Artifact Registry IAM Policies

Create IAM policies to control who has access to Artifact Registry resources, and to control the type of access for each group of users.

By default, only users in the Administrators group have access to all Artifact Registry resources. If you are new to IAM policies, see Getting Started with Policies.

For a complete list of all policies in Oracle Cloud Infrastructure, see the Policy Reference.

Resource-Types

The following resource types are related to Artifact Registry.

To assign permissions to all Artifact Registry resources, use the aggregate type:

  • all-artifacts

To assign permissions to individual resource types:

  • artifact-repositories
  • generic-artifacts

A policy that uses <verb> all-artifacts is equivalent to writing a policy with a separate <verb> <resource-type> statement for each of the individual resource types.

Note

The aggregate resource type all-artifacts covers four resources. Two of these resources belong to Artifact Registry.

all-artifacts:

  • artifact-repositories (Artifact Registry)
  • generic-artifacts (Artifact Registry)
  • instance-images (Compute)
  • repos (Container Registry)

For details on Artifact Registry policies, continue to the next topics. For other services:

Details for Verb + Resource-Type Combinations

Identify the permissions and API operations covered by each verb for Artifact Registry resources.

The level of access is cumulative as you go from inspect to read to use to manage.

A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell.

artifact-repositories

This table lists the permissions and the APIs that are fully covered by that permission, for the artifact-repositories resource.

The artifact-repositories resource has no API that requires more than one permission.

| Verbs | Permissions | APIs Fully Covered |
|---|---|---|
| inspect | ARTIFACT_REPOSITORY_INSPECT | ListRepositories |
| read | inspect+, ARTIFACT_REPOSITORY_READ | inspect+, GetRepository |
| use | read+, ARTIFACT_REPOSITORY_UPDATE | read+, UpdateRepository |
| manage | use+, ARTIFACT_REPOSITORY_CREATE, ARTIFACT_REPOSITORY_DELETE, ARTIFACT_REPOSITORY_MOVE | use+, CreateRepository, DeleteRepository, ChangeRepositoryCompartment |

generic-artifacts

This table lists the permissions and the APIs that are fully covered by that permission, for the generic-artifacts resource.

The generic-artifacts resource has no API that requires more than one permission.

| Verbs | Permissions | APIs Fully Covered |
|---|---|---|
| inspect | GENERIC_ARTIFACT_INSPECT | ListGenericArtifacts |
| read | inspect+, GENERIC_ARTIFACT_READ | inspect+, GetGenericArtifact, GetGenericArtifactContent, GetGenericArtifactByPath, GetGenericArtifactContentByPath |
| use | read+, GENERIC_ARTIFACT_UPDATE | read+, UpdateGenericArtifact, UpdateGenericArtifactByPath |
| manage | use+, GENERIC_ARTIFACT_CREATE, GENERIC_ARTIFACT_DELETE | use+, PutGenericArtifactContentByPath, DeleteGenericArtifact, DeleteGenericArtifactByPath |

Permissions Required for Each API Operation

The following table lists the Artifact Registry API operations in a logical order, grouped by resource type.

For more information about permissions, see Permissions.

| API Operation | Permissions Required to Use the Operation |
|---|---|
| ListRepositories | ARTIFACT_REPOSITORY_INSPECT |
| CreateRepository | ARTIFACT_REPOSITORY_CREATE |
| DeleteRepository | ARTIFACT_REPOSITORY_DELETE |
| GetRepository | ARTIFACT_REPOSITORY_READ |
| UpdateRepository | ARTIFACT_REPOSITORY_UPDATE |
| ChangeRepositoryCompartment | ARTIFACT_REPOSITORY_MOVE |
| ListGenericArtifacts | GENERIC_ARTIFACT_INSPECT |
| DeleteGenericArtifact | GENERIC_ARTIFACT_DELETE |
| GetGenericArtifact | GENERIC_ARTIFACT_READ |
| UpdateGenericArtifact | GENERIC_ARTIFACT_UPDATE |
| GetGenericArtifactContent | GENERIC_ARTIFACT_READ |
| DeleteGenericArtifactByPath | GENERIC_ARTIFACT_DELETE |
| GetGenericArtifactByPath | GENERIC_ARTIFACT_READ |
| UpdateGenericArtifactByPath | GENERIC_ARTIFACT_UPDATE |
| GetGenericArtifactContentByPath | GENERIC_ARTIFACT_READ |
| PutGenericArtifactContentByPath | GENERIC_ARTIFACT_CREATE |

Policy Examples

Learn about Artifact Registry IAM policies using examples.

  • Allow users in the group RegistryAdmins to create, update, manage, and delete all Artifact Registry resources in the entire tenancy:

    Allow group RegistryAdmins to manage all-artifacts in tenancy
  • Allow users in the group RegistryAuditors to view repositories and their artifacts in the entire tenancy:

    Allow group RegistryAuditors to read all-artifacts in tenancy
  • Allow users in the group ArtifactAdmins to create, update, and delete generic artifacts in the compartment SalesApps:

    Allow group ArtifactAdmins to manage generic-artifacts in compartment SalesApps
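
When reviewing policies like the ones above, it helps to expand each statement into the exact permissions it grants and to flag where all-artifacts reaches beyond Artifact Registry. The following Python sketch is an added example, not Oracle code: it encodes the verb tables and the all-artifacts note from this page, and the names expand, ADDED, and OTHER_SERVICES are hypothetical. It assumes simple statements without conditions.

```python
import re

VERBS = ["inspect", "read", "use", "manage"]  # cumulative, weakest to strongest
# Permissions each verb adds over the previous one (from the tables on this page).
ADDED = {
    "artifact-repositories": {
        "inspect": ["ARTIFACT_REPOSITORY_INSPECT"],
        "read": ["ARTIFACT_REPOSITORY_READ"],
        "use": ["ARTIFACT_REPOSITORY_UPDATE"],
        "manage": ["ARTIFACT_REPOSITORY_CREATE", "ARTIFACT_REPOSITORY_DELETE",
                   "ARTIFACT_REPOSITORY_MOVE"],
    },
    "generic-artifacts": {
        "inspect": ["GENERIC_ARTIFACT_INSPECT"],
        "read": ["GENERIC_ARTIFACT_READ"],
        "use": ["GENERIC_ARTIFACT_UPDATE"],
        "manage": ["GENERIC_ARTIFACT_CREATE", "GENERIC_ARTIFACT_DELETE"],
    },
}
# all-artifacts members owned by other services (from the Note on this page).
OTHER_SERVICES = {"instance-images": "Compute", "repos": "Container Registry"}
# Assumption: only simple statements are handled; conditions ("where ...") are rejected.
STATEMENT = re.compile(
    r"^\s*Allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>\w+)\s+(?P<rtype>[\w-]+)"
    r"\s+in\s+(?P<scope>tenancy|compartment\s+\S+)\s*$", re.IGNORECASE)

def expand(statement):
    """Return the Artifact Registry permissions one policy statement grants."""
    m = STATEMENT.match(statement)
    if not m or m["verb"].lower() not in VERBS:
        raise ValueError(f"unsupported statement: {statement!r}")
    verb, rtype = m["verb"].lower(), m["rtype"].lower()
    if rtype == "all-artifacts":
        types, extra = list(ADDED), dict(OTHER_SERVICES)
    elif rtype in ADDED:
        types, extra = [rtype], {}
    else:
        raise ValueError(f"not an Artifact Registry resource type: {rtype}")
    levels = VERBS[:VERBS.index(verb) + 1]  # e.g. use -> inspect, read, use
    perms = [p for t in types for v in levels for p in ADDED[t][v]]
    return {"group": m["group"], "scope": m["scope"],
            "permissions": perms, "also_covers": extra}

if __name__ == "__main__":
    for line in [  # the three policy examples from this page
        "Allow group RegistryAdmins to manage all-artifacts in tenancy",
        "Allow group RegistryAuditors to read all-artifacts in tenancy",
        "Allow group ArtifactAdmins to manage generic-artifacts in compartment SalesApps",
    ]:
        print(expand(line))
```

A non-empty also_covers entry means the same statement also applies the verb to Compute instance images and Container Registry repos; see those services' policy details for what that grants.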