tencent cloud

Cloud Access Management

Product Introduction
CAM Overview
Features
Scenarios
Basic Concepts
Use Limits
User Types
Purchase Guide
Getting Started
Creating Admin User
Creating and Authorizing Sub-account
Logging In to Console with Sub-account
User Guide
Overview
Users
Access Key
User Groups
Role
Identity Provider
Policies
Permissions Boundary
Troubleshooting
Downloading Security Analysis Report
CAM-Enabled Role
Overview
Compute
Container
Microservice
Essential Storage Service
Data Process and Analysis
Data Migration
Relational Database
Enterprise Distributed DBMS
NoSQL Database
Database SaaS Tool
Database SaaS Service
Networking
CDN and Acceleration
Network Security
Data Security
Application Security
Domains & Websites
Big Data
Middleware
Interactive Video Services
Real-Time Interaction
Media On-Demand
Media Process Services
Media Process
Cloud Real-time Rendering
Game Services
Cloud Resource Management
Management and Audit Tools
Developer Tools
Monitor and Operation
More
CAM-Enabled API
Overview
Compute
Edge Computing
Container
Distributed cloud
Microservice
Serverless
Essential Storage Service
Data Process and Analysis
Data Migration
Relational Database
Enterprise Distributed DBMS
NoSQL Database
Database SaaS Tool
Networking
CDN and Acceleration
Network Security
Endpoint Security
Data Security
Business Security
Application Security
Domains & Websites
Office Collaboration
Big Data
Voice Technology
Image Creation
Tencent Big Model
AI Platform Service
Natural Language Processing
Optical Character Recognition
Middleware
Communication
Interactive Video Services
Real-Time Interaction
Stream Services
Media On-Demand
Media Process Services
Media Process
Cloud Real-time Rendering
Game Services
Education Sevices
Medical Services
Cloud Resource Management
Management and Audit Tools
Developer Tools
Monitor and Operation
More
Use Cases
Security Practical Tutorial
Multi-Identity Personnel Permission Management
Authorizing Certain Operations by Tag
Supporting Isolated Resource Access for Employees
Enterprise Multi-Account Permissions Management
Reviewing Employee Operation Records on Tencent Cloud
Implementing Attribute-Based Access Control for Employee Resource Permissions Management
During tag-based authentication, only tag key matching is supported
Business Use Cases
TencentDB for MySQL
CLB
CMQ
COS
CVM
VPC
VOD
Others
API Documentation
History
Introduction
API Category
Making API Requests
User APIs
Policy APIs
Role APIs
Identity Provider APIs
Data Types
Error Codes
FAQs
Role
Key
Others
CAM Users and Permissions
Glossary
DocumentationCloud Access ManagementCAM-Enabled APIContainerTencent Container Registry

Tencent Container Registry

PDF
Focus Mode
Font Size
Last updated: 2026-03-28 09:26:10

Fundamental information

Product Abbreviation in CAM Console Authorization by Tag Authorization Granularity IP Restriction
Tencent Container Registry tcr Supported Supported Resource level Partially supported

Note:

The authorization granularity of cloud products is divided into three levels: service level, operation level, and resource level, based on the degree of granularity.

  • Service level: It defines whether a user has the permission to access the service as a whole. A user can have either full access or no access to the service. For the authorization granularity of cloud products at service level, the authorization of specific APIs are not supported.
  • Operation level: It defines whether a user has the permission to call a specific API of the service. For example, granting an account read-only access to the CVM service is an authorization at the operation level.
  • Resource level: It is the finest authorization granularity which defines whether a user has the permission to access specific resources. For example, granting an account read/write access to a specific CVM instance is an authorization at the resource level.

API authorization granularity

Two authorization granularity levels of API are supported: resource level, and operation level.

  • Resource level: It supports the authorization of a specific resource.
  • Operation level: It does not support the authorization of a specific resource. If the policy syntax restricts a specific resource during authorization, CAM will determine that this API is not within the scope of authorization, and deem it as unauthorized.

