Help Center/ SoftWare Repository for Container/ API Reference (Enterprise Edition)/ API/ Image Signing Management/ Modifying an Image Signing Policy

Updated on 2025-09-26 GMT+08:00

Online Debugging

CLI Examples

View PDF

Modifying an Image Signing Policy

Function

This API is used to modify an image signing policy.

Constraints

None.

Calling Method

For details, see Calling APIs.

URI

PUT /v2/{project_id}/instances/{instance_id}/namespaces/{namespace_name}/signature/policies/{policy_id}

**Table 1** Path Parameters
Parameter	Mandatory	Type	Description
project_id	Yes	String	Project ID.
instance_id	Yes	String	ID of an SWR Enterprise Edition instance.
namespace_name	Yes	String	Namespace name.
policy_id	Yes	Integer	Policy ID.

Request Parameters

**Table 2** Request header parameters
Parameter	Mandatory	Type	Description
X-Auth-Token	Yes	String	User token. It can be obtained by calling the IAM API used to obtain a user token. The value of X-Subject-Token in the response header is the user token.

**Table 3** Request body parameters
Parameter	Mandatory	Type	Description
name	Yes	String	Name of an image signing policy. The value can contain 1 to 256 characters. Only letters, digits, underscores (_), and hyphens (-) are allowed.
description	No	String	Description of an image signing policy.
enabled	Yes	Boolean	Whether to enable a resource.
signature_method	Yes	String	Signing mode. The value can be KMS.
signature_algorithm	Yes	String	Signing algorithm. The key algorithm EC_P256 of KMS corresponds to ECDSA_SHA_256, EC_P384 corresponds to ECDSA_SHA_384, and SM2 corresponds to SM2DSA_SM3.
signature_key	Yes	String	Key for image signing.
trigger	Yes	TriggerConfig object	Triggering mode.
scope_rules	Yes	Array of SignScopeRule objects	Application scope.

**Table 4** TriggerConfig
Parameter	Mandatory	Type	Description
type	Yes	String	Trigger type. For image signing and retention policies, the options are manual and scheduled (scheduled + manual). For image replication policies, the options are manual, scheduled (scheduled + manual), and event_based (event-triggered + manual).
trigger_settings	No	TriggerSetting object	Trigger settings. This parameter is required only when type is set to scheduled.

**Table 5** TriggerSetting
Parameter	Mandatory	Type	Description
cron	No	String	Cron settings, in the format of '* * * * * *'. cron is based on the UTC time.

**Table 6** SignScopeRule
Parameter	Mandatory	Type	Description
tag_selectors	Yes	Array of SignRuleSelector objects	Artifact tag selector. Currently, the value length must be 1.
scope_selectors	Yes	Map<String,Array<SignRuleSelector>>	Artifact repository selector. Currently, only repository is supported, and the value length must be 1.
repo_scope_mode	Yes	String	Repository selection method. The value can be regular or selection. regular is required for frontend display and optional for API calling.

**Table 7** SignRuleSelector
Parameter	Mandatory	Type	Description
kind	Yes	String	Matching type. Currently, doublestar is the only value.
decoration	Yes	String	Selector matching type. The value can be repoMatches.
pattern	Yes	String	Selector matching pattern. The maximum length is 512 characters. The regular expression can be nginx-* or {repo1, repo2}. : matches any field that does not contain a slash (/). *: matches any field that contains a slash (/). ?: matches any single character except a slash (/). {option 1, option 2, ...}: matches any of the options.
extras	No	String	Reserved field. In an image signing policy, if an artifact without a tag is signed, {"untagged":true} is transferred.

Response Parameters

Status code: 200

The image signing policy is updated successfully.

Status code: 400

**Table 8** Response body parameters
Parameter	Type	Description
error_code	String	Error code.
error_msg	String	Error message.
encoded_authorization_message	String	Detailed rejection reason after encryption. You can call the API decode-authorization-message of STS to decrypt the reason.

Status code: 401

**Table 9** Response body parameters
Parameter	Type	Description
error_code	String	Error code.
error_msg	String	Error message.
encoded_authorization_message	String	Detailed rejection reason after encryption. You can call the API decode-authorization-message of STS to decrypt the reason.

Status code: 403

**Table 10** Response body parameters
Parameter	Type	Description
error_code	String	Error code.
error_msg	String	Error message.
encoded_authorization_message	String	Detailed rejection reason after encryption. You can call the API decode-authorization-message of STS to decrypt the reason.

Status code: 404

**Table 11** Response body parameters
Parameter	Type	Description
error_code	String	Error code.
error_msg	String	Error message.
encoded_authorization_message	String	Detailed rejection reason after encryption. You can call the API decode-authorization-message of STS to decrypt the reason.

Status code: 500

**Table 12** Response body parameters
Parameter	Type	Description
error_code	String	Error code.
error_msg	String	Error message.
encoded_authorization_message	String	Detailed rejection reason after encryption. You can call the API decode-authorization-message of STS to decrypt the reason.

