Container Registry access control (IAM)
Access to the container registry is controlled through Thalassa Cloud IAM and access credential scopes. Registry operations require both API-level permissions (for namespace and repository management) and registry-level push/pull permissions (for image upload and download).
IAM resources
The registry uses four IAM resources:
| Resource | IAM name |
|---|---|
| Namespace (list/create) | container_registry |
| Namespace (read/update/delete) | container_registry_namespace |
| Namespace configuration | container_registry_namespace_configuration |
| Repository | container_registry_repository |
Built-in policies
| Policy name | Slug | Permissions | Typical use |
|---|---|---|---|
| registry:ReadAccess | registry-read-access | read, list, pull | View namespaces and pull images |
| registry:developer | registry-developer | read, list, push, pull on namespaces and repositories | CI/CD push and pull |
| registry:viewer | registry-viewer | read, list, pull | Read-only browsing and pull |
| registry:admin | registry-admin | Full CRUD + push/pull | Full namespace and repository management |
| registry:FullAccess | registry-full-admin-access | Full CRUD + push/pull | Same as admin |

registry:FullAccess is currently stored as registry:FullAdminAccess; the slug registry-full-admin-access is unchanged.
See Container Registry default policies for slug and binding details.
The built-in admin:all policy grants full registry access implicitly.
Registry-specific permissions
In addition to the standard create, read, update, delete, and list permissions, the registry defines two image-level permissions:
| Permission | Meaning |
|---|---|
push | Upload images to namespaces you can access |
pull | Download images from namespaces you can access |
IaaS policy inclusion
Registry access is also included in broader IaaS policies for teams that manage compute and registry together:
| Policy | Registry access |
|---|---|
| iaas:admin | Full CRUD + push/pull |
| iaas:devops | Full CRUD + push/pull |
| iaas:auditor | read, list, pull |
iaas:ReadAccess and iaas:FullAccess do not include container registry permissions.
Access credential scopes
For docker login and OCI client authentication, an access credential must carry one of the following scopes:
| Scope | Access |
|---|---|
| containerRegistry | Push and pull |
| containerRegistry:all | Push and pull |
| containerRegistry:pull | Pull only |
Push and pull on registry resources can also be granted through user sessions and IAM policies. See the CI/CD guide for pipeline credential patterns.
Recommended policy assignment
| Persona | Policy | Rationale |
|---|---|---|
| Registry administrators | registry:FullAccess or registry:admin | Create namespaces, configure retention, manage repositories |
| CI/CD build pipelines | registry:developer or custom role with push/pull | Push built images |
| Deploy pipelines / runtime | registry:ReadAccess or pull-only credential | Pull images without push access |
| Auditors | registry:viewer or registry:ReadAccess | Browse metadata and pull for verification |
Follow least privilege: use pull-only credentials for deploy pipelines and Kubernetes imagePullSecrets.
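The pull-only deploy credential recommended above, as an added example that is not code from the Thalassa Cloud documentation: a POSIX shell script that packages a containerRegistry:pull credential into a Kubernetes imagePullSecret without calling kubectl, and decodes the finished manifest so a reviewer can confirm which credential it actually carries before applying it. The registry host registry.example.test, the username deploy-bot and the token value are placeholders; the real host and credential come from the access-credential page.

```shell
#!/bin/sh
# Added example (not from the Thalassa Cloud docs): build a Kubernetes
# imagePullSecret from a pull-only access credential and verify its contents.
# ASSUMPTIONS: the registry host, the username convention and the token used
# in the usage line are placeholders, not documented values.
set -eu

# Single-line base64 (GNU coreutils wraps at 76 columns by default).
b64() { base64 | tr -d '\n'; }

# make_docker_config REGISTRY USER TOKEN
# Prints the .dockerconfigjson document that docker and the kubelet expect,
# scoped to exactly one registry host.
make_docker_config() {
  registry=$1; user=$2; token=$3
  auth=$(printf '%s:%s' "$user" "$token" | b64)
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$registry" "$user" "$token" "$auth"
}

# make_pull_secret NAME NAMESPACE REGISTRY USER TOKEN
# Prints a kubernetes.io/dockerconfigjson Secret manifest. Pipe it to
# `kubectl apply -f -`, or feed it to your sealed/encrypted secret store.
make_pull_secret() {
  name=$1; ns=$2; registry=$3; user=$4; token=$5
  cfg=$(make_docker_config "$registry" "$user" "$token" | b64)
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $cfg
EOF
}

# decode_auth MANIFEST
# Recovers the "user:token" pair embedded in a manifest produced above, so you
# can check that the secret holds the pull-only credential and not a
# developer's push-capable one before it reaches the cluster.
decode_auth() {
  printf '%s\n' "$1" \
    | sed -n 's/^  \.dockerconfigjson: //p' | base64 -d \
    | sed 's/.*"auth":"\([^"]*\)".*/\1/' | base64 -d
}

# Usage: ./make-pull-secret.sh NAME NAMESPACE REGISTRY USER TOKEN
# e.g.   ./make-pull-secret.sh thalassa-pull prod registry.example.test deploy-bot "$PULL_TOKEN"
if [ $# -eq 5 ]; then
  make_pull_secret "$@"
fi
```

Reference the resulting secret from the Pod's imagePullSecrets or from the ServiceAccount the deploy workload runs as; the credential inside it cannot push, so a compromised deploy namespace cannot overwrite images. For an interactive docker login with the same credential, keep the token off the command line: `printf '%s' "$PULL_TOKEN" | docker login registry.example.test -u deploy-bot --password-stdin`.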
Project scoping
Namespaces can be organisation-scoped or project-scoped:
- Organisation-scoped namespaces — Managed without a project context; visible when no project is selected
- Project-scoped namespaces — Created and listed only within an active project context
IAM policy bindings can be attached at organisation or project level. A principal with project-level access on project A cannot access project B’s namespaces. See IAM policies and Projects for project-scoped access control.
Service accounts
Use service accounts with access credentials for CI/CD and Kubernetes automation. Create dedicated credentials with the minimum scope required — pull-only for deploy, push+pull for build.
See Service accounts and Workload Identity Federation for OIDC-based CI/CD authentication.
Related documentation
- CI/CD guide — Access credential scopes for pipelines
- Kubernetes guide — imagePullSecrets and runtime pull access
- Default IAM policies — Full policy catalogue