | Resource level | qcs::tcr:${Region}:uin/:repo/${Reponame}/${Tags} | Supported |
| BatchDeleteRepositoryPersonal | Batch Delete Repository Personal | Resource level | qcs::${ApiModule}:${Region}:uin/:repo/${RepoNames} | Supported |
| CreateApplicationTokenPersonal | Create Application Token | Operation level | * | Supported |
| CreateApplicationTriggerPersonal | create application trigger personal | Operation level | * | Supported |
| CreateCustomAccount | create custom account | Resource level | qcs::tcr:${region}:uin/${uin}:instance/${instanceid} | Supported |
| CreateGCJob | Create GC Job | Resource level | qcs::tcr:${Region}:uin/:instance/${RegistryId} | Supported |
| CreateHelmChart | Create Helm Chart | Resource level | qcs::tcr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname | not supported |
| CreateImageAccelerateService | Create an image acceleration service | Resource level | qcs::tcr:${region}:uin/${uin}:instance/${RegistryId} | Supported |
| CreateImageAccelerationService | Create Image Acceleration Service | Resource level | qcs::tcr:${Region}:uin/:instance/${RegistryId} | Supported |
| CreateImageLifecyclePersonal | CreateImageLifecyclePersonal | Resource level | qcs::tcr:${region}:uin/${uin}:repo/${RepoName} | Supported |
| CreateImmutableTagRules | CreateImmutable Tag Rule | Resource level | qcs::tcr:${Region}:uin/:instance/${RegistryId} | Supported |
| CreateInstance | Create Enterprise Registry Instance | Resource level | qcs::tcr:$regionid:$accountid:instance/$instanceid | not supported |
| CreateInstanceCustomizedDomain | Create Instance Customized Domain | Resource level | qcs::tcr:${region}:uin/${uin}:instance/${RegistryId} qcs::ssl::uin/${uin}:certificate/${CertificateId} |
Supported |
| CreateInternalEndpointDns | CreateInternalEndpointDns | Resource level | qcs::tcr:$regionid:$accountid:instance/$instanceid | Supported |
| CreateMultipleSecurityPolicy | CreateMultipleSecurityPolicy | Resource level | qcs::tcr:${region}:uin/${uin}:instance/${instanceid} | Supported |
| CreateNamespacePersonal | Create Namespace Personal | Resource level | qcs::tcr:${Region}:uin/:repo/${Namespace} | Supported |
| CreateReplicationInstance | CreateReplicationInstance | Resource level | qcs::tcr:$regionid:$accountid:instance/$instanceid | Supported |
| CreateRepo | Create a shared image repository | Resource level | qcs::tcr:${region}:uin/${uin}:repo/${Reponame} | Supported |
| CreateRepositoryPersonal | Create Repository Personal | Resource level | qcs::tcr:${Region}:uin/:repo/${RepoName} | Supported |
| CreateServiceAccount | create service account | Resource level | qcs::tcr:${region}:uin/${uin}:instance/${RegistryId} | Supported |
| CreateSignature | Create Signature | Resource level | qcs::tcr:${region}:uin/${uin}:repository/$instanceid/$namespacename/$repositoryname | not supported |
| CreateTagRetentionRule | Create Tag RetentionRule | Resource level | qcs::tcr::uin/${uin}:repository/${RegistryId}/${NamespaceName}/* | not supported |
| CreateUserPersonal | Create CCR User | Operation level | * | Supported |
| CreateWebhookTriggerPersonal | CreateWebhookTriggerPersonal | Operation level | * | not supported |
| DeleteApplicationTriggerPersonal | delete application trigger | Operation level | * | Supported |
| DeleteCustomAccount | delete custom account | Resource level | qcs::tcr:${region}:uin/${uin}:instance/${instanceid} | Supported |
| DeleteHelmChart | delete helm chart | Resource level | qcs::tcr::uin/${uin}:repository/${RegistryId}/${NamespaceName}/${RepositoryName} | not supported |
| DeleteImageAccelerateService | delete image accelerate service | Resource level | qcs::tcr:${Region}:uin/:instance/${InstanceId} | Supported |
| DeleteImageLifecycleGlobalPersonal | Delete global image tag lifecycle strategy | Resource level | qcs::tcr:$regionid:$accountid:repo/* | Supported |
