Example of Registry and Repository Policies
After you create the Samsung Cloud Platform Container Registry (hereinafter SCR) service, an endpoint is provided. The following example policies grant specific permissions for using SCR through that endpoint.
- On the IAM > Policy > Policy List page, you can create permission policies for registries and repositories, and view or edit existing policies.
- For detailed information on policy management, refer to Management > IAM > Policy in the Samsung Cloud Platform User Guide.
- For the permissions required to use Container Registry with the CLI, refer to Using Container Registry with the CLI.
Allow pulling all repository images created in all registries
If you apply the ScrPullOnlyAccess policy provided as an IAM default policy, you can grant IAM users and user groups permission to pull all repository images created in all registries within the account.
To allow pulling all repository images created in all registries, follow these steps.
- Click the All Services > Management > IAM menu. You are taken to the Service Home page of Identity and Access Management (IAM).
- On the Service Home page, click the Policy menu. You are taken to the Policy List page.
- On the Policy List page, select ScrPullOnlyAccess. You are taken to the Policy Details page.
- On the Policy Details page, select the Connected Targets tab.
- On the Connection Target tab page, connect the target to which you will grant permissions.
  - User: Click User Connection above the list to go to the User Connection page. Select the user to connect and click Done to complete the user connection.
  - User Group: Click User Group Link above the list to go to the User Group Link page. Select the user group to connect and click Done to complete the user group connection.
  - Role: Click Role Link above the list to go to the role link page. Select the role to connect and click Done to complete the role linking.
The ScrPullOnlyAccess policy consists of the following permissions.
- Permission to allow the LoginContainerRegistry Action required for Registry authentication
- Permission to allow the PullRepositoryImages action required for repository image pull
IP access control for SCR endpoints is provided via Private Endpoint Access Control and Public Endpoint Access Control on the Registry detail page.
- Note that if IP access control is used in the IAM policy for the SCR endpoint, you cannot use the Registry and Repository Images via the SCR endpoint.
- Set the IP access control entries to Applied IP: All IPs, Excluded IP: Not used.
Allow pulling and pushing all repository images created in all registries
If you apply the ScrPullPushOnlyAccess policy provided as an IAM default policy, you can grant IAM users and user groups permission to allow Pull and Push for all repository images created in all registries within the account.
To allow Pull and Push for all Repository Images created in all Registries, follow these steps.
- Click the All Services > Management > IAM menu. You are taken to the Service Home page of Identity and Access Management (IAM).
- On the Service Home page, click the Policy menu. You are taken to the Policy List page.
- On the Policy List page, select ScrPullPushOnlyAccess. You are taken to the Policy Details page.
- On the Policy Details page, select the Connection Targets tab.
- On the Connection Target tab page, connect the target to which you will grant permissions.
  - User: Click User Connection above the list to go to the User Connection page. Select the user to connect and click Done to complete the user connection.
  - User Group: Click User Group Link above the list to go to the User Group Link page. Select the user group to connect and click Done to complete the user group connection.
  - Role: Click Role Link above the list to go to the role link page. Select the role to connect and click Complete to complete the role connection.
The ScrPullPushOnlyAccess policy consists of the following permissions.
- Permission to allow the LoginContainerRegistry Action required for Registry authentication
- Permission to allow the PullRepositoryImages Action required for Repository Image Pull
- Permission to allow the PushRepositoryImages Action required for Push
IP access control for SCR endpoints is provided via Private Endpoint Access Control and Public Endpoint Access Control on the Registry detail page.
- Note that if IP access control is used in the IAM policy for the SCR endpoint, you cannot use the Registry and Repository Images via the SCR endpoint.
- Set the IP access control entries to Applied IP: All IPs, Excluded IP: Not used.
Allow pulling all repository images created in a specific registry
By applying the ScrPullOnlyAccess policy provided as an IAM default policy, you can create a policy that allows only Pull for all repository images created in a specific Registry.
To create a pull permission policy for all repository images created in a specific registry, follow these steps.
- Click the All Services > Management > IAM menu. You are taken to the Service Home page of Identity and Access Management (IAM).
- On the Service Home page, click the Policy menu. You are taken to the Policy List page.
- On the Policy List page, click Create Policy.
- On the Policy Creation page, enter the Basic Information Input fields and click Next.
- On the Permission Settings page, click Load Policy.
- In the Load Policy window's list, select ScrPullOnlyAccess and click OK.
- On the Permission Settings page, select Individual Resource for the Applied Resources item.
- Click Add Resource in the applied resource list.
- In the Add Resource window, select container-registy from the resource type list.
- In the resource detail list, check the registry resource you want to add, then click Confirm.
- Check the individual resources you added in the applied resources list and click Next.
- Check the input information and click Create. Policy creation is complete.
The ScrPullOnlyAccess policy consists of the following permissions.
- Permission to allow the LoginContainerRegistry Action required for Registry authentication
- Permission to allow the PullRepositoryImages action required for repository image pull
IP access control for SCR endpoints is provided via Private Endpoint Access Control and Public Endpoint Access Control on the Registry detail page.
- Note that if you use IP access control when creating an IAM policy for using the SCR endpoint, you cannot use the Registry and Repository Images through the SCR endpoint.
- Set the IP access control entries to Applied IP: All IPs, Excluded IP: Not used.
Allow Image Pull and Push for a Specific Repository Created in a Specific Registry
If you apply the ScrPullPushOnlyAccess policy provided as a default IAM policy, you can create a policy that allows Pull and Push for a specific repository image created in a particular registry.
To create a policy that allows Pull and Push for a specific Repository Image created in a specific Registry, follow these steps.
- Click the All Services > Management > IAM menu. You are taken to the Service Home page of Identity and Access Management (IAM).
- On the Service Home page, click the Policy menu. You are taken to the Policy List page.
- On the Policy List page, click Create Policy.
- On the Policy List page, enter the items of Basic Information Input and click Next.
- On the Permission Settings page, click Load Policy.
- In the Load Policy window’s list, select ScrPullPushOnlyAccess and click OK.
- On the Permission Settings page, select Individual Resource for the Applied Resources item.
- Click Add Resource in the applied resource list.
- In the Add Resource dialog, select the following items.
  - Select container-registy from the resource type list. In the resource detail list, check the registry resource to add, then click Confirm.
  - Select the repository from the resource type list. In the resource detail list, check the repository resource to add, then click Confirm.
- Verify the individual resources you added in the applied resource list and click Next.
- Check the input information and click Create. Policy creation is complete.
The ScrPullPushOnlyAccess policy consists of the following permissions.
- Permission to allow the LoginContainerRegistry Action required for Registry authentication
- Permission to allow the PullRepositoryImages action required for repository image pull
- Permission to allow the PushRepositoryImages Action required for Push
IP access control for SCR endpoints is provided via Private Endpoint Access Control and Public Endpoint Access Control on the Registry detail page.
- Note that if you use IP access control when creating an IAM policy for using the SCR endpoint, you cannot use the Registry and Repository Images through the SCR endpoint.
- Set the IP access control entries to Applied IP: All IPs, Excluded IP: Not used.