tencent cloud

典型场景策略配置

注意：

以下场景策略均只面向个人版使用场景。

• 授予子账号容器镜像服务（TCR）个人版内全部资源的全读写操作权限。

  {
  "version": "2.0",
  "statement": [{
    "action": [
        "tcr:*"
    ],
    "resource": [
        "qcs::tcr:::repo/*"
    ],
    "effect": "allow"
  }]
  }
  

• 授予子账号 TCR 个人版（原容器服务 TKE 内镜像仓库）内全部资源的只读操作权限。

  {
  "version": "2.0",
  "statement": [{
    "action": [
        "tcr:Describe*",
        "tcr:PullRepository*"
    ],
    "resource": [
        "qcs::tcr:::repo/*"
    ],
    "effect": "allow"
  }]
  }
  

• 授权子账号管理指定地域内的指定命名空间，例如默认地域内命名空间 team-01。

  {
  "version": "2.0",
  "statement": [{
        "action": [
            "tcr:*"
        ],
        "resource": [
            "qcs::tcr:::repo/team-01",
            "qcs::tcr:::repo/team-01/*"
        ],
        "effect": "allow"
    }
  ]
  }
  

• 授权子账号只读某个镜像仓库，即仅能拉取该仓库内镜像，无法删除仓库、修改仓库属性及推送镜像，例如默认地域内命名空间 team-01 内的镜像仓库 repo-demo。

  {
  "version": "2.0",
  "statement": [{
        "action": [
            "tcr:Describe*",
            "tcr:PullRepositoryPersonal"
        ],
        "resource": [
            "qcs::tcr:::repo/team-01",
            "qcs::tcr:::repo/team-01/repo-demo",
            "qcs::tcr:::repo/team-01/repo-demo/*"
        ],
        "effect": "allow"
    }
  ]
  }