Example Requests

PUT https://{endpoint}/v2/{project_id}/instances/{instance_id}/namespaces/{namespace_name}/replication/policies/{policy_id}

{
  "name" : "test11",
  "scope_rules" : [ {
    "repo_scope_mode" : "regular",
    "tag_selectors" : [ {
      "kind" : "doublestar",
      "decoration" : "matches",
      "pattern" : "**",
      "extras" : "{\"untagged\":true}"
    } ],
    "scope_selectors" : {
      "repository" : [ {
        "kind" : "doublestar",
        "decoration" : "repoMatches",
        "pattern" : "**"
      } ]
    }
  } ],
  "enabled" : true,
  "trigger" : {
    "trigger_settings" : {
      "cron" : ""
    },
    "type" : "manual"
  },
  "signature_method" : "KMS",
  "signature_algorithm" : "ECDSA_SHA_384",
  "signature_key" : "668985d5-919d-4c51-9293-eb846c78cbf0"
}

Example Responses

None

SDK Sample Code

The SDK sample code is as follows.

Java

    
     
       
       
         package com.huaweicloud.sdk.test;

import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.swr.v2.region.SwrRegion;
import com.huaweicloud.sdk.swr.v2.*;
import com.huaweicloud.sdk.swr.v2.model.*;

import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.util.HashMap;

public class UpdateInstanceSignPolicySolution {

    public static void main(String[] args) {
        // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
        // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
        String ak = System.getenv("CLOUD_SDK_AK");
        String sk = System.getenv("CLOUD_SDK_SK");
        String projectId = "{project_id}";

        ICredential auth = new BasicCredentials()
                .withProjectId(projectId)
                .withAk(ak)
                .withSk(sk);

        SwrClient client = SwrClient.newBuilder()
                .withCredential(auth)
                .withRegion(SwrRegion.valueOf("<YOUR REGION>"))
                .build();
        UpdateInstanceSignPolicyRequest request = new UpdateInstanceSignPolicyRequest();
        request.withInstanceId("{instance_id}");
        request.withNamespaceName("{namespace_name}");
        request.withPolicyId({policy_id});
        UpdateSignaturePolicyRequestBody body = new UpdateSignaturePolicyRequestBody();
        List<SignRuleSelector> listScopeSelectorsScopeSelectors = new ArrayList<>();
        listScopeSelectorsScopeSelectors.add(
            new SignRuleSelector()
                .withKind("doublestar")
                .withDecoration("repoMatches")
                .withPattern("**")
        );
        Map<String, List<SignRuleSelector>> listScopeRulesScopeSelectors = new HashMap<>();
        listScopeRulesScopeSelectors.put("repository", listScopeSelectorsScopeSelectors);
        List<SignRuleSelector> listScopeRulesTagSelectors = new ArrayList<>();
        listScopeRulesTagSelectors.add(
            new SignRuleSelector()
                .withKind("doublestar")
                .withDecoration("matches")
                .withPattern("**")
                .withExtras("{"untagged":true}")
        );
        List<SignScopeRule> listbodyScopeRules = new ArrayList<>();
        listbodyScopeRules.add(
            new SignScopeRule()
                .withTagSelectors(listScopeRulesTagSelectors)
                .withScopeSelectors(listScopeRulesScopeSelectors)
                .withRepoScopeMode("regular")
        );
        TriggerSetting triggerSettingsTrigger = new TriggerSetting();
        triggerSettingsTrigger.withCron("");
        TriggerConfig triggerbody = new TriggerConfig();
        triggerbody.withType("manual")
            .withTriggerSettings(triggerSettingsTrigger);
        body.withScopeRules(listbodyScopeRules);
        body.withTrigger(triggerbody);
        body.withSignatureKey("668985d5-919d-4c51-9293-eb846c78cbf0");
        body.withSignatureAlgorithm(UpdateSignaturePolicyRequestBody.SignatureAlgorithmEnum.fromValue("ECDSA_SHA_384"));
        body.withSignatureMethod(UpdateSignaturePolicyRequestBody.SignatureMethodEnum.fromValue("KMS"));
        body.withEnabled(true);
        body.withName("test11");
        request.withBody(body);
        try {
            UpdateInstanceSignPolicyResponse response = client.updateInstanceSignPolicy(request);
            System.out.println(response.toString());
        } catch (ConnectionException e) {
            e.printStackTrace();
        } catch (RequestTimeoutException e) {
            e.printStackTrace();
        } catch (ServiceResponseException e) {
            e.printStackTrace();
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getRequestId());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }
}

        

      

    
   

Python

    
     
       
       
