Configure Robot Account

CCR

  • Enterprise Edition API Reference
    • Appendix
    • Common Headers and Error Code
    • Enterprise Edition Instance APIs
    • Helm Chart Management Interface
    • Image access control APIs
    • Image Access Credential APIs
    • Image API
    • Image Migration APIs
    • Image On-demand Loading APIs
    • Image Registry APIs
    • Image Synchronization APIs
    • Namespace APIs
    • Overview
    • Service domain
    • Trigger APIs
  • Enterprise Edition Go-SDK
    • Enterprise Edition Instance
    • Initialization
    • Install the SDK Package
    • Overview
  • Enterprise Edition Operation Guide
    • Access configuration
      • Configure Access credentials
      • Configure Custom Endpoint
      • Configure IAM Access Control
      • Configure IAM Tag Permission Policy
      • Configure Robot Account
      • Network Access Control
        • Configure public network access control
        • Configure virtual private cloud access control
        • Network Access Control Overview
    • Container DevOps
      • Manage Trigger
    • Create Enterprise Edition Instance
    • Distribution Management
      • Cross-Instance Synchronization of Image
      • On-Demand Loading of Container Image
      • Using P2P Acceleration in CCE Clusters
    • Event notification
      • Configure Event Notification Alert
      • Image Push Failure Error Code and Handling Methods
    • Image Build
      • Build Based on Existing Image
    • Image Cleanup
      • Clean BOS Storage Space
      • Delete image version
      • Version Retention
    • Image Migration
      • Migrate External Image to Enterprise Edition Instance
    • Image security
      • Immutable image version
      • Security Scanning Container Image
    • Manage Namespace
    • OCI Artifact Management
      • Manage Helm Chart
      • Manage Image Registry
      • OCI Artifact Management Overview
  • Function Release Records
  • Personal Edition API Reference
    • Helm API
    • Image API
    • Image Migration APIs
    • Image Version and Image Version Scanning Interface
    • Namespace APIs
    • Overview
    • User APIs
  • Personal Edition Documentation Set
    • Account Permission Management
    • Cloud Container Engine (CCE) migration to CCR
    • Container Image Service Basic Operations
    • How to Perform Image Scanning
    • How to Upload Helm Chart
    • How to use the DockerHub image accelerator
  • Product Announcement
    • CCR Enterprise Edition Pricing Announcement
    • CCR Enterprise Edition Public Beta Announcement
    • CCR Personal Edition Announcement on Closing New Entry
    • CCR Personal Edition Announcement on Disabling Image Scanning Function
  • Product introduction
    • Core concepts
    • Enterprise Edition Different Specifications Differentiation Description
    • Key functions
    • Product advantages
    • Product Introduction
  • Product pricing
    • Billing overview
  • Quick Start
    • Enterprise Edition Quick Start
    • How to Build Docker Image
  • Service Level Agreement (SLA)
    • CCR Enterprise Edition Service Level Agreement
All documents
menu
No results found, please re-enter

CCR

  • Enterprise Edition API Reference
    • Appendix
    • Common Headers and Error Code
    • Enterprise Edition Instance APIs
    • Helm Chart Management Interface
    • Image access control APIs
    • Image Access Credential APIs
    • Image API
    • Image Migration APIs
    • Image On-demand Loading APIs
    • Image Registry APIs
    • Image Synchronization APIs
    • Namespace APIs
    • Overview
    • Service domain
    • Trigger APIs
  • Enterprise Edition Go-SDK
    • Enterprise Edition Instance
    • Initialization
    • Install the SDK Package
    • Overview
  • Enterprise Edition Operation Guide
    • Access configuration
      • Configure Access credentials
      • Configure Custom Endpoint
      • Configure IAM Access Control
      • Configure IAM Tag Permission Policy
      • Configure Robot Account
      • Network Access Control
        • Configure public network access control
        • Configure virtual private cloud access control
        • Network Access Control Overview
    • Container DevOps
      • Manage Trigger
    • Create Enterprise Edition Instance
    • Distribution Management
      • Cross-Instance Synchronization of Image
      • On-Demand Loading of Container Image
      • Using P2P Acceleration in CCE Clusters
    • Event notification
      • Configure Event Notification Alert
      • Image Push Failure Error Code and Handling Methods
    • Image Build
      • Build Based on Existing Image
    • Image Cleanup
      • Clean BOS Storage Space
      • Delete image version
      • Version Retention
    • Image Migration
      • Migrate External Image to Enterprise Edition Instance
    • Image security
      • Immutable image version
      • Security Scanning Container Image
    • Manage Namespace
    • OCI Artifact Management
      • Manage Helm Chart
      • Manage Image Registry
      • OCI Artifact Management Overview
  • Function Release Records
  • Personal Edition API Reference
    • Helm API
    • Image API
    • Image Migration APIs
    • Image Version and Image Version Scanning Interface
    • Namespace APIs
    • Overview
    • User APIs
  • Personal Edition Documentation Set
    • Account Permission Management
    • Cloud Container Engine (CCE) migration to CCR
    • Container Image Service Basic Operations
    • How to Perform Image Scanning
    • How to Upload Helm Chart
    • How to use the DockerHub image accelerator
  • Product Announcement
    • CCR Enterprise Edition Pricing Announcement
    • CCR Enterprise Edition Public Beta Announcement
    • CCR Personal Edition Announcement on Closing New Entry
    • CCR Personal Edition Announcement on Disabling Image Scanning Function
  • Product introduction
    • Core concepts
    • Enterprise Edition Different Specifications Differentiation Description
    • Key functions
    • Product advantages
    • Product Introduction
  • Product pricing
    • Billing overview
  • Quick Start
    • Enterprise Edition Quick Start
    • How to Build Docker Image
  • Service Level Agreement (SLA)
    • CCR Enterprise Edition Service Level Agreement
  • Document center
  • arrow
  • CCR
  • arrow
  • Enterprise Edition Operation Guide
  • arrow
  • Access configuration
  • arrow
  • Configure Robot Account
Table of contents on this page
  • Overview
  • Note
  • Prerequisites
  • Operation steps
  • Create robot account
  • Manage robot account

