Before you use a custom domain name, create a RAM role for your Alibaba Cloud account and grant the RAM role permissions to access Secure Sockets Layer (SSL) certificates, so that Container Registry can access the SSL certificates. This topic describes how to grant permissions to a RAM role before you use a custom domain name.

Step 1: Create a RAM role

Before you use a custom domain name to access a Container Registry instance, create a role named AliyunContainerRegistryCustomizedDomainRole for your Alibaba Cloud account.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, click RAM Roles.
  3. On the RAM Roles page, click Create RAM Role.
  4. In the Create RAM Role panel, select Alibaba Cloud Account for the Trusted entity type parameter and click Next.
  5. Set the RAM Role Name parameter to AliyunContainerRegistryCustomizedDomainRole and set the Note parameter as needed. Select Current Alibaba Cloud Account for the Select Trusted Alibaba Cloud Account parameter. Then, click OK.
    Note: If you select Other Alibaba Cloud Account, enter the ID of another Alibaba Cloud account.

Step 2: Attach a policy to the RAM role

Attach the AliyunYundunCertReadOnlyAccess policy to the RAM role. This policy grants the RAM role read permissions on SSL certificates.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, click RAM Roles.
  3. On the RAM Roles page, find AliyunContainerRegistryCustomizedDomainRole and click Add Permissions in the Actions column.
  4. In the Add Permissions pane, click System Policy and click AliyunYundunCertReadOnlyAccess in the Authorization Policy Name column.
    Note: In the Selected section, you can click the cross sign (×) next to a policy to remove the policy.
  5. Click OK.
  6. Click Complete.

Step 3: Configure the trust policy for the RAM role

Add Container Registry to the trust policy of the RAM role so that Container Registry can access SSL certificates.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, click RAM Roles.
  3. On the RAM Roles page, click AliyunContainerRegistryCustomizedDomainRole in the RAM Role Name column.
  4. On the details page of the RAM role, click the Trust Policy Management tab.
  5. On the Trust Policy Management tab, click Edit Trust Policy.
  6. In the Edit Trust Policy panel, copy the following content to the code editor and click OK.
    {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                    "Service": [
                        "cr.aliyuncs.com"
                    ]
                }
            }
        ],
        "Version": "1"
    }
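
Step 1 creates the role with the Alibaba Cloud account as the trusted entity, and Step 3 sets the trust policy to the Container Registry service only. The following check is an added example, not part of the original topic or of any Alibaba Cloud tooling: it audits a trust policy document (pasted from the Trust Policy Management tab) and reports any principal other than cr.aliyuncs.com. The function name and the second sample policy, with its placeholder account ID, are constructed for illustration.

```python
import json

EXPECTED_SERVICE = "cr.aliyuncs.com"  # service principal from the Step 3 policy

def _as_list(value):
    """Policy fields may hold one string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_trust_policy(document):
    """Return a list of findings; an empty list means the policy matches Step 3."""
    policy = json.loads(document)
    findings, trusted = [], False
    if policy.get("Version") != "1":
        findings.append("unexpected Version: %r" % policy.get("Version"))
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen who may assume the role
        if _as_list(stmt.get("Action")) != ["sts:AssumeRole"]:
            findings.append("statement %d: unexpected Action %r" % (idx, stmt.get("Action")))
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            findings.append("statement %d: malformed Principal %r" % (idx, principal))
            continue
        for kind, values in principal.items():
            for name in _as_list(values):
                if kind == "Service" and name == EXPECTED_SERVICE:
                    trusted = True
                else:
                    findings.append("statement %d: extra %s principal %s" % (idx, kind, name))
    if not trusted:
        findings.append("%s is not trusted to assume the role" % EXPECTED_SERVICE)
    return findings

# Trust policy exactly as given in Step 3 of this topic.
PAGE_POLICY = '''{"Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
  "Principal": {"Service": ["cr.aliyuncs.com"]}}], "Version": "1"}'''

# Constructed sample: account trust from Step 1 left in place (placeholder account ID).
LEFTOVER_POLICY = '''{"Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
  "Principal": {"RAM": ["acs:ram::<account-id>:root"],
                "Service": ["cr.aliyuncs.com"]}}], "Version": "1"}'''

if __name__ == "__main__":
    for label, doc in (("page", PAGE_POLICY), ("leftover", LEFTOVER_POLICY)):
        print(label, audit_trust_policy(doc) or "OK")
```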