Oracle Cloud Infrastructure Documentation

Details for Container Registry

This topic covers details for writing policies to control access to Oracle Cloud Infrastructure Registry (also known as Container Registry).

Resource-Types

  • repos

Supported Variables

Oracle Cloud Infrastructure Registry supports all the general variables (see General Variables for All Requests), plus the ones listed here.

The repos resource-type can use the following variables:

Variable Variable Type Comments
target.repo.name String Use this variable to control access to specific repositories. For an example policy, see Policies to Control Repository Access.

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read verb for the repos resource-type includes the same permissions and API operations as the inspect verb, plus the REPOSITORY_READ permission and a number of API operations (e.g., GetContainerRepository, etc.). The use verb covers still another permission and API operation compared to read. Lastly, manage covers more permissions and operations compared to use.

repos

Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect

REPOSITORY_INSPECT

ListContainerRepositories

ListContainerImages

ListContainerImageSignatures

GetContainerConfiguration

none
read

INSPECT +

REPOSITORY_READ

GetContainerRepository

GetContainerImage

GetContainerImageSignature

none
use

no extra

none
manage

USE +

REPOSITORY_CREATE

REPOSITORY_DELETE

REPOSITORY_UPDATE

REPOSITORY_MANAGE

CreateContainerRepository

DeleteContainerRepository

DeleteContainerImage

RestoreContainerImage

CreateContainerImageSignature

DeleteContainerImageSignature

RemoveContainerVersion

UpdateContainerRepository

ChangeContainerRepositoryCompartment

UpdateContainerConfiguration

none

Permissions Required for Each API Operation

The following table lists the API operations in a logical order, grouped by resource type.

For information about permissions, see Permissions.

API Operation Permissions Required to Use the Operation
ListContainerRepositories REPOSITORY_INSPECT
CreateContainerRepository REPOSITORY_CREATE
GetContainerRepository REPOSITORY_READ
UpdateContainerRepository REPOSITORY_MANAGE
DeleteContainerRepository REPOSITORY_DELETE
ChangeContainerRepositoryCompartment REPOSITORY_MANAGE
ListContainerImages REPOSITORY_INSPECT
GetContainerImage REPOSITORY_READ
DeleteContainerImage REPOSITORY_UPDATE
RestoreContainerImage REPOSITORY_UPDATE
RemoveContainerVersion REPOSITORY_UPDATE
ListContainerImageSignatures REPOSITORY_INSPECT
GetContainerImageSignature REPOSITORY_READ
CreateContainerImageSignature REPOSITORY_MANAGE
DeleteContainerImageSignature REPOSITORY_MANAGE
GetContainerConfiguration REPOSITORY_INSPECT
UpdateContainerConfiguration REPOSITORY_MANAGE