Write operations

API API Description Authorization Granularity Six-segment Resource Description IP Restriction
AuthorizeUserImageBuildConfig add coding certification Operation level * not supported
BatchDeleteImagePersonal Batch Delete Image Personal Resource level qcs::tcr:${Region}:uin/:repo/${Reponame}/${Tags} Supported
BatchDeleteRepositoryPersonal Batch Delete Repository Personal Resource level qcs::${ApiModule}:${Region}:uin/:repo/${RepoNames} Supported
CreateApplicationTokenPersonal Create Application Token Operation level * Supported
CreateApplicationTriggerPersonal create application trigger personal Operation level * Supported
CreateGCJob Create GC Job Resource level qcs::tcr:${Region}:uin/:instance/${RegistryId} Supported
CreateHelmChart Create Helm Chart Resource level qcs::tcr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname not supported
CreateImageAccelerateService Create an image acceleration service Resource level qcs::tcr:${region}:uin/${uin}:instance/${RegistryId} Supported
CreateImageAccelerationService Create Image Acceleration Service Resource level qcs::tcr:${Region}:uin/:instance/${RegistryId} Supported
CreateImmutableTagRules CreateImmutable Tag Rule Resource level qcs::tcr:${Region}:uin/:instance/${RegistryId} Supported
CreateInstance Create Enterprise Registry Instance Resource level qcs::tcr:$regionid:$accountid:instance/$instanceid not supported
CreateInstanceCustomizedDomain Create Instance Customized Domain Resource level qcs::tcr:${region}:uin/${uin}:instance/${RegistryId}
qcs::ssl::uin/${uin}:certificate/${CertificateId}		 Supported
CreateInstanceToken CreateInstanceToken Resource level qcs::tcr:${Region}:uin/:instance/${RegistryId} Supported
CreateInternalEndpointDns CreateInternalEndpointDns Resource level qcs::tcr:$regionid:$accountid:instance/$instanceid Supported
CreateMultipleSecurityPolicy CreateMultipleSecurityPolicy Resource level qcs::tcr:${region}:uin/${uin}:instance/${instanceid} Supported
CreateNamespace create namespace Resource level qcs::tcr:${Region}:uin/${Uin}:repository/${RegistryId}/* not supported
CreateNamespacePersonal Create Namespace Personal Resource level qcs::tcr:${Region}:uin/:repo/${Namespace} Supported
CreateReplicationInstance CreateReplicationInstance Resource level qcs::tcr:$regionid:$accountid:instance/$instanceid Supported
CreateRepo Create a shared image repository Resource level qcs::tcr:${region}:uin/${uin}:repo/${Reponame} Supported
CreateRepository create image repository Resource level qcs::tcr:${Region}:uin/${Uin}:repository/${RegistryId}/${NamespaceName}/${RepositoryName} not supported
CreateRepositoryPersonal Create Repository Personal Resource level qcs::tcr:${Region}:uin/:repo/${RepoName} Supported
CreateSecurityPolicy Create a whitelist policy for public network access to an instance Resource level qcs::tcr::uin/${uin}:instance/${RegistryId} Supported
CreateServiceAccount create service account Resource level qcs::tcr:${region}:uin/${uin}:instance/${RegistryId} Supported
CreateSignature Create Signature Resource level qcs::tcr:${region}:uin/${uin}:repository/$instanceid/$namespacename/$repositoryname not supported
CreateTagRetentionRule Create Tag RetentionRule Resource level qcs::tcr::uin/${uin}:repository/${RegistryId}/${NamespaceName}/* not supported
