
Container Registry: Attach a policy to a RAM role to access custom OSS buckets

Last Updated: Jun 04, 2024

To allow Container Registry to access custom Object Storage Service (OSS) buckets, you must create a RAM role for the Alibaba Cloud account to which the Container Registry instance belongs and attach a permission policy to the RAM role. The policy grants the RAM role the permissions to operate on the OSS buckets.

Step 1: Create a RAM role

If you want Container Registry to access custom OSS buckets, you must create a role named AliyunContainerRegistryCustomizedOSSBucketRole for the Alibaba Cloud account to which your Container Registry instance belongs.

Procedure

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click Create Role.

  4. On the Create Role page, select Alibaba Cloud Account in the Select Role Type section and click Next.

  5. Configure parameters for the RAM role.

    1. Specify RAM Role Name.

    2. Specify Note.

    3. Select Current Alibaba Cloud Account or Other Alibaba Cloud Account in the Select Trusted Alibaba Cloud Account section.

      • Current Alibaba Cloud Account: If you want a RAM user that belongs to your Alibaba Cloud account to assume the RAM role, select Current Alibaba Cloud Account.

      • Other Alibaba Cloud Account: If you want a RAM user that belongs to a different Alibaba Cloud account to assume the RAM role, select Other Alibaba Cloud Account and enter the ID of the Alibaba Cloud account. This option is provided to grant permissions on resources that belong to different Alibaba Cloud accounts. For more information, see Use a RAM role to grant permissions across Alibaba Cloud accounts.

        You can view the ID of your Alibaba Cloud account on the Security Settings page.

      Important

      If you want a specific RAM user instead of all RAM users that belong to your Alibaba Cloud account to assume the RAM role, you can use one of the following methods:

  6. Click OK.

  7. Click Close.

Step 2: Attach a policy to the RAM role

Attach the AliyunContainerRegistryCustomizedOSSBucketRolePolicy policy to the RAM role. This policy grants the RAM role the permissions to read information about Container Registry repositories from OSS buckets. In the Resource arrays, replace <YOUR_BUCKET_NAME> with the name of the bucket that you want to access. To read repository information from multiple custom OSS buckets, specify multiple OSS buckets for the Resource parameter: add a bucket entry and a matching bucket/* entry for each additional bucket.

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:GetObject",
                "oss:PutObject",
                "oss:DeleteObject",
                "oss:ListParts",
                "oss:AbortMultipartUpload",
                "oss:InitiateMultipartUpload",
                "oss:CompleteMultipartUpload",
                "oss:DeleteMultipleObjects",
                "oss:ListMultipartUploads",
                "oss:ListObjects",
                "oss:DeleteObjectVersion",
                "oss:GetObjectVersion",
                "oss:ListObjectVersions",
                "oss:PutObjectTagging",
                "oss:GetObjectTagging",
                "oss:DeleteObjectTagging"
            ],
            "Resource": [
                "acs:oss:*:*:cri-*",
                "acs:oss:*:*:cri-*/*",
                "acs:oss:*:*:<YOUR_BUCKET_NAME>",
                "acs:oss:*:*:<YOUR_BUCKET_NAME>/*"
            ],
            "Effect": "Allow",
            "Condition": {

            }
        },
        {
            "Action": [
                "oss:PutBucket",
                "oss:GetBucket",
                "oss:GetBucketLocation",
                "oss:PutBucketEncryption",
                "oss:GetBucketEncryption",
                "oss:PutBucketAcl",
                "oss:GetBucketAcl",
                "oss:PutBucketLogging",
                "oss:GetBucketReferer",
                "oss:PutBucketReferer",
                "oss:GetBucketLogging",
                "oss:PutBucketVersioning",
                "oss:GetBucketVersioning",
                "oss:GetBucketLifecycle",
                "oss:PutBucketLifecycle",
                "oss:DeleteBucketLifecycle",
                "oss:GetBucketTransferAcceleration"
            ],
            "Resource": [
                "acs:oss:*:*:cri-*",
                "acs:oss:*:*:cri-*/*",
                "acs:oss:*:*:<YOUR_BUCKET_NAME>",
                "acs:oss:*:*:<YOUR_BUCKET_NAME>/*"
            ],
            "Effect": "Allow",
            "Condition": {

            }
        },
        {
            "Effect": "Allow",
            "Action": "oss:ListBuckets",
            "Resource": [
                "acs:oss:*:*:*",
                "acs:oss:*:*:*/*"
            ],
            "Condition": {

            }
        },
        {
            "Action": [
                "vpc:DescribeVpcs"
            ],
            "Resource": "acs:vpc:*:*:vpc/*",
            "Effect": "Allow",
            "Condition": {

            }
        },
        {
            "Action": [
                "cms:QueryMetricLast",
                "cms:QueryMetricList"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Step 3: Attach a trust policy to the RAM role

Add Container Registry to the trust policy of the RAM role. This way, Container Registry can access the custom OSS buckets.

{
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "cr.aliyuncs.com"
                ]
            }
        }
    ],
    "Version": "1"
}
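The following added example (not code from the page or from Alibaba Cloud) shows how a practitioner can render the Step 2 Resource list for several custom buckets, check a permission policy for OSS grants that are wider than the page intends (only oss:ListBuckets is scoped to every bucket), and verify that the Step 3 trust policy lets exactly cr.aliyuncs.com assume the role. The action subset, bucket names and helper names are assumptions made for the example.

```python
# Constructed for this example: a subset of the object actions from the Step 2 policy.
OBJECT_ACTIONS = ["oss:GetObject", "oss:PutObject", "oss:DeleteObject", "oss:ListObjects"]
# Fixed entries the page's policy always carries (Container Registry's own cri-* buckets).
CRI_RESOURCES = ["acs:oss:*:*:cri-*", "acs:oss:*:*:cri-*/*"]
# Only ListBuckets is legitimately scoped to every bucket in the page's policy.
ACCOUNT_WIDE_ACTIONS = {"oss:ListBuckets"}
CR_SERVICE = "cr.aliyuncs.com"


def oss_resources(buckets):
    """Expand <YOUR_BUCKET_NAME>: one bucket entry and one bucket/* entry per custom bucket."""
    resources = list(CRI_RESOURCES)
    for name in buckets:
        # A literal bucket name only; a wildcard or path here would widen the grant.
        if not name or "*" in name or "/" in name:
            raise ValueError(f"bucket name must be a literal name, got {name!r}")
        resources += [f"acs:oss:*:*:{name}", f"acs:oss:*:*:{name}/*"]
    return resources


def build_object_statement(buckets, actions=OBJECT_ACTIONS):
    """Render the object-level Allow statement for the given custom buckets."""
    return {"Effect": "Allow", "Action": list(actions), "Resource": oss_resources(buckets)}


def as_list(value):
    return value if isinstance(value, list) else [value]


def overly_broad_actions(policy):
    """Return actions an Allow statement grants on every OSS bucket (acs:oss:*:*:*),
    ignoring the account-wide actions the page itself scopes that way."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(r in ("acs:oss:*:*:*", "acs:oss:*:*:*/*") for r in as_list(stmt["Resource"])):
            findings += [a for a in as_list(stmt["Action"]) if a not in ACCOUNT_WIDE_ACTIONS]
    return findings


def trust_policy_ok(trust):
    """True only if every statement lets exactly cr.aliyuncs.com call sts:AssumeRole."""
    statements = trust.get("Statement", [])
    for stmt in statements:
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or as_list(stmt.get("Action")) != ["sts:AssumeRole"]:
            return False
        if set(principal) != {"Service"} or as_list(principal["Service"]) != [CR_SERVICE]:
            return False
    return bool(statements)
```

Run `overly_broad_actions` against the policy before attaching it: any action it returns is granted on every bucket in the account rather than on the cri-* and custom buckets the page scopes it to.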