| DeleteImageLifecyclePersonal | DeleteImageLifecyclePersonal | Resource level | qcs::${ApiModule}:${Region}:uin/:repo/${RepoName} | Supported |
| DeleteImagePersonal | Delete Image Personal | Resource level | qcs::tcr:${Region}:uin/:repo/${Reponame}/${Tag} | Supported |
| DeleteImmutableTagRules | DeleteImmutable Tag Rule | Resource level | qcs::tcr:${Region}:uin/:instance/${RegistryId} | Supported |
| DeleteInstance | DeleteI instance | Resource level | qcs::tcr:$regionid:$accountid:instance/$instanceid | Supported |
| DeleteInstanceCustomizedDomain | Delete Instance Customized Domain | Resource level | qcs::tcr:$regionid:$accountid:instance/$instanceid | Supported |
| DeleteInstanceToken | Delete Instance Token | Resource level | qcs::tcr:${Region}:uin/:instance/${RegistryId} | Supported |
| DeleteInternalEndpointDns | DeleteInternalEndpointDns | Resource level | qcs::tcr:$regionid:$accountid:instance/$instanceid | Supported |
| DeleteMultipleSecurityPolicy | DeleteMultipleSecurityPolicy | Resource level | qcs::tcr:${region}:uin/${uin}:instance/${instanceId} | Supported |
| DeleteNamespacePersonal | Delete Namespace Personal | Resource level | qcs::tcr:${Region}:uin/:repo/${Namespace} | Supported |
| DeleteReplicationInstance | DeleteReplicationInstance | Resource level | qcs::tcr:$regionid:$accountid:instance/$instanceid | Supported |
| DeleteRepository | delete image repository | Resource level | qcs::tcr::uin/${uin}:repository/${RegistryId}/${NamespaceName}/${RepositoryName} | not supported |
| DeleteRepositoryPersonal | Delete Repository Personal | Resource level | qcs::tcr:${Region}:uin/:repo/${Reponame} | Supported |
| DeleteSecurityPolicy | Delete Security Policy | Resource level | qcs::tcr:$regionid:$accountid:instance/$instanceid | Supported |
| DeleteServiceAccount | delete service account | Resource level | qcs::tcr:${region}:uin/${uin}:instance/${RegistryId} | Supported |
| DeleteTagRetentionRule | Delete Tag RetentionRule | Operation level | * | not supported |
| DeleteWebhookTrigger | Deleting a Webhook Trigger | Resource level | qcs::tcr::uin/${uin}:repository/${RegistryId}/${NamespaceName}/* | not supported |
| DeleteWebhookTriggerPersonal | DeleteWebhookTriggerPersonal | Operation level | * | not supported |
| DuplicateImagePersonal | DuplicateImagePersonal | Resource level | qcs::${ApiModule}:${Region}:uin/:repo/* | Supported |
| ManageImageLifecycleGlobalPersonal | Set global image tag lifecycle strategy | Resource level | qcs::tcr:$regionid:$accountid:repo/* | Supported |
| ModifyApplicationTriggerPersonal | ModifyApplicationTriggerPersonal | Operation level | * | Supported |
| ModifyCustomAccount | update properties of custom account | Resource level | qcs::tcr:${region}:uin/${uin}:instance/${instanceid} | Supported |
| ModifyImmutableTagRules | ModifyImmutable Tag Rules | Resource level | qcs::tcr:${Region}:uin/:instance/${RegistryId} | Supported |
| ModifyInstance | Modify Instance | Resource level | qcs::tcr:$regionid:$accountid:instance/* | Supported |
| ModifyInstanceToken | Modify Instance Token | Resource level | qcs::tcr:${Region}:uin/:instance/${RegistryId} | Supported |
| ModifyInstanceTokenValidTime | Modify Instance Token Valid Time | Resource level | qcs::tcr:$regionid:$accountid:instance/$instanceid | not supported |
| ModifyNamespace | Update namespace information | Resource level | qcs::tcr::uin/${uin}:repository/${RegistryId}/${NamespaceName}/* | not supported |
| ModifyRepository | Update image repository | Resource level | qcs::tcr::uin/${uin}:repository/${RegistryId}/${NamespaceName}/${RepositoryName} | not supported |
| ModifyRepositoryAccessPersonal | ModifyRepositoryAccessPersonal | Resource level | qcs::${ApiModule}:${Region}:uin/:repo/${RepoName} | Supported |
| ModifyRepositoryInfoPersonal | modify repo info personal | Operation level | * | Supported |
