Alicloud Container Registry Terraform Module

- 5 mins read

A Terraform module to create a private Container Registry namespace and a RAM role able to pull/push from the namespace created. Alicloud Terraform Module.

NOTE: This module uses AccessKey and SecretKey from profile and shared_credentials_file. If you have not set them yet, please install aliyun-cli and configure it. - - - - - -

Architecture Diagram

terraform-alicloud-cr diagram
terraform-alicloud-cr diagram

After using this module, the following resources will be created:


provider "alicloud" {}

module "cr" {
  source    = "roura356a/cr/alicloud"
  version   = "1.3.0"
  namespace = "cr_repo_namespace"

After running terraform apply, a file called cr-{namespace}-ak.json will be generated with the AccessKey & SecretKey needed to query the GetAuthorizationToken API for cr and be able to push/pull to/from the repositories inside the namespace created.


regionThe region used to launch this module resourcesstring“”no
profileThe profile name as set in the shared credentials file. If not set, it will be sourced from the ALICLOUD_PROFILE environment variablestring“default”no
shared_credentials_fileThis is the path to the shared credentials file. If this is not set and a profile is specified, $HOME/.aliyun/config.json will be usedstring“”no
skip_region_validationSkip static validation of region ID. Used by users of alternative AlibabaCloud-like APIs or users w/ access to regions that are not public (yet)boolfalseno
namespaceName of Container Registry namespacestringyes
repositoriesList of optional repositories to be created on applylist(string)[“default”]no
repo_autocreateBoolean, when it set to true, repositories are automatically created when pushing new images. If it set to false, you create repository for images before pushingbooltrueno

You can create repositories by populating the repositories variable with a list of strings.


cr_namespaceThe CR Namespace’s ID
cr_access_keyThe CR Namespace’s Access Key
cr_userThe CR Namespace’s User
cr_endpointPublic endpoint of the registry
ram_userThe RAM User
ram_policy_nameThe RAM policy name
repository_idsList of repository IDs created
ram_console_usernameConsole login username
disposable_passwordPassword to activate the console login profile, forces to reset it
access_key_statusStatus of the created AccessKey
ram_policy_typeThe RAM policy type
ram_policy_attachmentThe RAM policy attachment ID

Docker Login

In order to activate the newly created RAM user on the Registry, only for the first time and due to a security measure by Alibaba Cloud (this may change in the future), you need to navigate to the Container Registry Console using the newly created RAM user (with the one-time password outputted on terraform apply as disposable_password) and follow the on-screen instructions to activate the account. After that, with the cr-{namespace}-ak.json file credentials, you can get, by using the aliyun-cli SDK, a temporary secure login credentials by running aliyun cr GetAuthorizationToken.

Terraform version

Terraform version 0.12.0+ is required for this module to work.


Created and maintained by Alberto Roura (@rouralberto, Feel free to contribute.



This Terrafom module uses terratest to test the IaC resources created. To test, go into the test folder, run go mod init cr, go mod tidy and then go test.


Apache 2 Licensed. See LICENSE for full details.

Share: Link copied to clipboard


Previous: Build your own serverless ECS Instance monitor
Next: Escapando De La Anglofonía: Volviendo a La Iberofonía

Where: Home > Technical > Alicloud Container Registry Terraform Module