Before you use a custom domain name, create a RAM role for your Alibaba Cloud account, and grant the RAM role permissions to access SSL certificates. This enables Container Registry to access SSL certificates. This topic describes how to grant permissions to a RAM role before you use a custom domain name.

Step 1: Create a RAM role

Before you use a custom domain name to access a Container Registry instance, create a role named AliyunContainerRegistryCustomizedDomainRole for your Alibaba Cloud account.

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. In the left-side navigation pane, click RAM Roles.
  3. On the RAM Roles page, click Create RAM Role.
  4. In the Create RAM Role pane, select Alibaba Cloud Account for the Trusted Entity Type parameter, and then click Next.
  5. Specify RAM Role Name as AliyunContainerRegistryCustomizedDomainRole and add a note based on your needs. In the Select Trusted Alibaba Cloud Account field, select Current Alibaba Cloud Account. Then, click OK.
    Note If you select Other Alibaba Cloud Account, enter the ID of an Alibaba Cloud account.

Step 2: Configure a RAM policy for the RAM role

Configure a RAM policy for the RAM role. In this case, you can grant the RAM role read permissions on SSL certificates.

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. In the left-side navigation pane, click RAM Roles.
  3. On the RAM Roles page, find the RAM role in the RAM Role Name column.
  4. In the Actions column, click Add Permissions. In the Add Permissions pane, the Principal field is automatically provided.
  5. In the Authorization Policy Name column, click AliyunYundunCertReadOnlyAccess.
    Note In the Selected section, you can click the cross sign (×) next to a policy to remove the policy.
  6. Click OK.
  7. Click Complete.

Step 3: Configure the trust policy for the RAM role

Add Container Registry to the trust policy of the RAM role. This enables Container Registry to access SSL certificates.

  1. Log on to the RAM console with an Alibaba Cloud account.
  2. In the left-side navigation pane, click RAM Roles.
  3. On the RAM Roles page, click the name of the RAM role in the RAM Role Name column.
  4. On the page that appears, click the Trust Policy Management tab.
  5. On the Trust Policy Management tab, click Edit Trust Policy.
  6. In the Edit Trust Policy pane, add the following content to the trust policy and click OK.
    {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                    "Service": [
                        "cr.aliyuncs.com"
                    ]
                }
            }
        ],
        "Version": "1"
    }