| ModifyServiceAccount | update properties of service account | Resource level | qcs::tcr:${region}:uin/${uin}:instance/${RegistryId} | Supported |
| ModifyTagRetentionRule | Modify Tag RetentionRule | Operation level | * | not supported |
| ModifyUserPasswordPersonal | Modify CCR Password | Operation level | * | Supported |
| ModifyWebhookTrigger | Update Webhook Trigger | Resource level | qcs::tcr::uin/${uin}:repository/${RegistryId}/${NamespaceName}/* | not supported |
| PushRepository | Push Repository | Resource level | qcs::tcr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname | not supported |
| PushRepositoryPersonal | Push Repository Personal | Resource level | qcs::tcr:${Region}:uin/:repo/${RepoName} | not supported |
| RenewInstance | Renewal of prepaid instances supports pay-as-you-go subscriptions to yearly and monthly subscriptions during the same period | Resource level | qcs::tcr:${Region}:uin/:instance/${RegistryId} | Supported |
| UpdateApplicationTokenPermission | Update Application Token Read Write Permission | Operation level | * | not supported |
| UpdateApplicationTokenPermissionPersonal | Update Application Token Read Write Permission | Operation level | * | Supported |
| UpdateApplicationTokenPersonal | Update Application Token | Operation level | * | Supported |
Other Operations
| API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction |
|---|---|---|---|---|
| CheckInstanceCustomizedDomains | Check the custom domain name registration status | Operation level | * | not supported |
Read operations
| API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction |
|---|---|---|---|---|
| CheckInstanceName | Check whether the instance name to be created conforms to the specification | Operation level | * | not supported |
| CreateInstanceToken | Operation level | * | Supported | |
| CreateNamespace | create namespace | Resource level | qcs::tcr:${Region}:uin/${Uin}:repository/${RegistryId}/* | not supported |
| CreateRepository | create image repository | Resource level | qcs::tcr:${Region}:uin/${Uin}:repository/${RegistryId}/${NamespaceName}/${RepositoryName} | not supported |
| CreateSecurityPolicy | Operation level | * | Supported | |
| CreateWebhookTrigger | Operation level | * | Supported | |
| DeleteNamespace | delete namespace | Resource level | qcs::tcr:${Region}:uin/${Uin}:repository/${RegistryId}/${NamespaceName}/* | not supported |
| DescribeApplicationTokenPersonal | Describe Application Token | Operation level | * | Supported |
| DescribeApplicationTriggerLogPersonal | describe application trigger | Operation level | * | Supported |
| DescribeApplicationTriggerPersonal | DescribeApplicationTriggerPersonal | Operation level | * | Supported |
| DescribeChartDownloadInfo | DescribeChartDownloadInfo | Resource level | qcs::tcr:$regionid:$accountid:instance/$instanceid | Supported |
| DescribeChartUploadInfo | DescribeChartUploadInfo | Resource level | qcs::tcr:$regionid:$accountid:instance/$instanceid | Supported |
| DescribeCosInfo | Describe Cos Info | Resource level | qcs::tcr:$regionid:$accountid:instance/${instanceid} | not supported |
| DescribeCustomAccounts | describe custom accounts | Resource level | qcs::tcr:${region}:uin/${uin}:instance/${instanceid} | Supported |
| DescribeDockerHubImagePersonal | DescribeDockerHubImagePersonal | Operation level | * | Supported |
| DescribeDockerHubRepositoryInfoPersonal | DescribeDockerHubRepositoryInfoPersonal | Operation level | * | Supported |
| DescribeDockerHubRepositoryPersonal | DescribeDockerHubRepositoryPersonal | Operation level | * | Supported |
| DescribeExternalEndpointStatus | Describe External Endpoint Status | Resource level | qcs::tcr:$regionid:$accountid:instance/$instanceid | Supported |
| DescribeFavorRepositoryPersonal | DescribeFavorRepositoryPersonal | Operation level | * | Supported |
