
Container Registry: Grant permissions to a RAM role that is used to access custom OSS buckets

Last Updated: Jan 23, 2024

To use a custom Object Storage Service (OSS) bucket, you must create a RAM role for your Alibaba Cloud account and grant the RAM role the permissions to manage the OSS bucket. Then, Container Registry can access the OSS bucket. This topic describes how to grant permissions to a RAM role that is used to access custom OSS buckets.

Step 1: Create a RAM role

If Container Registry needs to access a custom OSS bucket, you must create a role named AliyunContainerRegistryCustomizedOSSBucketRole for the Alibaba Cloud account.

Procedure

  1. Log on to the RAM console by using an Alibaba Cloud account or a RAM user that has administrative rights.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click Create Role.

  4. In the Create Role panel, select Alibaba Cloud Account for the Select Trusted Entity parameter and click Next.

  5. Configure parameters for the RAM role.

    1. Specify RAM Role Name.

    2. Specify Note.

    3. Select Current Alibaba Cloud Account or Other Alibaba Cloud Account.

      • Current Alibaba Cloud Account: If you want a RAM user that belongs to your Alibaba Cloud account to assume the RAM role, select Current Alibaba Cloud Account.

      • Other Alibaba Cloud Account: If you want a RAM user that belongs to a different Alibaba Cloud account to assume the RAM role, select Other Alibaba Cloud Account and enter the ID of the Alibaba Cloud account. This option is provided to grant permissions on resources that belong to different Alibaba Cloud accounts. For more information, see Use a RAM role to grant permissions across Alibaba Cloud accounts.

  6. Click OK.

  7. Click Close.

Step 2: Attach a policy to the RAM role

Attach the AliyunContainerRegistryCustomizedOSSBucketRolePolicy policy to the RAM role. This policy grants the RAM role the permissions that Container Registry needs to read and write repository data in a specific OSS bucket: object read, write, delete, and multipart upload operations, plus the bucket configuration operations listed in the second statement. The policy also covers buckets whose names start with cri-, allows oss:ListBuckets on all buckets, and grants the vpc:DescribeVpcs and cms:QueryMetric* actions that Container Registry uses alongside the bucket. To use multiple custom OSS buckets, add each bucket to the Resource parameter of the first two statements.

Replace <your_bucket_name> in the Resource arrays with the name of the OSS bucket on which you want to grant permissions. The policy document is JSON, so it must not contain comments; the document below can be pasted as is after the placeholder is replaced.

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:GetObject",
                "oss:PutObject",
                "oss:DeleteObject",
                "oss:ListParts",
                "oss:AbortMultipartUpload",
                "oss:InitiateMultipartUpload",
                "oss:CompleteMultipartUpload",
                "oss:DeleteMultipleObjects",
                "oss:ListMultipartUploads",
                "oss:ListObjects"
            ],
            "Resource": [
                "acs:oss:*:*:cri-*",
                "acs:oss:*:*:cri-*/*",
                "acs:oss:*:*:<your_bucket_name>",
                "acs:oss:*:*:<your_bucket_name>/*"
            ],
            "Effect": "Allow",
            "Condition": {}
        },
        {
            "Action": [
                "oss:PutBucket",
                "oss:GetBucket",
                "oss:GetBucketLocation",
                "oss:PutBucketEncryption",
                "oss:GetBucketEncryption",
                "oss:PutBucketAcl",
                "oss:GetBucketAcl",
                "oss:PutBucketLogging",
                "oss:GetBucketReferer",
                "oss:PutBucketReferer",
                "oss:GetBucketLogging"
            ],
            "Resource": [
                "acs:oss:*:*:cri-*",
                "acs:oss:*:*:cri-*/*",
                "acs:oss:*:*:<your_bucket_name>",
                "acs:oss:*:*:<your_bucket_name>/*"
            ],
            "Effect": "Allow",
            "Condition": {}
        },
        {
            "Effect": "Allow",
            "Action": "oss:ListBuckets",
            "Resource": [
                "acs:oss:*:*:*",
                "acs:oss:*:*:*/*"
            ],
            "Condition": {}
        },
        {
            "Action": [
                "vpc:DescribeVpcs"
            ],
            "Resource": "acs:vpc:*:*:vpc/*",
            "Effect": "Allow",
            "Condition": {}
        },
        {
            "Action": [
                "cms:QueryMetricLast",
                "cms:QueryMetricList"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Step 3: Configure a trust policy for the RAM role

Add Container Registry, identified by the service principal cr.aliyuncs.com, to the trust policy of the RAM role. This allows only the Container Registry service to assume the role, and through it to access the custom OSS bucket.

{
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "cr.aliyuncs.com"
                ]
            }
        }
    ],
    "Version": "1"
}
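The following added example (not Alibaba Cloud's code) checks the two documents from Step 2 and Step 3 before they are applied: it fills in the bucket placeholder, confirms that every OSS action is scoped to the named bucket or the cri- prefix (only oss:ListBuckets may target every bucket), and confirms that the trust policy admits nothing but the cr.aliyuncs.com service principal. The embedded policy texts are abridged copies of the page's documents, constructed for this example.

```python
import json
import re

PLACEHOLDER = "<your_bucket_name>"
ACCOUNT_WIDE_OK = {"oss:ListBuckets"}  # the only action the page grants on every bucket
# Abridged copies of the page's two documents (constructed for this example).
PERMISSION_TEMPLATE = """{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": ["oss:GetObject", "oss:PutObject", "oss:ListObjects"],
   "Resource": ["acs:oss:*:*:cri-*", "acs:oss:*:*:cri-*/*",
                "acs:oss:*:*:<your_bucket_name>", "acs:oss:*:*:<your_bucket_name>/*"]},
  {"Effect": "Allow", "Action": "oss:ListBuckets", "Resource": ["acs:oss:*:*:*", "acs:oss:*:*:*/*"]},
  {"Effect": "Allow", "Action": ["vpc:DescribeVpcs"], "Resource": "acs:vpc:*:*:vpc/*"}]}"""
TRUST_POLICY = """{"Version": "1", "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
  "Principal": {"Service": ["cr.aliyuncs.com"]}}]}"""

def render(template: str, bucket: str) -> dict:
    """Fill in the placeholder and parse the document; reject names OSS would not accept."""
    if not re.fullmatch(r"[a-z0-9][a-z0-9-]{1,61}[a-z0-9]", bucket):
        raise ValueError(f"invalid OSS bucket name: {bucket!r}")
    return json.loads(template.replace(PLACEHOLDER, bucket))

def _as_list(v):
    return v if isinstance(v, list) else [v]

def audit(permission: dict, trust: dict, bucket: str) -> list:
    """Return findings; an empty list means both documents match what the page sets up."""
    findings = []
    scoped = {f"acs:oss:*:*:{b}{s}" for b in ("cri-*", bucket) for s in ("", "/*")}
    for st in permission["Statement"]:
        oss = [a for a in _as_list(st["Action"]) if a.startswith("oss:")]
        if st.get("Effect") != "Allow" or not oss:
            continue  # Deny statements and the vpc:/cms: statements are out of scope here
        for r in _as_list(st["Resource"]):
            if PLACEHOLDER in r:
                findings.append(f"placeholder left in {r}")
            elif r in scoped or (r in ("acs:oss:*:*:*", "acs:oss:*:*:*/*") and set(oss) <= ACCOUNT_WIDE_OK):
                continue
            else:
                findings.append(f"{oss} allowed on unexpected resource {r}")
    for st in trust["Statement"]:
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(st["Action"]):
            principal = st.get("Principal", {})
            if set(principal) != {"Service"} or _as_list(principal["Service"]) != ["cr.aliyuncs.com"]:
                findings.append(f"trust policy admits unexpected principal {principal}")
    return findings

if __name__ == "__main__":
    policy = render(PERMISSION_TEMPLATE, "my-registry-bucket")
    print(audit(policy, json.loads(TRUST_POLICY), "my-registry-bucket"))  # []
```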