Before you use a custom domain name, create a RAM role for your Alibaba Cloud account and grant the RAM role permissions to access SSL certificates so that Container Registry can access them. This topic describes how to create the RAM role and grant it those permissions.

Step 1: Create a RAM role

Before you use a custom domain name to access a Container Registry instance, create a role named AliyunContainerRegistryCustomizedDomainRole for your Alibaba Cloud account.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, click RAM Roles.
  3. On the RAM Roles page, click Create RAM Role.
  4. In the Create RAM Role pane, set the Trusted Entity Type parameter to Alibaba Cloud Account, and then click Next.
  5. Set the RAM Role Name parameter to AliyunContainerRegistryCustomizedDomainRole and set the Note parameter as needed. Select Current Alibaba Cloud Account for the Select Trusted Alibaba Cloud Account parameter. Then, click OK.
    Note: If you select Other Alibaba Cloud Account, enter the ID of another Alibaba Cloud account.

Step 2: Attach a policy to the RAM role

Attach the AliyunYundunCertReadOnlyAccess policy to the RAM role. This policy grants the RAM role read permissions on SSL certificates.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, click RAM Roles.
  3. On the RAM Roles page, find the RAM role in the RAM Role Name column.
  4. In the Actions column, click Add Permissions. In the Add Permissions pane, the Principal field is automatically provided.
  5. In the Authorization Policy Name column, click AliyunYundunCertReadOnlyAccess.
    Note: In the Selected section, you can click the cross sign (×) next to a policy to remove the policy.
  6. Click OK.
  7. Click Complete.

Step 3: Configure the trust policy for the RAM role

Add Container Registry to the trust policy of the RAM role so that Container Registry can access SSL certificates.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, click RAM Roles.
  3. On the RAM Roles page, click the name of the RAM role in the RAM Role Name column.
  4. On the page that appears, click the Trust Policy Management tab.
  5. On the Trust Policy Management tab, click Edit Trust Policy.
  6. In the Edit Trust Policy panel, copy the following content to the code editor and click OK.
    {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                    "Service": [
                        "cr.aliyuncs.com"
                    ]
                }
            }
        ],
        "Version": "1"
    }
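
To confirm that the saved trust policy lets only Container Registry assume the role, the following added example (not part of the original topic or of any Alibaba Cloud tooling) audits a trust policy document offline. The function and constant names are hypothetical, and the mixed policy is a constructed sample with a placeholder account ID.

```python
import json

EXPECTED_SERVICE = "cr.aliyuncs.com"  # service principal from the Step 3 policy
ASSUME_ACTIONS = {"sts:AssumeRole", "sts:*", "*"}

def _as_list(value):
    """RAM policy fields may hold a single string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def audit_trust_policy(document):
    """Return findings for a trust policy; an empty list means it matches Step 3."""
    policy = json.loads(document)
    findings, service_trusted = [], False
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not ASSUME_ACTIONS.intersection(_as_list(stmt.get("Action"))):
            continue
        for kind, values in stmt.get("Principal", {}).items():
            for principal in _as_list(values):
                if kind == "Service" and principal == EXPECTED_SERVICE:
                    service_trusted = True
                else:
                    findings.append(f"statement {i}: unexpected {kind} principal {principal}")
    if not service_trusted:
        findings.append(f"{EXPECTED_SERVICE} is not allowed to assume the role")
    return findings

# Trust policy exactly as given in Step 3.
STEP3_POLICY = json.dumps({
    "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                   "Principal": {"Service": ["cr.aliyuncs.com"]}}],
    "Version": "1",
})

# Constructed sample: an account principal is still trusted alongside the service.
# "<account-id>" is a placeholder, not a real account ID.
MIXED_POLICY = json.dumps({
    "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                   "Principal": {"RAM": ["acs:ram::<account-id>:root"],
                                 "Service": ["cr.aliyuncs.com"]}}],
    "Version": "1",
})

if __name__ == "__main__":
    for name, doc in (("step 3", STEP3_POLICY), ("mixed", MIXED_POLICY)):
        print(name, audit_trust_policy(doc) or "OK")
```

Paste the JSON shown on the Trust Policy Management tab into `audit_trust_policy` after saving; any finding means a principal other than Container Registry can assume the role, or that Container Registry cannot.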