CreateUserPersonal Create CCR User Operation level * Supported
CreateWebhookTrigger CreateWebhookTrigger Resource level qcs::tcr:${Region}:uin/:instance/${RegistryId} Supported
CreateWebhookTriggerPersonal CreateWebhookTriggerPersonal Operation level * not supported
DeleteAIModel DeleteAIModel Operation level * not supported
DeleteApplicationTriggerPersonal delete application trigger Operation level * Supported
DeleteImageAccelerateService delete image accelerate service Resource level qcs::tcr:${Region}:uin/:instance/${InstanceId} Supported
DeleteImageLifecycleGlobalPersonal Delete global image tag lifecycle strategy Operation level * Supported
DeleteImagePersonal Delete Image Personal Resource level qcs::tcr:${Region}:uin/:repo/${Reponame}/${Tag} Supported
DeleteImmutableTagRules DeleteImmutable Tag Rule Resource level qcs::tcr:${Region}:uin/:instance/${RegistryId} Supported
DeleteInstance DeleteI instance Resource level qcs::tcr:$regionid:$accountid:instance/$instanceid Supported
DeleteInstanceCustomizedDomain Delete Instance Customized Domain Operation level * Supported
DeleteInstanceToken Delete Instance Token Resource level qcs::tcr:${Region}:uin/:instance/${RegistryId} Supported
DeleteInternalEndpointDns DeleteInternalEndpointDns Resource level qcs::tcr:$regionid:$accountid:instance/$instanceid Supported
DeleteMultipleSecurityPolicy DeleteMultipleSecurityPolicy Resource level qcs::tcr:${region}:uin/${uin}:instance/${instanceId} Supported
DeleteNamespace delete namespace Resource level qcs::tcr:${Region}:uin/${Uin}:repository/${RegistryId}/${NamespaceName}/* not supported
DeleteNamespacePersonal Delete Namespace Personal Resource level qcs::tcr:${Region}:uin/:repo/${Namespace} Supported
DeleteReplicationInstance DeleteReplicationInstance Resource level qcs::tcr:$regionid:$accountid:instance/$instanceid Supported
DeleteRepository delete image repository Resource level qcs::tcr::uin/${uin}:repository/${RegistryId}/${NamespaceName}/${RepositoryName} not supported
DeleteRepositoryPersonal Delete Repository Personal Resource level qcs::tcr:${Region}:uin/:repo/${Reponame} Supported
DeleteSecurityPolicy Delete Security Policy Resource level qcs::tcr:$regionid:$accountid:instance/$instanceid Supported
DeleteServiceAccount delete service account Resource level qcs::tcr:${region}:uin/${uin}:instance/${RegistryId} Supported
DeleteSkill DeleteSkill Operation level * not supported
DeleteTagRetentionRule Delete Tag RetentionRule Resource level qcs::tcr::uin/${uin}:repository/${RegistryId}/${NamespaceName}/* not supported
DeleteWebhookTrigger Deleting a Webhook Trigger Resource level qcs::tcr::uin/${uin}:repository/${RegistryId}/${NamespaceName}/* not supported
DeleteWebhookTriggerPersonal DeleteWebhookTriggerPersonal Operation level * not supported
DownloadHelmChart Download Helm Chart Resource level qcs::tcr:${Region}:uin/${Uin}:repository/${RegistryId}/${NamespaceName}/${ChartName} not supported
DuplicateImagePersonal DuplicateImagePersonal Operation level * Supported
ManageExternalEndpoint Managing instance public network access Resource level qcs::tcr::uin/${uin}:instance/${RegistryId} Supported
ManageImageLifecycleGlobalPersonal Set global image tag lifecycle strategy Operation level * Supported
