This topic describes how to configure RAM access control when using a custom OSS bucket with Container Registry.
Background
- Default OSS bucket: When you use the default OSS bucket provided by Container Registry, you only need to authorize Container Registry to access cloud resources. Container Registry then creates an OSS bucket and initializes the instance.
- Custom OSS bucket: When you use a custom OSS bucket, you must create a RAM role in your Alibaba Cloud account and grant the role the permissions it needs on that bucket. Container Registry assumes this role to read and write the bucket, so the role's trust policy must allow the Container Registry service to assume it, and the role's permission policy should be scoped to the bucket rather than to all OSS resources in the account.
Step 1: Create a RAM role
To allow Container Registry to access a custom OSS bucket, create a RAM role named AliyunContainerRegistryCustomizedOSSBucketRole in your Alibaba Cloud account. Selecting Container Registry as the trusted cloud service in the steps below writes a trust policy under which only the Container Registry service can assume the role; no RAM user or other service can.
- Log on to the RAM console as a RAM administrator.
- In the left-side navigation pane, choose .
- On the Roles page, click Create Role.
- On the Create Role page, select Cloud Service as the Principal Type. Then, select Container Registry and click Confirm.
- In the Role Name field, enter AliyunContainerRegistryCustomizedOSSBucketRole and then click Confirm.
Step 2: Configure the access policy
Create a custom policy named AliyunContainerRegistryCustomizedOSSBucketRolePolicy with the document below and attach it to the RAM role. Replace <YOUR_BUCKET_NAME> with the name of your bucket in all four places it appears; the placeholder is not valid JSON-policy content to leave behind, and a bucket name containing "<" or ">" can never match a real bucket. The first two statements are scoped to the bucket ARN and the object ARN (<bucket>/*) of each listed bucket: the cri-* entries cover the buckets that Container Registry creates by default, and the <YOUR_BUCKET_NAME> entries cover your custom bucket. If Container Registry must access several custom buckets, add a bucket entry and an object entry for each bucket in both Resource sections. The remaining statements are read operations that are not bucket-scoped (listing bucket names, describing VPCs, and querying CloudMonitor metrics). The policy deliberately grants no oss:DeleteBucket permission.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:GetObject",
        "oss:PutObject",
        "oss:DeleteObject",
        "oss:ListParts",
        "oss:AbortMultipartUpload",
        "oss:InitiateMultipartUpload",
        "oss:CompleteMultipartUpload",
        "oss:DeleteMultipleObjects",
        "oss:ListMultipartUploads",
        "oss:ListObjects",
        "oss:DeleteObjectVersion",
        "oss:GetObjectVersion",
        "oss:ListObjectVersions",
        "oss:PutObjectTagging",
        "oss:GetObjectTagging",
        "oss:DeleteObjectTagging"
      ],
      "Resource": [
        "acs:oss:*:*:cri-*",
        "acs:oss:*:*:cri-*/*",
        "acs:oss:*:*:<YOUR_BUCKET_NAME>",
        "acs:oss:*:*:<YOUR_BUCKET_NAME>/*"
      ],
      "Effect": "Allow",
      "Condition": {
      }
    },
    {
      "Action": [
        "oss:PutBucket",
        "oss:GetBucket",
        "oss:GetBucketLocation",
        "oss:PutBucketEncryption",
        "oss:GetBucketEncryption",
        "oss:PutBucketAcl",
        "oss:GetBucketAcl",
        "oss:PutBucketLogging",
        "oss:GetBucketReferer",
        "oss:PutBucketReferer",
        "oss:GetBucketLogging",
        "oss:PutBucketVersioning",
        "oss:GetBucketVersioning",
        "oss:GetBucketLifecycle",
        "oss:PutBucketLifecycle",
        "oss:DeleteBucketLifecycle",
        "oss:GetBucketTransferAcceleration"
      ],
      "Resource": [
        "acs:oss:*:*:cri-*",
        "acs:oss:*:*:cri-*/*",
        "acs:oss:*:*:<YOUR_BUCKET_NAME>",
        "acs:oss:*:*:<YOUR_BUCKET_NAME>/*"
      ],
      "Effect": "Allow",
      "Condition": {
      }
    },
    {
      "Effect": "Allow",
      "Action": "oss:ListBuckets",
      "Resource": [
        "acs:oss:*:*:*",
        "acs:oss:*:*:*/*"
      ],
      "Condition": {
      }
    },
    {
      "Action": [
        "vpc:DescribeVpcs"
      ],
      "Resource": "acs:vpc:*:*:vpc/*",
      "Effect": "Allow",
      "Condition": {
      }
    },
    {
      "Action": [
        "cms:QueryMetricLast",
        "cms:QueryMetricList"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
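The two documents that Step 1 and Step 2 produce, as an added Python example that is not part of this topic or of Container Registry itself: it builds the role's trust policy and the permission policy above for one or more custom buckets, refuses a bucket name that still contains the <YOUR_BUCKET_NAME> placeholder or is not a valid OSS bucket name, and includes a small allow-only matcher so you can check what the policy does and does not grant before attaching it. The service principal cr.aliyuncs.com, the bucket-name rule, and the sample bucket name are assumptions made for the example, not taken from this topic.

```python
import json
import re
from fnmatch import fnmatchcase

ROLE_NAME = "AliyunContainerRegistryCustomizedOSSBucketRole"
POLICY_NAME = "AliyunContainerRegistryCustomizedOSSBucketRolePolicy"

# Assumption: the service principal the RAM console writes into the trust
# policy when "Container Registry" is chosen as the trusted cloud service.
# Compare it with the role the console created before relying on it.
CR_SERVICE_PRINCIPAL = "cr.aliyuncs.com"

# Action lists copied from the policy document in Step 2.
OBJECT_ACTIONS = [
    "oss:GetObject", "oss:PutObject", "oss:DeleteObject", "oss:ListParts",
    "oss:AbortMultipartUpload", "oss:InitiateMultipartUpload",
    "oss:CompleteMultipartUpload", "oss:DeleteMultipleObjects",
    "oss:ListMultipartUploads", "oss:ListObjects", "oss:DeleteObjectVersion",
    "oss:GetObjectVersion", "oss:ListObjectVersions", "oss:PutObjectTagging",
    "oss:GetObjectTagging", "oss:DeleteObjectTagging",
]
BUCKET_ACTIONS = [
    "oss:PutBucket", "oss:GetBucket", "oss:GetBucketLocation",
    "oss:PutBucketEncryption", "oss:GetBucketEncryption", "oss:PutBucketAcl",
    "oss:GetBucketAcl", "oss:PutBucketLogging", "oss:GetBucketReferer",
    "oss:PutBucketReferer", "oss:GetBucketLogging", "oss:PutBucketVersioning",
    "oss:GetBucketVersioning", "oss:GetBucketLifecycle",
    "oss:PutBucketLifecycle", "oss:DeleteBucketLifecycle",
    "oss:GetBucketTransferAcceleration",
]

# Assumed OSS bucket-name rule: 3-63 characters, lowercase letters, digits
# and hyphens, with no leading or trailing hyphen.
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$")


def validate_bucket_name(name):
    """Reject an unreplaced <YOUR_BUCKET_NAME> placeholder or an invalid name."""
    if "<" in name or ">" in name:
        raise ValueError(f"placeholder left in bucket name: {name!r}")
    if not _BUCKET_RE.match(name):
        raise ValueError(f"not a valid OSS bucket name: {name!r}")
    return name


def oss_resources(buckets):
    """Bucket and object ARNs for the default cri-* buckets plus each custom bucket."""
    resources = ["acs:oss:*:*:cri-*", "acs:oss:*:*:cri-*/*"]
    for bucket in buckets:
        bucket = validate_bucket_name(bucket)
        resources += [f"acs:oss:*:*:{bucket}", f"acs:oss:*:*:{bucket}/*"]
    return resources


def build_permission_policy(buckets):
    """The Step 2 policy with one bucket entry and one object entry per custom bucket."""
    scoped = oss_resources(buckets)
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": OBJECT_ACTIONS, "Resource": scoped},
        {"Effect": "Allow", "Action": BUCKET_ACTIONS, "Resource": scoped},
        {"Effect": "Allow", "Action": "oss:ListBuckets",
         "Resource": ["acs:oss:*:*:*", "acs:oss:*:*:*/*"]},
        {"Effect": "Allow", "Action": ["vpc:DescribeVpcs"],
         "Resource": "acs:vpc:*:*:vpc/*"},
        {"Effect": "Allow", "Action": ["cms:QueryMetricLast", "cms:QueryMetricList"],
         "Resource": "*"},
    ]}


def build_trust_policy():
    """Trust policy that lets only the Container Registry service assume the role."""
    return {"Version": "1", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"Service": [CR_SERVICE_PRINCIPAL]},
    }]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Allow-only evaluation of one policy; RAM's * wildcard is matched with fnmatch.

    This ignores Deny statements and any other policies attached to the role,
    so it only answers what this document by itself grants.
    """
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        if (any(fnmatchcase(action, a) for a in _as_list(statement["Action"]))
                and any(fnmatchcase(resource, r) for r in _as_list(statement["Resource"]))):
            return True
    return False


def policy_documents(buckets):
    """JSON documents to paste into the RAM console: role trust policy and custom policy."""
    return {
        ROLE_NAME: json.dumps(build_trust_policy(), indent=2),
        POLICY_NAME: json.dumps(build_permission_policy(buckets), indent=2),
    }


if __name__ == "__main__":
    # Sample bucket name constructed for the example.
    for name, doc in policy_documents(["my-registry-storage"]).items():
        print(f"# {name}\n{doc}\n")
```

Running the script prints both JSON documents; the first goes on the role as its trust policy (the console writes an equivalent one when you pick Container Registry as the trusted service), the second becomes the custom policy attached to the role. The matcher is useful for a quick review of scope: object and bucket operations succeed only on the cri-* buckets and the buckets you listed, oss:DeleteBucket is never granted, and only oss:ListBuckets, vpc:DescribeVpcs and the two cms queries are account-wide.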