Configure Robot Account

Updated at:2025-11-03

Overview

In the traditional identity-based (e.g., sub-account) permission systems, the availability of automated tasks (e.g., CI/CD image pull, pipeline deployment, etc.) heavily depends on the account status of the associated personnel. When personnel experience ‌resignation‌, ‌position transfer‌ or ‌permission change‌, sub-accounts may become invalid or permissions may be revoked, thus triggering task execution exception (e.g., image pull authentication failure and pipeline interruption), and affecting service continuity and stability.

Robot account is a dedicated credential ‌independent of human identity‌, ensuring the stability and security of automated processes. When a robot account is created in the CCR enterprise edition instance, the expiration time of access credential is optional. The access credentials of short validity periods are recommended for routine temporary pushing/pulling of images to avoid data security risks caused by credential disclosure.

Note

  • Once generated, secure the access credentials properly. If the credentials are lost, promptly disable or delete them.
  • If a robot account name contains the special character $, enclose the username in single quotes during login (e.g., -u 'ccr$test' -p testpw) to prevent login errors.
  • Robot accounts cannot verify the identities of actual users. Exercise caution when distributing files and rely on BCT for activity monitoring. For stricter accountability, use IAM primary accounts or IAM user accounts.

Prerequisites

  • Successfully Create enterprise edition instance.

Operation steps

Create robot account

  1. Sign in to Baidu AI Cloud Console and select Product Service > Container > Cloud Container Registry.
  2. Access the target instance, navigate to Instance Management, and select Robot Account.
  3. Click on the Create Robot Account button, and complete the necessary configurations in the pop-up window.
ConfigMap Configuration
Account name It must begin with a lowercase letter or number, and supports lowercase letters, numbers, and ._-, with a length limited to 1-65 characters.
Please note that the name will be automatically prefixed to mark it as a robot account. For example, if you enter test, the actual username will be: ccr$test.
Account password Automatic generation: After account creation, a key will be automatically generated and displayed only once. Please copy and retain it.
Manual input: omitted
Description Provide an account description, including support for Chinese characters.
Expiration time Choose "Never Expiring" or specify an expiration period in days, with a default set to 30 days.
Permission configuration Support selecting multiple namespaces and independently configuring permission type for each namespace; it is recommended to only select necessary namespaces in the principle of least privilege and prioritize read-only permission.
Image pushing is not supported in read-only mode.
  1. Save the username and password immediately after creation. These credentials are displayed only once and cannot be retrieved after the page is closed.

Manage robot account

  1. Access the target instance, navigate to Instance Management, and select Robot Account.
  2. You can search by name on the robot account page, and manage existing robot accounts, with the following operations supported:
  • Review the existing robot accounts.
  • Check the permission scope assigned to a specific robot account.
  • Modify the configurations of a specific robot account. Apart from the name, which cannot be changed, all other settings are adjustable.
  • Disable a specific robot account, with the option to re-enable it later. Once disabled, the account cannot perform image push or pull operations. Proceed cautiously.
  • Delete a robot account. This action is irreversible. Once deleted, the account can no longer be used for image push or pull operations. Proceed with caution.

Previous
Configure IAM Tag Permission Policy
Next
Network Access Control