ManageInternalEndpoint Manage instance intranet access VPC link Resource level qcs::tcr:${region}:uin/${uin}:instance/${RegistryId}
qcs::vpc:${region}:uin/${uin}:subnet/${subnetId}		 Supported
ManageReplication Manage instance synchronization Resource level qcs::tcr::uin/${uin}:instance/${SourceRegistryId} Supported
ModifyApplicationTriggerPersonal ModifyApplicationTriggerPersonal Operation level * Supported
ModifyImmutableTagRules ModifyImmutable Tag Rules Resource level qcs::tcr:${Region}:uin/:instance/${RegistryId} Supported
ModifyInstance Modify Instance Resource level qcs::tcr:$regionid:$accountid:instance/* Supported
ModifyInstanceStorage Modify TCR instance storage configuration Resource level qcs::tcr:${Region}:uin/:instance/${RegistryId} Supported
ModifyInstanceToken Modify Instance Token Resource level qcs::tcr:${Region}:uin/:instance/${RegistryId} Supported
ModifyInstanceTokenValidTime Modify Instance Token Valid Time Resource level qcs::tcr:$regionid:$accountid:instance/$instanceid not supported
ModifyNamespace Update namespace information Resource level qcs::tcr::uin/${uin}:repository/${RegistryId}/${NamespaceName}/* not supported
ModifyRepository Update image repository Resource level qcs::tcr::uin/${uin}:repository/${RegistryId}/${NamespaceName}/${RepositoryName} not supported
ModifyRepositoryAccessPersonal ModifyRepositoryAccessPersonal Resource level qcs::${ApiModule}:${Region}:uin/:repo/${RepoName} Supported
ModifyRepositoryInfoPersonal modify repo info personal Operation level * Supported
ModifySecurityPolicy ModifySecurityPolicy Resource level qcs::tcr:${Region}:uin/:instance/${RegistryId} Supported
ModifyServiceAccount update properties of service account Resource level qcs::tcr:${region}:uin/${uin}:instance/${RegistryId} Supported
ModifyTagRetentionRule Modify Tag RetentionRule Resource level qcs::tcr::uin/${uin}:repository/${RegistryId}/${NamespaceName}/* not supported
ModifyUserPasswordPersonal Modify CCR Password Operation level * Supported
ModifyWebhookTrigger Update Webhook Trigger Resource level qcs::tcr::uin/${uin}:repository/${RegistryId}/${NamespaceName}/* not supported
PullRepository Pull Repository Resource level qcs::tcr:${region}:uin/${uin}:repository/${instanceid}/${namespacename}/${repositoryname} not supported
PullRepositoryPersonal Pull Repository Personal Resource level qcs::tcr:${Region}:uin/:repo/${RepoName} not supported
PushRepository Push Repository Resource level qcs::tcr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname not supported
PushRepositoryPersonal Push Repository Personal Resource level qcs::tcr:${Region}:uin/:repo/${RepoName} not supported
RenewInstance Renewal of prepaid instances supports pay-as-you-go subscriptions to yearly and monthly subscriptions during the same period Resource level qcs::tcr:${Region}:uin/:instance/${RegistryId} Supported
TerminateGCJob terminate garbage collection job Resource level qcs::tcr:${Region}:uin/:instance/${RegistryId} Supported
UpdateApplicationTokenPermission Update Application Token Read Write Permission Operation level * not supported
UpdateApplicationTokenPermissionPersonal Update Application Token Read Write Permission Operation level * Supported
UpdateApplicationTokenPersonal Update Application Token Operation level * Supported