         # coding: utf-8

import os
from huaweicloudsdkcore.auth.credentials import BasicCredentials
from huaweicloudsdkswr.v2.region.swr_region import SwrRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkswr.v2 import *

if __name__ == "__main__":
    # The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    # In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak = os.environ["CLOUD_SDK_AK"]
    sk = os.environ["CLOUD_SDK_SK"]
    projectId = "{project_id}"

    credentials = BasicCredentials(ak, sk, projectId)

    client = SwrClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(SwrRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        request = UpdateInstanceSignPolicyRequest()
        request.instance_id = "{instance_id}"
        request.namespace_name = "{namespace_name}"
        request.policy_id = {policy_id}
        listScopeSelectorsScopeSelectors = [
            SignRuleSelector(
                kind="doublestar",
                decoration="repoMatches",
                pattern="**"
            )
        ]
        listScopeSelectorsScopeRules = {
            "repository": listScopeSelectorsScopeSelectors
        }
        listTagSelectorsScopeRules = [
            SignRuleSelector(
                kind="doublestar",
                decoration="matches",
                pattern="**",
                extras="{"untagged":true}"
            )
        ]
        listScopeRulesbody = [
            SignScopeRule(
                tag_selectors=listTagSelectorsScopeRules,
                scope_selectors=listScopeSelectorsScopeRules,
                repo_scope_mode="regular"
            )
        ]
        triggerSettingsTrigger = TriggerSetting(
            cron=""
        )
        triggerbody = TriggerConfig(
            type="manual",
            trigger_settings=triggerSettingsTrigger
        )
        request.body = UpdateSignaturePolicyRequestBody(
            scope_rules=listScopeRulesbody,
            trigger=triggerbody,
            signature_key="668985d5-919d-4c51-9293-eb846c78cbf0",
            signature_algorithm="ECDSA_SHA_384",
            signature_method="KMS",
            enabled=True,
            name="test11"
        )
        response = client.update_instance_sign_policy(request)
        print(response)
    except exceptions.ClientRequestException as e:
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)

        

      

    
   

Go

    
     
       
       
         package main

import (
	"fmt"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
    swr "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/swr/v2"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/swr/v2/model"
    region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/swr/v2/region"
)

func main() {
    // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak := os.Getenv("CLOUD_SDK_AK")
    sk := os.Getenv("CLOUD_SDK_SK")
    projectId := "{project_id}"

    auth := basic.NewCredentialsBuilder().
        WithAk(ak).
        WithSk(sk).
        WithProjectId(projectId).
        Build()

    client := swr.NewSwrClient(
        swr.SwrClientBuilder().
            WithRegion(region.ValueOf("<YOUR REGION>")).
            WithCredential(auth).
            Build())

    request := &model.UpdateInstanceSignPolicyRequest{}
	request.InstanceId = "{instance_id}"
	request.NamespaceName = "{namespace_name}"
	request.PolicyId = int32({policy_id})
	var listScopeSelectorsScopeSelectors = []model.SignRuleSelector{
        {
            Kind: "doublestar",
            Decoration: "repoMatches",
            Pattern: "**",
        },
    }
	var listScopeSelectorsScopeRules = map[string][](model.SignRuleSelector){
        "repository": listScopeSelectorsScopeSelectors,
    }
	extrasTagSelectors:= "{"untagged":true}"
	var listTagSelectorsScopeRules = []model.SignRuleSelector{
        {
            Kind: "doublestar",
            Decoration: "matches",
            Pattern: "**",
            Extras: &extrasTagSelectors,
        },
    }
	var listScopeRulesbody = []model.SignScopeRule{
        {
            TagSelectors: listTagSelectorsScopeRules,
            ScopeSelectors: listScopeSelectorsScopeRules,
            RepoScopeMode: "regular",
        },
    }
	cronTriggerSettings:= ""
	triggerSettingsTrigger := &model.TriggerSetting{
		Cron: &cronTriggerSettings,
	}
	triggerbody := &model.TriggerConfig{
		Type: "manual",
		TriggerSettings: triggerSettingsTrigger,
	}
	request.Body = &model.UpdateSignaturePolicyRequestBody{
		ScopeRules: listScopeRulesbody,
		Trigger: triggerbody,
		SignatureKey: "668985d5-919d-4c51-9293-eb846c78cbf0",
		SignatureAlgorithm: model.GetUpdateSignaturePolicyRequestBodySignatureAlgorithmEnum().ECDSA_SHA_384,
		SignatureMethod: model.GetUpdateSignaturePolicyRequestBodySignatureMethodEnum().KMS,
		Enabled: true,
		Name: "test11",
	}
	response, err := client.UpdateInstanceSignPolicy(request)
	if err == nil {
        fmt.Printf("%+v\n", response)
    } else {
        fmt.Println(err)
    }
}

        

      

    
   

For SDK sample code of more programming languages, see the Sample Code tab in API Explorer. SDK sample code can be automatically generated.

Status Codes

Status Code	Description
200	The image signing policy is updated successfully.
400	Request error.
401	Authentication failed.
403	Access denied.
404	Resource not found.
500	Internal error.

Error Codes

See Error Codes.

Parent topic: Image Signing Management

Previous topic: Querying Details About an Image Signing Policy

Next topic: Deleting an Image Signing Policy

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot