To use a custom Object Storage Service (OSS) bucket, you must create a RAM role for your account and grant the RAM role the permissions to manage the OSS bucket. Then, Container Registry can access the OSS bucket.

Step 1: Create a RAM role

If Container Registry needs to access a custom OSS bucket, you must create a role named AliyunContainerRegistryCustomizedOSSBucketRole for the Alibaba Cloud account.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, click RAM Roles.
  3. On the RAM Roles page, click Create RAM Role.
  4. In the Create RAM Role pane, set the Trusted Entity Type parameter to Alibaba Cloud Account, and then click Next.
  5. Set the RAM Role Name parameter to AliyunContainerRegistryCustomizedOSSBucketRole and, optionally, enter a Note.
  6. Select Current Alibaba Cloud Account in the Select Trusted Alibaba Cloud Account field and click OK.
    Note If you select Other Alibaba Cloud Account, you must enter the ID of the Alibaba Cloud account.

Step 2: Attach a policy to the RAM role

Attach the AliyunContainerRegistryCustomizedOSSBucketRolePolicy policy to the RAM role. The policy lets the role read, write, and delete objects in, and manage the settings of, the Container Registry buckets (names prefixed with cri-) and the custom OSS bucket that you name in the Resource parameter; it also lets the role list all OSS buckets in the account, describe VPCs, and query CloudMonitor metrics. Replace <your_bucket_name> with the name of your bucket. To use multiple custom OSS buckets, add a pair of Resource entries (bucket and bucket/*) for each bucket. Grant only the buckets that Container Registry must use: every bucket matched by the Resource patterns becomes writable and deletable by the role.

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:GetObject",
                "oss:PutObject",
                "oss:DeleteObject",
                "oss:ListParts",
                "oss:AbortMultipartUpload",
                "oss:InitiateMultipartUpload",
                "oss:CompleteMultipartUpload",
                "oss:DeleteMultipleObjects",
                "oss:ListMultipartUploads",
                "oss:ListObjects"
            ],
            "Resource": [
                "acs:oss:*:*:cri-*",
                "acs:oss:*:*:cri-*/*",
                "acs:oss:*:*:<your_bucket_name>",
                "acs:oss:*:*:<your_bucket_name>/*"
            ],
            "Effect": "Allow",
            "Condition": {

            }
        },
        {
            "Action": [
                "oss:PutBucket",
                "oss:GetBucket",
                "oss:GetBucketLocation",
                "oss:PutBucketEncryption",
                "oss:GetBucketEncryption",
                "oss:PutBucketAcl",
                "oss:GetBucketAcl",
                "oss:PutBucketLogging",
                "oss:GetBucketReferer",
                "oss:PutBucketReferer",
                "oss:GetBucketLogging"
            ],
            "Resource": [
                "acs:oss:*:*:cri-*",
                "acs:oss:*:*:cri-*/*",
                "acs:oss:*:*:<your_bucket_name>",
                "acs:oss:*:*:<your_bucket_name>/*"
            ],
            "Effect": "Allow",
            "Condition": {

            }
        },
        {
            "Effect": "Allow",
            "Action": "oss:ListBuckets",
            "Resource": [
                "acs:oss:*:*:*",
                "acs:oss:*:*:*/*"
            ],
            "Condition": {

            }
        },
        {
            "Action": [
                "vpc:DescribeVpcs"
            ],
            "Resource": "acs:vpc:*:*:vpc/*",
            "Effect": "Allow",
            "Condition": {

            }
        },
        {
            "Action": [
                "cms:QueryMetricLast",
                "cms:QueryMetricList"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Step 3: Configure the trust policy for the RAM role

Add Container Registry to the trust policy of the RAM role so that the Container Registry service can assume the role and access the custom OSS bucket. The trust policy is what limits who can assume the role: keep the Principal limited to the cr.aliyuncs.com service and do not add RAM users or a wildcard principal, because anyone who can assume this role gets the full bucket permissions granted in Step 2.

{
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "Service": "cr.aliyuncs.com"
            }
        }
    ],
    "Version": "1"
}
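The three steps above produce two policy documents whose effect is easy to get wrong (a placeholder left unreplaced, a comment pasted into the JSON, a Resource pattern that matches more buckets than intended). The following Python script is an added example, not code from Alibaba Cloud or the RAM console: it renders the Step 2 policy for one or more custom bucket names, renders the Step 3 trust policy, and simulates RAM's Allow/Deny evaluation (with `*` as the only wildcard, and empty Condition blocks ignored) so you can check which actions the role will be permitted on a given bucket ARN before attaching the policy. The bucket name `my-images` and the account ID `123456789012` are constructed sample values.

```python
"""Render the Step 2 policy and Step 3 trust policy for a given bucket and
simulate what the role may do.  Added example, not Alibaba Cloud's code.

The evaluator implements the subset of RAM semantics this page relies on:
a request is allowed if some Allow statement matches both the action and
the resource (with '*' as a wildcard) and no Deny statement matches.
Condition blocks are ignored because the page's policy leaves them empty.
"""
import json
import re

# Actions copied from the Step 2 policy.
OBJECT_ACTIONS = [
    "oss:GetObject", "oss:PutObject", "oss:DeleteObject", "oss:ListParts",
    "oss:AbortMultipartUpload", "oss:InitiateMultipartUpload",
    "oss:CompleteMultipartUpload", "oss:DeleteMultipleObjects",
    "oss:ListMultipartUploads", "oss:ListObjects",
]
BUCKET_ACTIONS = [
    "oss:PutBucket", "oss:GetBucket", "oss:GetBucketLocation",
    "oss:PutBucketEncryption", "oss:GetBucketEncryption", "oss:PutBucketAcl",
    "oss:GetBucketAcl", "oss:PutBucketLogging", "oss:GetBucketReferer",
    "oss:PutBucketReferer", "oss:GetBucketLogging",
]


def bucket_resources(*buckets):
    """Resource ARNs for the cri-* buckets plus each custom bucket (bucket and bucket/*)."""
    resources = []
    for name in ("cri-*", *buckets):
        resources += [f"acs:oss:*:*:{name}", f"acs:oss:*:*:{name}/*"]
    return resources


def render_policy(*buckets):
    """The Step 2 policy as a dict; json.dumps() of it is valid policy text."""
    res = bucket_resources(*buckets)
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": OBJECT_ACTIONS, "Resource": res},
        {"Effect": "Allow", "Action": BUCKET_ACTIONS, "Resource": res},
        {"Effect": "Allow", "Action": "oss:ListBuckets",
         "Resource": ["acs:oss:*:*:*", "acs:oss:*:*:*/*"]},
        {"Effect": "Allow", "Action": ["vpc:DescribeVpcs"], "Resource": "acs:vpc:*:*:vpc/*"},
        {"Effect": "Allow", "Action": ["cms:QueryMetricLast", "cms:QueryMetricList"], "Resource": "*"},
    ]}


# The Step 3 trust policy: only the Container Registry service may assume the role.
TRUST_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"Service": "cr.aliyuncs.com"}},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    """'*' matches any run of characters; every other character must match exactly."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def is_allowed(policy, action, resource):
    """Simulate one request: an explicit Deny wins, otherwise any matching
    Allow grants it, otherwise the request is implicitly denied."""
    allowed = False
    for st in policy["Statement"]:
        if not any(_glob(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def trusted_services(trust_policy):
    """Service principals allowed to assume the role; for this role the
    expected answer is exactly {'cr.aliyuncs.com'}."""
    services = set()
    for st in trust_policy["Statement"]:
        if st["Effect"] == "Allow" and "sts:AssumeRole" in _as_list(st["Action"]):
            services.update(_as_list(st.get("Principal", {}).get("Service", [])))
    return services


def validate_policy_text(text):
    """True if the text parses as JSON.  Policy text with '#' comments pasted
    into it is not valid JSON and fails this check."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


if __name__ == "__main__":
    # "my-images" and the account ID 123456789012 are constructed sample values.
    policy = render_policy("my-images")
    for action, arn in [
        ("oss:GetObject", "acs:oss:cn-hangzhou:123456789012:my-images/layers/blob"),
        ("oss:GetObject", "acs:oss:cn-hangzhou:123456789012:other-bucket/blob"),
        ("oss:DeleteBucket", "acs:oss:cn-hangzhou:123456789012:my-images"),
    ]:
        print(f"{action:18} {arn:60} -> {is_allowed(policy, action, arn)}")
    print("trusted by:", trusted_services(TRUST_POLICY))
```

Run it as-is to see that the role can read `my-images` but not `other-bucket`, and cannot delete the bucket because `oss:DeleteBucket` is not in the policy. `trusted_services` is the check to run on the trust policy after any later edit: if it returns anything other than `{'cr.aliyuncs.com'}`, the role is assumable by more than the Container Registry service.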