Read operations

API API Description Authorization Granularity Six-segment Resource Description IP Restriction
CheckInstanceCustomizedDomains Check the custom domain name registration status Operation level * not supported
CheckInstanceName Check whether the instance name to be created conforms to the specification Operation level * not supported
DeleteReplicationRule DeleteReplicationRule Resource level qcs::tcr:${Region}:uin/:instance/${SourceRegistryId} Supported
DescribeAIModelVersionDetail DescribeAIModelVersionDetail Operation level * not supported
DescribeApplicationTokenPersonal Describe Application Token Operation level * Supported
DescribeApplicationTriggerLogPersonal describe application trigger Operation level * Supported
DescribeApplicationTriggerPersonal DescribeApplicationTriggerPersonal Operation level * Supported
DescribeChartDownloadInfo DescribeChartDownloadInfo Resource level qcs::tcr:$regionid:$accountid:instance/$instanceid Supported
DescribeChartUploadInfo DescribeChartUploadInfo Resource level qcs::tcr:$regionid:$accountid:instance/$instanceid Supported
DescribeCosInfo Describe Cos Info Resource level qcs::tcr:$regionid:$accountid:instance/${instanceid} not supported
DescribeDockerHubImagePersonal DescribeDockerHubImagePersonal Operation level * Supported
DescribeDockerHubRepositoryInfoPersonal DescribeDockerHubRepositoryInfoPersonal Operation level * Supported
DescribeDockerHubRepositoryPersonal DescribeDockerHubRepositoryPersonal Operation level * Supported
DescribeExternalEndpointStatus Describe External Endpoint Status Resource level qcs::tcr:$regionid:$accountid:instance/$instanceid Supported
DescribeFavorRepositoryPersonal DescribeFavorRepositoryPersonal Operation level * Supported
DescribeGCJobs Describe GC Latest 10 Jobs Resource level qcs::tcr:${Region}:uin/:instance/${RegistryId} Supported
DescribeHelmCharts Describe Helm Charts Resource level qcs::tcr:$regionid:$accountid:repository/$instanceid/$namespacename/* not supported
DescribeImageAccelerateService describe image accelerate service Resource level qcs::tcr:${Region}:uin/:instance/${RegistryId} Supported
DescribeImageConfigPersonal DescribeImageConfigPersonal Operation level * Supported
DescribeImageFilterPersonal DescribeImageFilterPersonal Operation level * Supported
DescribeImageLifecycleGlobalPersonal Describe Image Lifecycle Global Personal Operation level * Supported
DescribeImageLifecyclePersonal DescribeImageLifecyclePersonal Operation level * Supported
DescribeImageManifests describe image manifests info Resource level qcs::tcr:${Region}:uin/${Uin}:repository/${RegistryId}/${NamespaceName}/${RepositoryName} not supported
DescribeImagePersonal Used to get the personal version of the mirror warehouse tag list Resource level qcs::tcr::uin/${uin}:repo/${Reponame} Supported
DescribeImageVulnerabilityDetails Query scanned image vulnerability information based on the image version Resource level qcs::tcr:${region}:uin/${uin}:instance/${RegistryId} Supported
DescribeImages Query list or specify container list information Resource level qcs::tcr:${Region}:uin/${Uin}:repository/${RegistryId}/${NamespaceName}/${RepositoryName} not supported
DescribeImmutableTagRules DescribeImmutable Tag Rules Resource level qcs::tcr:${Region}:uin/:instance/${RegistryId} Supported
DescribeInstanceAllForCoding Coding only - query all instance information Operation level * not supported
DescribeInstanceStatus Resource level qcs::tcr:${Region}:uin/:instance/${RegistryId} Supported
DescribeInstanceToken Resource level qcs::tcr:${Region}:uin/:instance/${RegistryId} Supported
DescribeInstances Describe Instances Operation level * Supported
DescribeInternalEndpoints Describe Internal Endpoints Resource level qcs::tcr:$regionid:$accountid:instance/$instanceid Supported
DescribeNamespacePersonal DescribeNamespacePersonal Operation level * Supported
DescribeNamespaces describe namespace info Resource level qcs::tcr:${Region}:uin/${Uin}:repository/${RegistryId}/* not supported
DescribeRegions List TCR available areas Operation level * not supported
DescribeReplication Describe Replication Resource level qcs::tcr:$regionid:$accountid:instance/$instanceid not supported