| DescribeGCJobs | Describe GC Latest 10 Jobs | Resource level | qcs::tcr:${Region}:uin/:instance/${RegistryId} | Supported |
| DescribeHelmCharts | Describe Helm Charts | Resource level | qcs::tcr:$regionid:$accountid:repository/$instanceid/$namespacename/* | not supported |
| DescribeImageAccelerateService | describe image accelerate service | Resource level | qcs::tcr:${Region}:uin/:instance/${RegistryId} | Supported |
| DescribeImageConfigPersonal | DescribeImageConfigPersonal | Operation level | * | Supported |
| DescribeImageFilterPersonal | DescribeImageFilterPersonal | Operation level | * | Supported |
| DescribeImageLifecycleGlobalPersonal | Describe Image Lifecycle Global Personal | Operation level | * | Supported |
| DescribeImageLifecyclePersonal | DescribeImageLifecyclePersonal | Operation level | * | Supported |
| DescribeImageManifests | describe image manifests info | Resource level | qcs::tcr:${Region}:uin/${Uin}:repository/${RegistryId}/${NamespaceName}/${RepositoryName} | not supported |
| DescribeImagePersonal | Used to get the personal version of the mirror warehouse tag list | Operation level | * | Supported |
| DescribeImageVulnerabilityDetails | Query scanned image vulnerability information based on the image version | Resource level | qcs::tcr:${region}:uin/${uin}:instance/${RegistryId} | Supported |
| DescribeImages | Query list or specify container list information | Resource level | qcs::tcr:${Region}:uin/${Uin}:repository/${RegistryId}/${NamespaceName}/${RepositoryName} | not supported |
| DescribeImmutableTagRules | DescribeImmutable Tag Rules | Resource level | qcs::tcr:${Region}:uin/:instance/${RegistryId} | Supported |
| DescribeInstanceAllForCoding | Coding only - query all instance information | Operation level | * | not supported |
| DescribeInstanceInspection | Get instance inspection result information | Resource level | qcs::tcr:${region}:uin/${uin}:instance/* | Supported |
| DescribeInstanceStatus | Operation level | * | Supported | |
| DescribeInstanceToken | Operation level | * | Supported | |
| DescribeInstances | Describe Instances | Operation level | * | Supported |
| DescribeInternalEndpoints | Describe Internal Endpoints | Resource level | qcs::tcr:$regionid:$accountid:instance/$instanceid | Supported |
| DescribeNamespacePersonal | DescribeNamespacePersonal | Operation level | * | Supported |
| DescribeNamespaces | describe namespace info | Resource level | qcs::tcr:${Region}:uin/${Uin}:repository/${RegistryId}/* | not supported |
| DescribeReplication | Describe Replication | Resource level | qcs::tcr:$regionid:$accountid:instance/$instanceid | not supported |
| DescribeReplicationExecutions | Instance synchronization/instance replication policy execution record list | Resource level | qcs::tcr:${region}:uin/${uin}:instance/${RegistryId} | Supported |
| DescribeReplicationInstanceCreateTasks | DescribeReplicationInstanceCreateTasks | Resource level | qcs::tcr:$regionid:$accountid:instance/$instanceid | Supported |
| DescribeReplicationInstanceSyncStatus | DescribeReplicationInstanceSyncStatus | Resource level | qcs::tcr:$regionid:$accountid:instance/$instanceid | Supported |
| DescribeReplicationPolicies | Get the list of instance synchronization rules | Resource level | qcs::tcr:${region}:uin/${uin}:instance/${RegistryId} | Supported |
| DescribeReplicationTasks | Instance synchronization/instance replication execution task list | Resource level | qcs::tcr:${region}:uin/${uin}:instance/${RegistryId} | Supported |
| DescribeRepositories | describe instance repositories | Resource level | qcs::tcr:${Region}:uin/${Uin}:repository/${RegistryId}/${NamespaceName}/${RepositoryName} | not supported |
| DescribeRepositoryAllPersonal | DescribeRepositoryAllPersonal | Operation level | * | Supported |
