IBM Cloud Docs
IAM access policies are required for Container Registry from 5 July 2022

From 5 July 2022, you must use Cloud Identity and Access Management (IAM) access policies to access IBM Cloud® Container Registry.

If you started to use Container Registry before the availability of IAM API key policies in Container Registry in February 2019, you must ensure that you are using IAM access policies to manage access to the IBM Cloud Container Registry service.

Policy-free authorization is being discontinued in the following Container Registry regions:

  • us-south (us.icr.io)
  • uk-south (uk.icr.io)
  • eu-central (de.icr.io)
  • ap-south (au.icr.io)
  • ap-north (jp.icr.io)

Other regions are unaffected because they already require IAM access policies for all accounts.

What are the changes?

Before 7 June 2019, all account users had full access to the images and settings that are associated with the account. Accounts that use Container Registry for the first time since 7 June 2019 are required to have IAM access policies; for other accounts, IAM access policies are optional. From 5 July 2022, all accounts require IAM access policies.

By default, account owners already have appropriate policies that give them full access to Container Registry. If policy-free authorization is in use, any other account user IDs and service IDs must be granted appropriate policies so that they can continue to access images and settings.

Check whether these changes affect you

To check whether policy-free authorization is in effect, run the ibmcloud cr iam-policies-status command. If the CLI reports that IAM policy enforcement is disabled, you must prepare for the changes.

The policy status setting is specific to each Container Registry region. For every region in which you have Container Registry namespaces, target the region by running the ibmcloud cr region-set command, and then run the ibmcloud cr iam-policies-status command again.
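
The per-region check can be scripted so that no region is missed. The following is an added example, not IBM's own code: the function name and the IBMCLOUD override variable are hypothetical, and it assumes that you are already logged in and that the status output contains the word "disabled" or "enabled" (the exact CLI wording is not shown on this page).

```shell
#!/bin/sh
# Added example: report IAM policy enforcement for each affected region.
# Assumes you are already logged in with the ibmcloud CLI and the
# container-registry plug-in is installed.

# The five regions listed on this page.
REGIONS="us-south uk-south eu-central ap-south ap-north"

# Hypothetical override hook so the CLI can be wrapped; defaults to ibmcloud.
: "${IBMCLOUD:=ibmcloud}"

# Prints "region<TAB>state" per region. Returns 1 if any region is not
# confirmed as enforcing IAM policies, so it can gate a pipeline step.
audit_cr_iam_enforcement() {
    rc=0
    for region in $REGIONS; do
        # The status is per region, so target the region first.
        if ! "$IBMCLOUD" cr region-set "$region" >/dev/null 2>&1; then
            printf '%s\tERROR: could not target region\n' "$region"
            rc=1
            continue
        fi
        if ! status=$("$IBMCLOUD" cr iam-policies-status 2>&1); then
            printf '%s\tERROR: status command failed\n' "$region"
            rc=1
            continue
        fi
        # Assumption: the output contains "disabled" or "enabled"; the exact
        # CLI wording is not shown on this page. Anything else is UNKNOWN.
        if printf '%s\n' "$status" | grep -qi 'disabled'; then
            printf '%s\tNOT ENFORCED\n' "$region"
            rc=1
        elif printf '%s\n' "$status" | grep -qi 'enabled'; then
            printf '%s\tenforced\n' "$region"
        else
            printf '%s\tUNKNOWN\n' "$region"
            rc=1
        fi
    done
    # The CLI is left targeting the last region in the list.
    return "$rc"
}
```

Source the file and call audit_cr_iam_enforcement; a nonzero return means at least one region still needs IAM access policies prepared or could not be checked.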

Prepare for the changes

If the changes affect you, you must create IAM access policies that apply to each service ID and user ID that accesses images in your Container Registry namespaces, or accesses Container Registry settings that are associated with your account and region.

  1. Identify each service ID and user ID that accesses your Container Registry images and settings. You can use IBM Cloud Activity Tracker to help find this information.

  2. For each access that is identified in the previous step, create an IAM access policy that allows the correct access. You can also use access groups to apply policies to IDs.

  3. (Optional) If you want to upgrade the account to use IAM access policy authorization at a more convenient time, rather than on the date of the change, run the ibmcloud cr iam-policies-enable command.

    This change cannot be reversed.

    This change applies to the currently targeted region only. Remember to check all regions where you have Container Registry namespaces.

What if I did not implement the changes in time?

To recover any access that is lost, follow the steps in Prepare for the changes.