DescribeReplicationExecutions Instance synchronization/instance replication policy execution record list Resource level qcs::tcr:${region}:uin/${uin}:instance/${RegistryId} Supported
DescribeReplicationInstanceCreateTasks DescribeReplicationInstanceCreateTasks Resource level qcs::tcr:$regionid:$accountid:instance/$instanceid Supported
DescribeReplicationInstanceSyncStatus DescribeReplicationInstanceSyncStatus Resource level qcs::tcr:$regionid:$accountid:instance/$instanceid Supported
DescribeReplicationPolicies Get the list of instance synchronization rules Resource level qcs::tcr:${region}:uin/${uin}:instance/${RegistryId} Supported
DescribeReplicationTasks Instance synchronization/instance replication execution task list Resource level qcs::tcr:${region}:uin/${uin}:instance/${RegistryId} Supported
DescribeRepositories describe instance repositories Resource level qcs::tcr:${Region}:uin/${Uin}:repository/${RegistryId}/${NamespaceName}/${RepositoryName} not supported
DescribeRepositoryAllPersonal DescribeRepositoryAllPersonal Operation level * Supported
DescribeRepositoryFilterPersonal DescribeRepositoryFilterPersonal Operation level * Supported
DescribeRepositoryOwnerPersonal Describe Repository Owner Personal Operation level * not supported
DescribeRepositoryPersonal DescribeRepositoryPersonal Operation level * Supported
DescribeSecurityPolicies Resource level qcs::tcr:${Region}:uin/:instance/${RegistryId} Supported
DescribeServiceAccounts describe service accounts Resource level qcs::tcr:${region}:uin/${uin}:instance/${RegistryId} Supported
DescribeSkillDetail DescribeSkillDetail Operation level * not supported
DescribeSkillDownloadInfo DescribeSkillDownloadInfo Operation level * not supported
DescribeSystemInfo return the system information of tcr instance Resource level qcs::tcr:${Region}:uin/:instance/${RegistryId} Supported
DescribeTagRetentionExecutionTask Query version retains execution tasks Resource level qcs::tcr:${Region}:uin/${Uin}:repository/${RegistryId}/${NamespaceName}/* not supported
DescribeTagRetentionRules Describe Tag RetentionRules Resource level qcs::tcr:${Region}:uin/${Uin}:repository/${RegistryId}/* not supported
DescribeUserPersonal DescribeUserPersonal Operation level * Supported
DescribeUserQuotaPersonal DescribeUserQuotaPersonal Operation level * Supported
DescribeWebhookTrigger Query Webhook Trigger Resource level qcs::tcr::uin/${uin}:repository/${RegistryId}/${NamespaceName}/* not supported
DescribeWebhookTriggerLog query Webhook consumption logs Resource level qcs::tcr:${Region}:uin/${Uin}:repository/${RegistryId}/${Namespace}/* not supported
ListAIModelVersions ListAIModelVersions Operation level * not supported
ListAIModels ListAIModels Operation level * not supported
ListChartRelease Query the Chart version list Resource level qcs::tcr::uin/${uin}:repository/${RegistryId}/${NameSpaceName}/${RepositoryName} not supported
ListSkillVersions ListSkillVersions Operation level * not supported
ListSkills ListSkills Operation level * not supported
ValidateApplicationTokenPersonal Validate Application Token Operation level * Supported
ValidateNamespaceExistPersonal ValidateNamespaceExistPersonal Operation level * Supported
ValidateRepositoryExistPersonal ValidateRepositoryExistPersonal Operation level * Supported
ValidateUserPersonal ValidateUserPersonal Operation level * Supported

List Operations

API API Description Authorization Granularity Six-segment Resource Description IP Restriction
DescribeInstanceCustomizedDomain Describe Instance Customized Domain Resource level qcs::tcr:$regionid:$accountid:instance/$RegistryId Supported
DescribeInternalEndpointDnsStatus DescribeInternalEndpointDnsStatus Operation level * Supported
DescribeReplicationInstances DescribeReplicationInstances Resource level qcs::tcr:$regionid:$accountid:instance/$instanceid Supported
DescribeWebhookTriggerPersonal DescribeWebhookTriggerPersonal Operation level * Supported
Previous Topic: Tencent Cloud MeshNext Topic: Tencent Kubernetes Engine Distributed Cloud Center

Help and Support

Was this page helpful?

Help us improve! Rate your documentation experience in 5 mins.

Feedback