To use a custom OSS bucket, you must create a RAM role in your account and grant that role permission to operate on the OSS buckets. The container registry then assumes this role to access the buckets.
Step 1: Create a RAM role
Create the RAM role that the container registry assumes when it accesses a custom OSS bucket. The role created in the Alibaba Cloud account is named AliyunContainerRegistryCustomizedOSSBucketRole.
Step 2: Configure the policy of the RAM role
Configure the policy of the RAM role to grant it permission to read the container image repository information from the specified OSS bucket resources. The policy attached to the RAM role is named AliyunContainerRegistryCustomizedOSSBucketRolePolicy. To access multiple custom OSS buckets, add the pair of Resource values (the bucket itself and bucket/*) for each additional bucket to the Resource array. Note that the first two statements below grant read, write and delete access to the listed buckets, so keep <your_bucket_name> limited to the buckets the registry actually uses; only oss:ListBuckets needs the account-wide wildcard.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject",
        "oss:PutObject",
        "oss:DeleteObject",
        "oss:ListParts",
        "oss:AbortMultipartUpload",
        "oss:InitiateMultipartUpload",
        "oss:CompleteMultipartUpload",
        "oss:DeleteMultipleObjects",
        "oss:ListMultipartUploads",
        "oss:ListObjects"
      ],
      "Resource": [
        "acs:oss:*:*:<your_bucket_name>",
        "acs:oss:*:*:<your_bucket_name>/*"
      ],
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:PutBucket",
        "oss:GetBucket",
        "oss:DeleteBucket",
        "oss:GetBucketLocation",
        "oss:PutBucketAcl",
        "oss:GetBucketAcl",
        "oss:PutBucketLogging",
        "oss:GetBucketReferer",
        "oss:PutBucketReferer",
        "oss:GetBucketLogging",
        "oss:DeleteBucketLogging"
      ],
      "Resource": [
        "acs:oss:*:*:<your_bucket_name>",
        "acs:oss:*:*:<your_bucket_name>/*"
      ],
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": "oss:ListBuckets",
      "Resource": [
        "acs:oss:*:*:*",
        "acs:oss:*:*:*/*"
      ],
      "Condition": {}
    },
    {
      "Action": [
        "cms:QueryMetricLast",
        "cms:QueryMetricList"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Step 3: Configure the trust policy of the RAM role
Add the container registry service (cr.aliyuncs.com) to the trust policy of the RAM role so that the container registry can assume the role and access the custom OSS buckets. Keep the registry as the only service principal in this trust policy; any other principal listed here can also assume the role and inherit its bucket permissions.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "cr.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
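The following Python script is an added example and not part of the Alibaba Cloud documentation. It generates the Step 2 permission policy for several custom buckets (expanding the bucket / bucket/* resource pair described above for each one), then runs two defender-side checks before the policy is applied: that no OSS action other than oss:ListBuckets is granted on the account-wide wildcard resource, and that the Step 3 trust policy names cr.aliyuncs.com as the only service allowed to assume the role. The action lists are copied from the policy on this page; the bucket names and the extra service principal used in the checks are constructed placeholders, and the definition of "scoped" is this example's own assumption.

```python
import json
from typing import Dict, List, Sequence

# Actions copied from the permission policy on this page, split into the
# object-level statement and the bucket-level statement.
OBJECT_ACTIONS = [
    "oss:GetObject", "oss:PutObject", "oss:DeleteObject", "oss:ListParts",
    "oss:AbortMultipartUpload", "oss:InitiateMultipartUpload",
    "oss:CompleteMultipartUpload", "oss:DeleteMultipleObjects",
    "oss:ListMultipartUploads", "oss:ListObjects",
]
BUCKET_ACTIONS = [
    "oss:PutBucket", "oss:GetBucket", "oss:DeleteBucket", "oss:GetBucketLocation",
    "oss:PutBucketAcl", "oss:GetBucketAcl", "oss:PutBucketLogging",
    "oss:GetBucketReferer", "oss:PutBucketReferer", "oss:GetBucketLogging",
    "oss:DeleteBucketLogging",
]
# Resource values that cover every bucket in the account.
WILDCARD_RESOURCES = {"acs:oss:*:*:*", "acs:oss:*:*:*/*", "*"}
REGISTRY_SERVICE = "cr.aliyuncs.com"  # service principal from the page's trust policy


def bucket_resources(buckets: Sequence[str]) -> List[str]:
    """Expand each bucket name into the bucket ARN and its object ARN."""
    out = []
    for bucket in buckets:
        out.append(f"acs:oss:*:*:{bucket}")
        out.append(f"acs:oss:*:*:{bucket}/*")
    return out


def build_permission_policy(buckets: Sequence[str]) -> Dict:
    """Build the Step 2 policy for one or more custom OSS buckets."""
    scoped = bucket_resources(buckets)
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Action": OBJECT_ACTIONS, "Resource": scoped, "Condition": {}},
            {"Effect": "Allow", "Action": BUCKET_ACTIONS, "Resource": scoped, "Condition": {}},
            {"Effect": "Allow", "Action": "oss:ListBuckets",
             "Resource": ["acs:oss:*:*:*", "acs:oss:*:*:*/*"], "Condition": {}},
            {"Action": ["cms:QueryMetricLast", "cms:QueryMetricList"],
             "Resource": "*", "Effect": "Allow"},
        ],
    }


def _as_list(value) -> List:
    """RAM allows Action/Resource/Service to be a string or a list; normalise."""
    return value if isinstance(value, list) else [value]


def find_overbroad_oss_actions(policy: Dict) -> List[str]:
    """Return OSS actions an Allow statement grants on a wildcard bucket resource.

    Only oss:ListBuckets legitimately needs the wildcard (see the third
    statement on the page); any other OSS action on a wildcard means the role
    is not confined to the intended buckets.
    """
    findings = []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        resources = _as_list(statement.get("Resource", []))
        if not any(r in WILDCARD_RESOURCES for r in resources):
            continue
        for action in _as_list(statement.get("Action", [])):
            if action.startswith("oss:") and action != "oss:ListBuckets":
                findings.append(action)
    return findings


def trusted_services(trust_policy: Dict) -> List[str]:
    """Collect every service principal allowed to call sts:AssumeRole."""
    services = []
    for statement in trust_policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(statement.get("Action", [])):
            continue
        principal = statement.get("Principal", {})
        services.extend(_as_list(principal.get("Service", [])))
    return services


def trust_policy_is_scoped(trust_policy: Dict) -> bool:
    """True only if the container registry is the sole service that may assume the role."""
    return set(trusted_services(trust_policy)) == {REGISTRY_SERVICE}


if __name__ == "__main__":
    # Constructed bucket names; replace with the buckets the registry uses.
    policy = build_permission_policy(["<your_bucket_name>"])
    print(json.dumps(policy, indent=2))
    print("overbroad OSS actions:", find_overbroad_oss_actions(policy))
```

Run the script as-is to print a policy for a single placeholder bucket; pass the real bucket names to build_permission_policy to get the multi-bucket variant, and feed the JSON you intend to attach (or a policy exported from the console) to find_overbroad_oss_actions and trust_policy_is_scoped before applying it.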