To use a custom OSS bucket, you must add a RAM role to your account and grant that role permission to operate on the OSS bucket. The container registry then assumes this role to access the bucket.

Step 1: Create a RAM role

The RAM role that the container registry assumes when it accesses a custom OSS bucket is named AliyunContainerRegistryCustomizedOSSBucketRole.

  1. Log on to the RAM console.
  2. In the left-side navigation pane, click RAM Roles.
  3. Click Create RAM Role.
  4. Select Alibaba Cloud Account as the trusted entity type, and then click Next.
  5. Specify the RAM Role Name and Note parameters.
  6. Select an Alibaba Cloud account, and then click OK.
    Note: If you select Other Alibaba Cloud Account, you must enter the account ID.

Step 2: Configure the policy of the RAM role

Configure the policy for the RAM role so that it can read the container image repository information stored in the specified OSS bucket resources. The policy for the RAM role is named AliyunContainerRegistryCustomizedOSSBucketRolePolicy. Replace <your_bucket_name> with the name of your bucket; to obtain information about multiple custom OSS buckets, list each bucket as its own pair of values under Resource.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "oss:GetObject",
                "oss:PutObject",
                "oss:DeleteObject",
                "oss:ListParts",
                "oss:AbortMultipartUpload",
                "oss:InitiateMultipartUpload",
                "oss:CompleteMultipartUpload",
                "oss:DeleteMultipleObjects",
                "oss:ListMultipartUploads",
                "oss:ListObjects"
            ],
            "Resource": [
                "acs:oss:*:*:<your_bucket_name>",
                "acs:oss:*:*:<your_bucket_name>/*"
            ],
            "Condition": {}
        },
        {
            "Effect": "Allow",
            "Action": [
                "oss:PutBucket",
                "oss:GetBucket",
                "oss:DeleteBucket",
                "oss:GetBucketLocation",
                "oss:PutBucketAcl",
                "oss:GetBucketAcl",
                "oss:PutBucketLogging",
                "oss:GetBucketReferer",
                "oss:PutBucketReferer",
                "oss:GetBucketLogging",
                "oss:DeleteBucketLogging"
            ],
            "Resource": [
                "acs:oss:*:*:<your_bucket_name>",
                "acs:oss:*:*:<your_bucket_name>/*"
            ],
            "Condition": {}
        },
        {
            "Effect": "Allow",
            "Action": "oss:ListBuckets",
            "Resource": [
                "acs:oss:*:*:*",
                "acs:oss:*:*:*/*"
            ],
            "Condition": {}
        },
        {
            "Action": [
                "cms:QueryMetricLast",
                "cms:QueryMetricList"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Step 3: Configure the trust policies of the RAM role

Add the container registry service to the trust policy of the RAM role so that the container registry can assume the role and access the custom OSS buckets.

{
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "cr.aliyuncs.com"
                ]
            }
        }
    ],
    "Version": "1"
}
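The following Python helper is an added example and is not part of this page or of Alibaba Cloud's tooling. It builds the Step 2 permission policy for one or more buckets (the page notes that several bucket values may be listed under Resource) and then checks the result, together with the Step 3 trust policy, for the two mistakes that matter most: a write or delete OSS action left on a wildcard or unreplaced bucket, and a trust policy that admits a service principal other than cr.aliyuncs.com. The bucket names used are constructed.

```python
# Action lists from the Step 2 policy on this page.
OBJECT_ACTIONS = ["oss:GetObject", "oss:PutObject", "oss:DeleteObject", "oss:ListParts",
                  "oss:AbortMultipartUpload", "oss:InitiateMultipartUpload",
                  "oss:CompleteMultipartUpload", "oss:DeleteMultipleObjects",
                  "oss:ListMultipartUploads", "oss:ListObjects"]
BUCKET_ACTIONS = ["oss:PutBucket", "oss:GetBucket", "oss:DeleteBucket", "oss:GetBucketLocation",
                  "oss:PutBucketAcl", "oss:GetBucketAcl", "oss:PutBucketLogging",
                  "oss:GetBucketReferer", "oss:PutBucketReferer", "oss:GetBucketLogging",
                  "oss:DeleteBucketLogging"]
# The Step 3 trust policy from this page, as a Python dict.
TRUST_POLICY = {"Version": "1", "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                                               "Principal": {"Service": ["cr.aliyuncs.com"]}}]}

def as_list(v):
    return v if isinstance(v, list) else [v]

def build_policy(buckets):
    """Build the Step 2 permission policy with one resource pair per bucket."""
    res = [r for b in buckets for r in (f"acs:oss:*:*:{b}", f"acs:oss:*:*:{b}/*")]
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": OBJECT_ACTIONS, "Resource": res, "Condition": {}},
        {"Effect": "Allow", "Action": BUCKET_ACTIONS, "Resource": res, "Condition": {}},
        {"Effect": "Allow", "Action": "oss:ListBuckets",
         "Resource": ["acs:oss:*:*:*", "acs:oss:*:*:*/*"], "Condition": {}},
        {"Action": ["cms:QueryMetricLast", "cms:QueryMetricList"], "Resource": "*",
         "Effect": "Allow"}]}

def find_overbroad(policy):
    """(action, resource) pairs where an OSS write/delete action covers every bucket."""
    bad = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        for a in as_list(st["Action"]):
            if not a.startswith("oss:") or a[4:].startswith(("Get", "List")):
                continue  # read-only actions are bucket-wide in the page's own policy
            for r in as_list(st["Resource"]):
                bucket = r.split(":")[-1].split("/")[0]  # acs:oss:*:*:<bucket>[/*]
                if bucket in ("*", "<your_bucket_name>"):  # placeholder left in, or '*'
                    bad.append((a, r))
    return bad

def trusted_services(trust_policy):
    """Service principals allowed to assume the role; expect only cr.aliyuncs.com."""
    services = set()
    for st in trust_policy["Statement"]:
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in as_list(st["Action"]):
            services.update(as_list(st.get("Principal", {}).get("Service", [])))
    return sorted(services)
```

Run find_overbroad on the policy you are about to attach and trusted_services on the trust policy; an empty list and ["cr.aliyuncs.com"] are the expected results.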