Managing User-Level Account

Last updated: 2024-03-25 18:30:23

Scenario

To push and pull container images, you must first log in to the instance: run the docker login command in the Docker client and enter the username and password from the access credential. This username and password are used only for login and authentication to this instance and cannot be used in other scenarios. This document describes how to manage user-level accounts associated with Tencent Cloud accounts in TCR Enterprise Edition instances.
After purchasing a TCR Enterprise Edition instance, if you want multiple sub-accounts to manage and use it simultaneously, such as pushing/pulling images, the account administrator can first configure permissions for each sub-account (see TCR Enterprise Authorization Management for details). After logging in to the product console, sub-accounts can generate user-level accounts, which are Docker Registry access credentials associated with their identity (the username of the access credential is the same as the Tencent Cloud sub-account ID). These credentials can be used to log in to the repository and push/pull images. When using a user-level account associated with a sub-account to operate images, read and write actions will be recorded and traceable to the account holder, which can be used for internal audits.
When creating a user-level account, you can choose to create a temporary access credential or generate a long-term access credential. Temporary access credentials are recommended for day-to-day, short-lived image push/pull operations, to avoid data security risks caused by credential leaks.
Long-term access credential: A long-term access credential is permanently valid, and can be disabled or deleted. You can use the long-term access credential in scenarios such as early-stage testing, continuous integration and continuous deployment (CI/CD), and image pull in a container cluster.
Note: Store the access credential securely after it is generated. If it is lost, disable or delete it promptly.
Temporary login token: A temporary login token is valid for 1 hour and cannot be disabled or terminated. You can use the temporary login token in scenarios such as one-time external authorization, or, refreshed regularly, in a production cluster with high security requirements.

Preparations

Before obtaining an access credential for a TCR Enterprise Edition instance, you must complete the following preparations.
To obtain the access credential through an API, you must obtain the API key that is required for calling v3.0 APIs.

Instructions

Obtaining a long-term access credential

1. Log in to the TCR console and choose Access credential > User accounts in the left sidebar.
2. On the User accounts page, select a region and an instance, and click Create.
3. On the Create access credential page, perform the following steps:
3.1 In the Create access credential step, enter a description for the credential's purpose and click Next.
3.2 In the Save access credential step, click Save access credential to download the credential information. Please keep the access credential safe, as you only have one chance to save it.


4. You can view, disable, or delete a created access credential on the Access Credential tab.

Obtaining a temporary login token

1. Log in to the TCR console and choose Access credential > User accounts in the left sidebar.
2. On the User accounts page, select a region and an instance. Click Generate Temp Login Token.
3. On the Temp login token page, click Copy login token to obtain a temporary access credential.
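
The shell functions below are an added example, not part of the TCR documentation. They show one way to handle a copied temporary login token on a host that refreshes it regularly: the token is treated as stale before its 1-hour validity ends, the token file must be readable only by its owner, and the token is passed to docker login on standard input. The function names, the 10-minute margin, and the token-file layout are assumptions; the registry address and username (the sub-account ID) are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the TCR documentation); names and margin are assumptions.
TOKEN_LIFETIME=3600   # temporary login token validity stated on this page: 1 hour
REFRESH_MARGIN=600    # assumption: treat the token as stale 10 minutes early

# token_needs_refresh ISSUED_EPOCH NOW_EPOCH
# Returns 0 (refresh) when the token is inside the margin, expired,
# issued "in the future" (clock skew), or an argument is not a number.
token_needs_refresh() {
    for v in "$1" "$2"; do
        case "$v" in ''|*[!0-9]*) return 0 ;; esac
    done
    age=$(( $2 - $1 ))
    [ "$age" -lt 0 ] && return 0
    [ "$age" -ge $(( TOKEN_LIFETIME - REFRESH_MARGIN )) ]
}

# token_file_is_private FILE
# Returns 0 only when FILE exists and has no group/other permission bits.
token_file_is_private() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# registry_login REGISTRY USERNAME TOKEN_FILE ISSUED_EPOCH
# Returns 1 for an exposed token file, 2 for a stale token; otherwise
# returns the exit status of docker login.
registry_login() {
    if ! token_file_is_private "$3"; then
        echo "refusing: $3 must be readable only by its owner" >&2
        return 1
    fi
    if token_needs_refresh "$4" "$(date +%s)"; then
        echo "token is stale: generate a new temporary login token first" >&2
        return 2
    fi
    # --password-stdin keeps the token out of the process list and shell history.
    docker login "$1" --username "$2" --password-stdin < "$3"
}
```

Because a temporary login token cannot be disabled, the file holding it should be removed as soon as the login has completed.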



Creating via API

You can also call the CreateInstanceToken API to create instance access credentials. For more information, see Create Instance Access Credential.

See Also

Please refer to Logging in to the TCR instance for logging in to the TCR Enterprise Edition instance.

Supports and Limits

A long-term access credential will be created automatically in some scenarios:

1. When you install the TCR add-on in a TKE cluster, a long-term access credential is automatically created for the selected instance. This credential will not be automatically terminated when the add-on is deleted. If you do not want to use it any more, you need to manually delete it.
2. When you use the image build or delivery pipeline feature, a dedicated access credential is automatically created and provided to the CODING DevOps service to push the automatically built images. Do not delete this access credential directly; otherwise, existing image build configurations will fail.