| DescribeRepositoryFilterPersonal | DescribeRepositoryFilterPersonal | Operation level | * | Supported |
| DescribeRepositoryOwnerPersonal | Describe Repository Owner Personal | Operation level | * | not supported |
| DescribeRepositoryPersonal | DescribeRepositoryPersonal | Operation level | * | Supported |
| DescribeSecurityPolicies | Operation level | * | Supported | |
| DescribeServiceAccounts | describe service accounts | Resource level | qcs::tcr:${region}:uin/${uin}:instance/${RegistryId} | Supported |
| DescribeSourceCodeAuthPersonal | DescribeSourceCodeAuthPersonal | Operation level | * | not supported |
| DescribeSystemInfo | return the system information of tcr instance | Resource level | qcs::tcr:${Region}:uin/:instance/${RegistryId} | Supported |
| DescribeTagRetentionExecutionTask | Query version retains execution tasks | Resource level | qcs::tcr:${Region}:uin/${Uin}:repository/${RegistryId}/${NamespaceName}/* | not supported |
| DescribeTagRetentionRuleLog | Describe Tag RetentionRuleLog | Resource level | qcs::tcr::uin/${uin}:repository/${RegistryId}/${NamespaceName}/* | not supported |
| DescribeTagRetentionRules | Describe Tag RetentionRules | Resource level | qcs::tcr:${Region}:uin/${Uin}:repository/${RegistryId}/* | not supported |
| DescribeUserPersonal | DescribeUserPersonal | Operation level | * | Supported |
| DescribeUserQuotaPersonal | DescribeUserQuotaPersonal | Operation level | * | Supported |
| DescribeWebhookTrigger | Query Webhook Trigger | Resource level | qcs::tcr::uin/${uin}:repository/${RegistryId}/${NamespaceName}/* | not supported |
| DescribeWebhookTriggerLog | query Webhook consumption logs | Resource level | qcs::tcr:${Region}:uin/${Uin}:repository/${RegistryId}/${Namespace}/* | not supported |
| DownloadHelmChart | Download Helm Chart | Resource level | qcs::tcr:${Region}:uin/${Uin}:repository/${RegistryId}/${NamespaceName}/${ChartName} | not supported |
| ListChartRelease | Query the Chart version list | Resource level | qcs::tcr::uin/${uin}:repository/${RegistryId}/${NameSpaceName}/${RepositoryName} | not supported |
| ManageExternalEndpoint | Operation level | * | Supported | |
| ManageInternalEndpoint | Manage instance intranet access VPC link | Resource level | qcs::tcr:${region}:uin/${uin}:instance/${RegistryId} qcs::vpc:${region}:uin/${uin}:subnet/${subnetId} |
Supported |
| ManageReplication | Operation level | * | Supported | |
| ModifySecurityPolicy | Operation level | * | Supported | |
| PullRepository | Pull Repository | Resource level | qcs::tcr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname | not supported |
| PullRepositoryPersonal | Pull Repository Personal | Resource level | qcs::tcr:${Region}:uin/:repo/${RepoName} | not supported |
| ValidateApplicationTokenPersonal | Validate Application Token | Operation level | * | not supported |
| ValidateNamespaceExistPersonal | ValidateNamespaceExistPersonal | Operation level | * | Supported |
| ValidateRepositoryExistPersonal | ValidateRepositoryExistPersonal | Operation level | * | Supported |
| ValidateUserPersonal | ValidateUserPersonal | Operation level | * | Supported |
List Operations
| API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction |
|---|---|---|---|---|
| DescribeInstanceCustomizedDomain | Describe Instance Customized Domain | Resource level | qcs::tcr:$regionid:$accountid:instance/$RegistryId | Supported |
| DescribeInternalEndpointDnsStatus | DescribeInternalEndpointDnsStatus | Resource level | qcs::tcr:$regionid:$accountid:instance/* | Supported |
| DescribeReplicationInstances | DescribeReplicationInstances | Resource level | qcs::tcr:$regionid:$accountid:instance/$instanceid | Supported |
| DescribeWebhookTriggerPersonal | DescribeWebhookTriggerPersonal | Operation level | * | Supported |
Was this page helpful?
You can also Contact Sales or Submit a Ticket for help.
Yes
No