Container Registry: Grant permissions to a RAM role before you use a custom domain name of a Container Registry instance to manage SSL certificates

Last Updated: Jan 23, 2024

If you want to use a custom domain name of a Container Registry instance to access and manage SSL certificates, you can add a RAM role to the Alibaba Cloud account of the Container Registry instance and grant the RAM role the permissions to perform operations on SSL certificates. This way, Container Registry can access SSL certificates securely. This topic describes how to grant permissions to a RAM role before you use a custom domain name to manage SSL certificates.

Step 1: Create a RAM role

Before you use a custom domain name of a Container Registry instance to access SSL certificates, you must create a role named AliyunContainerRegistryCustomizedDomainRole in the Alibaba Cloud account of the Container Registry instance.

  1. Log on to the RAM console by using an Alibaba Cloud account or a RAM user that has administrative rights.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click Create Role.

  4. In the Create Role panel, select Alibaba Cloud Account for the Select Trusted Entity parameter and click Next.

  5. Set the RAM Role Name parameter to AliyunContainerRegistryCustomizedDomainRole and set the Note parameter as needed. Select Current Alibaba Cloud Account for the Select Trusted Alibaba Cloud Account parameter. Then, click OK.

    Note

    If you select Other Alibaba Cloud Account, enter the ID of another Alibaba Cloud account.

Step 2: Attach a policy to the RAM role

You must attach the AliyunYundunCertReadOnlyAccess policy to the RAM role. This policy grants the RAM role read permissions on SSL certificates.

  1. Log on to the RAM console by using an Alibaba Cloud account or a RAM user that has administrative rights.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the management page of RAM roles, enter AliyunContainerRegistryCustomizedDomainRole in the search box to search for the RAM role. Click Add Permissions in the Actions column corresponding to AliyunContainerRegistryCustomizedDomainRole.

  4. In the Add Permissions panel, select System Policy as the policy type. Click AliyunYundunCertReadOnlyAccess in the Authorization Policy Name column.

    Note

    In the Selected section on the right, you can click the cross (×) to the right of a policy to remove the policy.

  5. Click OK.

  6. Click Complete.

Step 3: Configure a trust policy for the RAM role

Add Container Registry to the trust policy of the RAM role. This grants Container Registry access to SSL certificates.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. On the Roles page, click AliyunContainerRegistryCustomizedDomainRole in the Role Name column.

  4. Click the Trust Policy Management tab. On this tab, click Edit Trust Policy.
  5. In the Edit Trust Policy panel, copy the following content to the code editor and click OK.

    {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                    "Service": [
                        "cr.aliyuncs.com"
                    ]
                }
            }
        ],
        "Version": "1"
    }
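
An added example, not part of the Alibaba Cloud documentation: a Python check that compares a role's trust policy with the one in Step 3 and reports any trusted principal other than cr.aliyuncs.com. The function names, the finding strings and the second sample policy (with a placeholder account ID) are constructed for illustration.

```python
import json

EXPECTED_SERVICE = "cr.aliyuncs.com"  # service principal from the Step 3 policy

# The trust policy from Step 3 of this page.
PAGE_POLICY = """{"Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
  "Principal": {"Service": ["cr.aliyuncs.com"]}}], "Version": "1"}"""

# Constructed sample: an account principal kept alongside the service principal.
# ACCOUNT_ID_PLACEHOLDER is a placeholder, not a real account ID.
MERGED_POLICY = """{"Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
  "Principal": {"RAM": ["acs:ram::ACCOUNT_ID_PLACEHOLDER:root"],
                "Service": ["cr.aliyuncs.com"]}}], "Version": "1"}"""


def _as_list(value):
    """Policy fields may hold one string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(document):
    """Return findings where a trust policy differs from the Step 3 policy."""
    policy = json.loads(document)
    findings = []
    if policy.get("Version") != "1":
        findings.append(f"unexpected Version: {policy.get('Version')!r}")
    trusts_registry = False
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements let a principal assume the role
        actions = _as_list(stmt.get("Action"))
        if actions != ["sts:AssumeRole"]:
            findings.append(f"statement {index}: unexpected Action {actions}")
        for kind, names in stmt.get("Principal", {}).items():
            for name in _as_list(names):
                if kind == "Service" and name == EXPECTED_SERVICE:
                    trusts_registry = True
                else:
                    findings.append(f"statement {index}: extra principal {kind}={name}")
    if not trusts_registry:
        findings.append(f"{EXPECTED_SERVICE} is not trusted by this role")
    return findings


if __name__ == "__main__":
    for label, doc in (("page policy", PAGE_POLICY), ("merged policy", MERGED_POLICY)):
        print(label, "->", audit_trust_policy(doc) or "matches Step 3")
```

Run it against the policy text shown on the Trust Policy Management tab after Step 3 to confirm that the role trusts only Container Registry.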