Configuring RAM access control when using a custom OSS bucket on Alibaba Cloud

Views: 58   Published: 2023-10-17 17:05:25.0

When a user needs to use a custom OSS bucket, a RAM role must be added to the account and granted permission to operate on that OSS bucket; only then can Container Registry access the bucket.

Step 1: Create the RAM role

For Container Registry to access a custom OSS bucket, the role created under the Alibaba Cloud account must be named AliyunContainerRegistryCustomizedOSSBucketRole.

  1. Log on to the RAM console with your Alibaba Cloud account.
  2. In the left navigation pane, click RAM Roles.
  3. Click Create RAM Role.
  4. Select Alibaba Cloud Account as the trusted entity type, then click Next.
  5. Enter the role name and a description.
  6. Select Current Alibaba Cloud Account, then click OK.

    Note: If you select Other Alibaba Cloud Account, you must enter that account's ID.

Step 2: Configure the RAM role's permission policy

Configure the policy of this RAM role so that it has permission to read container image repository information from the specified OSS bucket. The permission policy is named AliyunContainerRegistryCustomizedOSSBucketRolePolicy. To access several custom OSS buckets, add each bucket as an additional value under Resource.

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:GetObject",
        "oss:PutObject",
        "oss:DeleteObject",
        "oss:ListParts",
        "oss:AbortMultipartUpload",
        "oss:InitiateMultipartUpload",
        "oss:CompleteMultipartUpload",
        "oss:DeleteMultipleObjects",
        "oss:ListMultipartUploads",
        "oss:ListObjects"
      ],
      "Resource": [
        "acs:oss:*:*:<your_bucket_name>",
        "acs:oss:*:*:<your_bucket_name>/*"
      ],
      "Effect": "Allow",
      "Condition": {}
    },
    {
      "Action": [
        "oss:PutBucket",
        "oss:GetBucket",
        "oss:GetBucketLocation",
        "oss:PutBucketEncryption",
        "oss:GetBucketEncryption",
        "oss:PutBucketAcl",
        "oss:GetBucketAcl",
        "oss:PutBucketLogging",
        "oss:GetBucketReferer",
        "oss:PutBucketReferer",
        "oss:GetBucketLogging"
      ],
      "Resource": [
        "acs:oss:*:*:<your_bucket_name>",
        "acs:oss:*:*:<your_bucket_name>/*"
      ],
      "Effect": "Allow",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": "oss:ListBuckets",
      "Resource": [
        "acs:oss:*:*:*",
        "acs:oss:*:*:*/*"
      ],
      "Condition": {}
    },
    {
      "Action": [
        "vpc:DescribeVpcs"
      ],
      "Resource": "acs:vpc:*:*:vpc/*",
      "Effect": "Allow",
      "Condition": {}
    },
    {
      "Action": [
        "cms:QueryMetricLast",
        "cms:QueryMetricList"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

Step 3: Configure the RAM role's trust policy

Add Container Registry to the trust policy of this RAM role so that the service can assume the role and access the user's custom OSS bucket.

{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "cr.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
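An added check, not part of the original page or of Alibaba Cloud's own tooling, that lints the two policies above: it flags OSS grants whose Resource is not scoped to the intended bucket (step 2) and trust-policy principals other than the cr.aliyuncs.com service (step 3). The function names and the sample policies are assumptions constructed here; the page's own policy documents can be passed in the same way after replacing <your_bucket_name>.

```python
import re

# Bucket-level or object-level OSS ARN: acs:oss:*:*:<bucket> or acs:oss:*:*:<bucket>/*
BUCKET_ARN = re.compile(r"^acs:oss:\*:\*:([^/]+)(/\*)?$")

def as_list(value):
    # Action, Resource and principal values may be a single string or a list.
    return value if isinstance(value, list) else [value]

def unscoped_oss_grants(policy, bucket, exempt=("oss:ListBuckets",)):
    """Return (action, resource) pairs that allow OSS actions on resources
    other than `bucket`. oss:ListBuckets needs a wildcard and is exempt."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a for a in as_list(stmt["Action"])
                   if a == "*" or a.startswith("oss:")]
        for resource in as_list(stmt["Resource"]):
            m = BUCKET_ARN.match(resource)
            if m and m.group(1) == bucket:
                continue  # scoped to the intended bucket
            findings.extend((a, resource) for a in actions if a not in exempt)
    return findings

def foreign_trust_principals(trust_policy, expected=("cr.aliyuncs.com",)):
    """Return principals other than the expected service(s) allowed to AssumeRole."""
    foreign = []
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(stmt["Action"]):
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):  # a bare "*" would trust everyone
            foreign.append(("*", str(principal)))
            continue
        for kind, names in principal.items():
            foreign.extend((kind, n) for n in as_list(names)
                           if kind != "Service" or n not in expected)
    return foreign

# Constructed samples: a bucket-scoped statement like the page's, a careless one,
# and a trust policy that also admits a RAM account (placeholder account ID).
GOOD = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:GetObject", "oss:PutObject"],
     "Resource": ["acs:oss:*:*:my-registry-bucket", "acs:oss:*:*:my-registry-bucket/*"]},
    {"Effect": "Allow", "Action": "oss:ListBuckets", "Resource": "acs:oss:*:*:*"}]}
BAD = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "oss:GetObject", "Resource": "acs:oss:*:*:*/*"}]}
TRUST = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": ["cr.aliyuncs.com"], "RAM": ["acs:ram::<account_id>:root"]}}]}
```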