
Serverless App Engine:Pull Alibaba Cloud images across accounts

Last Updated:Apr 28, 2024

Serverless App Engine (SAE) allows you to pull Alibaba Cloud images across accounts by assuming a Resource Access Management (RAM) role. For example, User A can assume a RAM role that has the required permissions to pull the private images of User B. This topic describes how to pull Alibaba Cloud images across accounts.

Step 1: Create a RAM role

Use the Alibaba Cloud account of User B to create a RAM role. Set the role type of the RAM role to Alibaba Cloud Account and specify the Alibaba Cloud account of User A as a trusted Alibaba Cloud account.

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click Create Role.

  4. On the Create Role page, select Alibaba Cloud Account in the Select Role Type section and click Next.

  5. In the Configure Role step, configure the RAM Role Name and Note parameters, select Other Alibaba Cloud Account, enter the Alibaba Cloud account ID of User A, and then click OK.

    Note

    If you want a specific RAM user instead of all RAM users that belong to your Alibaba Cloud account to assume the RAM role, you can use one of the following methods:

  6. Click Close.

Step 2: Grant permissions to the RAM role

Configure a permission policy for the RAM role that you created in Step 1 to pull the private images of User B. In this example, image-related permissions are added to an existing policy. For information about how to create a policy, see Create custom policies.

  1. Log on to the RAM console with an Alibaba Cloud account.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, find the policy that you want to manage and click its name.

  4. On the Policy Document tab, click Modify Policy Document.

  5. On the Visual editor or JSON tab, modify the document of the policy and click Next to edit policy information.

    Important

    Make sure that the RAM role has the permissions that are related to Container Registry.

    The following script shows the required permissions:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "cr:GetAuthorizationToken",
                    "cr:ListInstanceEndpoint",
                    "cr:PullRepository",
                    "cr:GetRepository",
                    "cr:ListRepositoryTag"
                ],
                "Resource": "*"
            }
        ]
    }

  6. Change the value of Note and click OK.

  7. In the left-side navigation pane, choose Identities > Roles.

  8. On the Roles page, find the RAM role to which you want to grant permissions and click Grant Permission in the Actions column.

    You can also select multiple RAM roles and click Grant Permission below the RAM role list to grant permissions to multiple RAM roles at a time.

  9. In the Grant Permission panel, grant permissions to the RAM role based on your business requirements, click OK, and then click Complete.

Step 3: Configure the trust policy of the RAM role

Configure the trust policy of the RAM role that you created for User B to allow the SAE service account of User A to assume the RAM role.

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click the name of the RAM role that you created.

  4. On the Trust Policy tab, click Edit Trust Policy. Change the RAM field in the Principal element to the Service field and click Save trust policy document.

    Sample code:

    Before the change:

    {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                    "RAM": [
                        "acs:ram::123456789012****:root"
                    ]
                }
            }
        ],
        "Version": "1"
    }

    The preceding policy indicates that the RAM role can be assumed by all RAM users and RAM roles of the Alibaba Cloud account whose ID is 123456789012****.

    After the change:

    {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "123456789012****@sae.aliyuncs.com"
            ]
          }
        }
      ],
      "Version": "1"
    }

    The preceding policy indicates that the RAM role can be assumed by the SAE service account whose ID is 123456789012****@sae.aliyuncs.com. The service account belongs to the Alibaba Cloud account whose ID is 123456789012****.

    Note

    In this example, a service specified by the Service field is used to pull images across accounts.
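As an added check (example code, not part of this topic or of Alibaba Cloud's tooling), the following Python script lints the two documents edited in Step 2 and Step 3: it reports any required cr: action missing from the permission policy and flags a trust policy that still uses the broad RAM principal instead of the SAE service account of the expected account. The account ID is a constructed placeholder.

```python
import re

# Added example (not Alibaba Cloud code). The account ID is a constructed placeholder.
USER_A = "1000000000000001"

# The Container Registry actions listed under Step 2.
REQUIRED_CR_ACTIONS = {"cr:GetAuthorizationToken", "cr:ListInstanceEndpoint",
                       "cr:PullRepository", "cr:GetRepository", "cr:ListRepositoryTag"}
SAE_SERVICE_RE = re.compile(r"^(\d+)@sae\.aliyuncs\.com$")


def _as_list(value):
    """RAM policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def missing_cr_actions(policy):
    """Return the required cr: actions that no Allow statement grants."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            granted.update(_as_list(stmt.get("Action", [])))
    return set() if "cr:*" in granted else REQUIRED_CR_ACTIONS - granted


def trust_policy_findings(policy, expected_account):
    """Flag any AssumeRole grant broader than expected_account's SAE service account."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        # "Before" form from Step 3: every RAM user and role of the account qualifies.
        for ram in _as_list(principal.get("RAM", [])):
            findings.append(f"RAM principal {ram}: whole account may assume the role")
        for svc in _as_list(principal.get("Service", [])):
            m = SAE_SERVICE_RE.match(svc)
            if m is None:
                findings.append(f"Service principal {svc} is not an SAE service account")
            elif m.group(1) != expected_account:
                findings.append(f"SAE service account of {m.group(1)}, expected {expected_account}")
    return findings


# Constructed copies of the "before" and "after" trust policies from Step 3.
BEFORE = {"Version": "1", "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
          "Principal": {"RAM": [f"acs:ram::{USER_A}:root"]}}]}
AFTER = {"Version": "1", "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
         "Principal": {"Service": [f"{USER_A}@sae.aliyuncs.com"]}}]}
```

Run the two checks against the policy documents you export from the RAM console before saving them; an empty result from both functions means the role grants only what this topic requires.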

Step 4: Deploy an SAE application

Log on to the RAM console and copy the ARN of the RAM role on the Basic Information page. When you create or deploy an application, use an image that is pulled from another Alibaba Cloud account and configure the acrAssumeRoleArn parameter. In the Configure Image section, click the Private images of Other Alibaba Cloud Account tab. In the acrAssumeRoleArn field, enter the ARN of the RAM role that you created. For more information, see the following topics: