To use a custom domain name with a Container Registry instance, you must grant Container Registry access to your SSL certificates. Container Registry reads the certificates by assuming a RAM role. To enable this, you create the role, attach a read-only certificate policy to it, and configure a trust policy that authorizes only the Container Registry service to assume the role on your behalf. The result is a role that is restricted on both sides: the permission policy grants nothing beyond reading certificates, and the trust policy names no principal other than Container Registry.
Prerequisites
Before you begin, make sure that you have:
- A Container Registry instance
- An SSL certificate in Certificate Management Service
- A RAM user with administrative permissions on RAM
Step 1: Create a RAM role
Create a role named AliyunContainerRegistryCustomizedDomainRole in your Alibaba Cloud account. Container Registry assumes this role to access SSL certificates.
- Log on to the RAM console as a RAM user with administrative permissions.
- In the left-side navigation pane, choose Identities > Roles.
- On the Roles page, click Create Role.
- On the Create Role page, set Principal Type to Cloud Account, specify the trusted account, and click OK.
  - Current Account: Select this option if a RAM user or RAM role in your own Alibaba Cloud account will assume the role.
  - Other Account: Select this option to grant access to a RAM user or RAM role in a different Alibaba Cloud account. Enter the ID of that account; an Alibaba Cloud account ID is shown on the account's Security Settings page. For details, see Use a RAM role to grant permissions across Alibaba Cloud accounts.
- Set RAM Role Name to AliyunContainerRegistryCustomizedDomainRole. For Select Trusted Alibaba Cloud Account, select Current Account; if you selected Other Account in the previous step, enter the ID of that Alibaba Cloud account instead. Add any notes as needed, then click OK.
Step 2: Attach a policy to the RAM role
Attach the AliyunYundunCertReadOnlyAccess policy to the role. This policy grants read-only access to SSL certificates.
- Log on to the RAM console as a RAM user with administrative permissions.
- In the left-side navigation pane, choose Identities > Roles.
- On the Roles page, find AliyunContainerRegistryCustomizedDomainRole and click Grant Permission in the Actions column.
- In the Grant Permission panel, set Resource Scope to Account. In the Policy search box, enter AliyunYundunCertReadOnlyAccess and select the policy from the results. To remove a policy from your selection, click the × next to the policy name in the Selected section on the right.
- Click Grant permissions.
- Click Close.
Step 3: Configure a trust policy for the RAM role
Update the trust policy to authorize cr.aliyuncs.com, the Container Registry service principal, to assume the role. This is what allows Container Registry to read SSL certificates on your behalf. Note that the policy below replaces the trust policy that the console generated in Step 1: after this step, the account you selected there no longer appears in the trust policy, and only the Container Registry service can assume the role. That is the intended least-privilege state; do not add RAM users or other accounts back into this role's trust policy.
- Log on to the RAM console as a RAM user with administrative permissions.
- In the left-side navigation pane, choose Identities > Roles.
- On the Roles page, click AliyunContainerRegistryCustomizedDomainRole in the Role Name column.
- On the Trust Policy tab, click Edit Trust Policy.
- Replace the existing content with the following policy and click OK. The "Service": ["cr.aliyuncs.com"] field identifies Container Registry as the trusted principal that can assume this role; the single Action, sts:AssumeRole, is the only operation the trust policy allows.

    {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "cr.aliyuncs.com"
            ]
          }
        }
      ],
      "Version": "1"
    }
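After finishing the three steps it is worth confirming, outside the console, that the role's trust policy is exactly the one above and that nothing else can assume the role. The following script is an added example and is not part of the Alibaba Cloud documentation or the Container Registry product. It reads the JSON that `aliyun ram GetRole --RoleName AliyunContainerRegistryCustomizedDomainRole` prints (the shape assumed here, a JSON string in Role.AssumeRolePolicyDocument, is an assumption about the CLI output), extracts the trust policy, and reports every deviation from the documented policy: a wildcard principal, a RAM user or account principal left over from Step 1, an action other than sts:AssumeRole, or a missing Allow for cr.aliyuncs.com. The two sample responses embedded in the script are constructed, not captured from a real account.

```python
"""Verify that a RAM role's trust policy lets only cr.aliyuncs.com assume it.

Added example, not Alibaba Cloud's own code. Usage:
    aliyun ram GetRole --RoleName AliyunContainerRegistryCustomizedDomainRole | python check_trust_policy.py
Run without piped input, it checks a constructed sample instead.
"""
import json
import sys

EXPECTED_SERVICE = "cr.aliyuncs.com"   # Container Registry service principal
EXPECTED_ACTION = "sts:AssumeRole"

# The trust policy from Step 3 of the documentation, as a Python dict.
EXPECTED_TRUST_POLICY = {
    "Statement": [
        {
            "Action": EXPECTED_ACTION,
            "Effect": "Allow",
            "Principal": {"Service": [EXPECTED_SERVICE]},
        }
    ],
    "Version": "1",
}


def _as_list(value):
    """RAM policies accept a bare string wherever a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy):
    """Return a list of findings. An empty list means the policy allows
    cr.aliyuncs.com, and nothing else, to call sts:AssumeRole on the role."""
    findings = []
    if policy.get("Version") != "1":
        findings.append(f"Version is {policy.get('Version')!r}, expected '1'")
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return findings + ["policy has no Statement array"]

    service_allowed = False
    for i, stmt in enumerate(statements):
        where = f"Statement[{i}]"
        if stmt.get("Effect") != "Allow":
            # A Deny cannot broaden access, but it is not in the documented policy.
            findings.append(f"{where}: Effect is {stmt.get('Effect')!r}; documented policy uses Allow only")
            continue
        for action in _as_list(stmt.get("Action")):
            if action != EXPECTED_ACTION:
                findings.append(f"{where}: unexpected Action {action!r}")
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            findings.append(f"{where}: Principal is missing or not an object")
            continue
        for kind, entries in principal.items():
            for entry in _as_list(entries):
                if kind == "Service" and entry == EXPECTED_SERVICE:
                    service_allowed = True
                elif "*" in str(entry):
                    findings.append(f"{where}: wildcard principal {entry!r}; any {kind} could assume the role")
                else:
                    findings.append(f"{where}: extra {kind} principal {entry!r}; not in the documented policy")
    if not service_allowed:
        findings.append(f"no Allow statement lets {EXPECTED_SERVICE} assume the role")
    return findings


def trust_policy_from_get_role(response_text):
    """Extract the trust policy from a GetRole response (assumed shape: the
    policy document is a JSON string under Role.AssumeRolePolicyDocument)."""
    document = json.loads(response_text)["Role"]["AssumeRolePolicyDocument"]
    return json.loads(document) if isinstance(document, str) else document


# Constructed sample: the role exactly as the documentation leaves it.
SAMPLE_GET_ROLE_OK = json.dumps({"Role": {
    "RoleName": "AliyunContainerRegistryCustomizedDomainRole",
    "AssumeRolePolicyDocument": json.dumps(EXPECTED_TRUST_POLICY),
}})

# Constructed sample: the Step 1 account principal was merged in rather than
# replaced, so a RAM identity in that account could also assume the role.
# The account ID is a placeholder.
SAMPLE_GET_ROLE_BROAD = json.dumps({"Role": {
    "RoleName": "AliyunContainerRegistryCustomizedDomainRole",
    "AssumeRolePolicyDocument": json.dumps({
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": ["cr.aliyuncs.com"],
                          "RAM": ["acs:ram::000000000000000:root"]},
        }],
        "Version": "1",
    }),
}})


def main():
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GET_ROLE_BROAD
    findings = check_trust_policy(trust_policy_from_get_role(text))
    for finding in findings:
        print("FINDING:", finding)
    print("trust policy OK" if not findings else f"{len(findings)} finding(s)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

The check is deliberately strict about principals rather than only about wildcards: any principal other than the cr.aliyuncs.com service entry is reported, because the role carries AliyunYundunCertReadOnlyAccess and every extra principal is an extra identity that can read your certificates. Run it again whenever the trust policy is edited, and treat a non-zero exit status as a reason to re-apply the Step 3 policy verbatim.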
What's next
After completing these steps, configure your custom domain name in the Container Registry console. The instance uses the RAM role you configured to access your SSL certificate automatically.