If you want to use a custom domain name of a Container Registry instance to access and manage SSL certificates, you can add a RAM role to the Alibaba Cloud account that owns the Container Registry instance and grant the RAM role the permissions to perform operations on SSL certificates. This way, Container Registry can access SSL certificates securely. This topic describes how to grant permissions to a RAM role before you use a custom domain name to manage SSL certificates.
Step 1: Create a RAM role
Before you use a custom domain name of a Container Registry instance to access SSL certificates, you must create a role named AliyunContainerRegistryCustomizedDomainRole in the Alibaba Cloud account that owns the Container Registry instance.
Log on to the RAM console as a RAM user who has administrative rights.
In the left-side navigation pane, choose .
On the Roles page, click Create Role.
On the Create Role page, select Alibaba Cloud Account in the Select Role Type section and click Next.
Set the RAM Role Name parameter to AliyunContainerRegistryCustomizedDomainRole and set the Note parameter as needed. Select Current Alibaba Cloud Account for the Select Trusted Alibaba Cloud Account parameter. Then, click OK.
Note: If you select Other Alibaba Cloud Account, enter the ID of another Alibaba Cloud account.
Step 2: Attach a policy to the RAM role
You must attach the AliyunYundunCertReadOnlyAccess policy to the RAM role. This policy grants the RAM role the read permissions on SSL certificates.
Log on to the RAM console as a RAM user who has administrative rights.
In the left-side navigation pane, choose .
On the Roles page, click Grant Permission in the Actions column that corresponds to the AliyunContainerRegistryCustomizedDomainRole role.
In the Grant Permission panel, set Resource Scope to Account. Then enter AliyunYundunCertReadOnlyAccess in the Policy search box, and select AliyunYundunCertReadOnlyAccess from the results.
Note: In the Selected section on the right, you can click the cross (×) to the right of a policy to remove the policy.
Click Grant permissions.
Click Close.
Step 3: Configure a trust policy for the RAM role
Add Container Registry to the trust policy of the RAM role. This grants Container Registry access to SSL certificates.
Log on to the RAM console as a RAM user who has administrative rights.
In the left-side navigation pane, choose .
On the Roles page, click AliyunContainerRegistryCustomizedDomainRole in the Role Name column.
On the Trust Policy tab, click Edit Trust Policy.
In the Edit Trust Policy panel, copy the following content to the code editor and click OK.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "cr.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
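Added example (not part of the original page and not Alibaba Cloud code): a Python check you can run against a trust policy document copied from the Trust Policy tab to confirm that it trusts only cr.aliyuncs.com for sts:AssumeRole, as Step 3 specifies. The function name audit_trust_policy, the sample ACCOUNT_POLICY and its placeholder account ID are assumptions made for illustration.

```python
import json

EXPECTED_SERVICE = "cr.aliyuncs.com"  # service principal from the Step 3 trust policy
EXPECTED_ACTION = "sts:AssumeRole"

def _as_list(value):
    """Policy fields may hold one value or a list of values."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]

def audit_trust_policy(policy_json):
    """Return findings for a trust policy; an empty list means it matches Step 3."""
    policy = json.loads(policy_json)
    findings, cr_trusted = [], False
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements extend trust
        for action in _as_list(stmt.get("Action")):
            if action != EXPECTED_ACTION:
                findings.append(f"statement {i}: unexpected action {action}")
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            findings.append(f"statement {i}: wildcard or malformed principal {principal!r}")
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                if kind == "Service" and value == EXPECTED_SERVICE:
                    cr_trusted = True
                else:
                    findings.append(f"statement {i}: unexpected principal {kind}={value}")
    if not cr_trusted:
        findings.append(f"{EXPECTED_SERVICE} is not trusted, so Container Registry cannot assume the role")
    return findings

# Trust policy exactly as given in Step 3 of this page.
PAGE_POLICY = '''{"Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
  "Principal": {"Service": ["cr.aliyuncs.com"]}}], "Version": "1"}'''

# Constructed sample (assumed shape, placeholder account ID): a policy that trusts
# an Alibaba Cloud account instead of the Container Registry service.
ACCOUNT_POLICY = '''{"Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
  "Principal": {"RAM": ["acs:ram::<ACCOUNT_ID_PLACEHOLDER>:root"]}}], "Version": "1"}'''

if __name__ == "__main__":
    for name, doc in (("page policy", PAGE_POLICY), ("account policy", ACCOUNT_POLICY)):
        print(name, "->", audit_trust_policy(doc) or "OK")
```

An empty result means the document matches the policy in Step 3; any finding names the statement index and the principal or action that goes beyond it.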