Function Overview

This topic describes how to use IAM to implement fine-grained permissions control for your SWR resources. With IAM, you can:

• Create IAM users for employees based on your enterprise's organizational structure. Each IAM user will have their own security credentials for accessing SWR resources.
• Grant only the permissions required for users to perform a specific task.
• Entrust a HUAWEI CLOUD account or cloud service to perform efficient O&M on your SWR resources.

If your HUAWEI CLOUD account does not require individual IAM users, skip this section.

If your container engine client is an ECS or CCE node, you can push an image over two types of networks.

• If your client and the image repository are in the same region, you can push an image over private networks.
• If your client and the image repository are in different regions, you can push an image over public networks and the client needs to be bound to an EIP.

• Each image layer uploaded through the client cannot exceed 10 GB.
• Your container engine client version must be 1.11.2 or later.

The user has the programmatic access permission. If the user does not have the permission, log in to IAM as the administrator and grant the user the programmatic access permission.

• A maximum of 10 files can be uploaded at a time. The size of a single file (including the decompressed files) cannot exceed 2 GB.
• The image package is created using container engine 1.11.2 or later.

You can run the docker pull command to pull images from SWR.

You can share your private images with other users and grant the users permissions to pull the images.

The user with whom you shared the image can then log in to the SWR console to view the image by choosing My Images > Shared Images. On the tab page, the user can click the target image to check its detailed information, including the image tag and image pull command.

SWR works with Cloud Container Engine (CCE) to enable automatic application updates. This could be realized by adding a trigger to the desired images.

CN North-Beijing1, CN North-Beijing4, CN East-Shanghai1, CN East-Shanghai2, CN South-Guangzhou, CN-Hong Kong, and AP-Singapore regions

SWR provides a large number of public images. You can add public container images to your favorites and push them to your repository.

Organizations enable efficient management of images. Organizations are used to isolate image repositories. With each organization being limited to one company or department, images can be managed in a centralized and efficient manner. An image name needs to be unique within an organization. The same IAM user can access different organizations as long as the user has sufficient permissions, as shown in Figure 1.

You can grant different permissions, namely, read, write, and manage, to IAM users under the same account. For details, see User Permissions.

To manage SWR permissions, you can use Identity and Access Management (IAM). For details about how to set permissions, see Creating a User and Granting SWR Permissions. If you have the SWR Admin or Tenant Administrator permission, you become an admin user of SWR. You can grant permissions to other IAM users in SWR.