Before you call the API operations of Alibaba Cloud Content Delivery Network (CDN) as a Resource Access Management (RAM) user, you must use your Alibaba Cloud account to grant the required permissions to that RAM user. You can use Alibaba Cloud Resource Names (ARNs) to specify the authorized resources. This topic describes the CDN resource types and API operations that you can authorize. If you do not need to authorize RAM users, skip this topic.

You can use your Alibaba Cloud account or a RAM user to manage your CDN resources by using the CDN console or by calling API operations. Specific permissions are required when:
  • Your RAM user has no permissions to manage the CDN resources that belong to your Alibaba Cloud account.
  • You want to manage the CDN resources that must be authorized by the resource owners.

When an account calls CDN API operations to request access to CDN resources that belong to your Alibaba Cloud account, Alibaba Cloud CDN instructs RAM to perform a permission check to ensure that the required permissions have been granted to the account that sends the request. The required permissions vary depending on the requested CDN resources and API operations. For more information about how to grant permissions, see the RAM documentation and the API Reference.

For more information about how to use RAM users to manage Alibaba Cloud CDN, see Create a RAM user for CDN.

For more information about how to use RAM to create custom policies for Alibaba Cloud CDN, see Use RAM to manage Alibaba Cloud CDN permissions.

Available CDN resource types

The following table describes the CDN resource types that can be authorized in RAM.

| Resource type | Resource description in an authorization policy | Description |
| --- | --- | --- |
| service | `acs:cdn:*:$accountid:*` | Authorizes RAM users to manage the CDN service, for example, to change configurations and query account information. |
| domain | `acs:cdn:*:$accountid:domain/$domainName` | Authorizes RAM users to manage your domain names, for example, to add, configure, and query domain names. |

$domainName specifies the domain name or wildcard domain name, such as *.aliyun.com, on which the permissions are granted.

An asterisk (*) at the end of the resource description indicates that all domain names are authorized:

acs:cdn:*:$accountid:domain/*

Available CDN API operations

The following table describes the API operations of Alibaba Cloud CDN that can be authorized.

| API | Resource description |
| --- | --- |
| OpenCdnService | `acs:cdn:*:$accountid:*` |
| DescribeCdnService | `acs:cdn:*:$accountid:*` |
| ModifyCdnService | `acs:cdn:*:$accountid:*` |
| DescribeUserDomains | `acs:cdn:*:$accountid:domain/*` |
| DescribeCdnDomainDetail | `acs:cdn:*:$accountid:domain/$domainName` |
| AddCdnDomain | `acs:cdn:*:$accountid:domain/*` |
| | `acs:cdn:*:$accountid:domain/$domainName` |
| StartCdnDomain | `acs:cdn:*:$accountid:domain/$domainName` |
| StopCdnDomain | `acs:cdn:*:$accountid:domain/$domainName` |
| DeleteCdnDomain | `acs:cdn:*:$accountid:domain/$domainName` |
| RefreshObjectCaches | `acs:cdn:*:$accountid:domain/$domainName` |
| PushObjectCache | `acs:cdn:*:$accountid:domain/$domainName` |
| DescribeRefreshTasks | `acs:cdn:*:$accountid:domain/*` |
| DescribeRefreshQuota | `acs:cdn:*:$accountid:domain/*` |
| ForbidLiveStream | `acs:cdn:*:$accountid:domain/$domainName` |
| DescribeDomainBpsData | `acs:cdn:*:$accountid:domain/*` |
| | `acs:cdn:*:$accountid:domain/$domainName` |
| DescribeDomainSrcBpsData | `acs:cdn:*:$accountid:domain/*` |
| | `acs:cdn:*:$accountid:domain/$domainName` |
| DescribeDomainHitRateData | `acs:cdn:*:$accountid:domain/*` |
| | `acs:cdn:*:$accountid:domain/$domainName` |
| DescribeDomainQpsData | `acs:cdn:*:$accountid:domain/*` |
| | `acs:cdn:*:$accountid:domain/$domainName` |
| DescribeDomainHttpCodeData | `acs:cdn:*:$accountid:domain/*` |
| | `acs:cdn:*:$accountid:domain/$domainName` |
| DescribeDomainsUsageByDay | `acs:cdn:*:$accountid:domain/*` |
| | `acs:cdn:*:$accountid:domain/$domainName` |
| DescribeTopDomainsByFlow | `acs:cdn:*:$accountid:domain/*` |
| DescribeDomainPvData | `acs:cdn:*:$accountid:domain/*` |
| | `acs:cdn:*:$accountid:domain/$domainName` |
| DescribeDomainUvData | `acs:cdn:*:$accountid:domain/*` |
| | `acs:cdn:*:$accountid:domain/$domainName` |
| DescribeDomainRegionData | `acs:cdn:*:$accountid:domain/*` |
| | `acs:cdn:*:$accountid:domain/$domainName` |
| DescribeDomainISPData | `acs:cdn:*:$accountid:domain/*` |
| | `acs:cdn:*:$accountid:domain/$domainName` |
| DescribeDomainTopUrlVisit | `acs:cdn:*:$accountid:domain/*` |
| | `acs:cdn:*:$accountid:domain/$domainName` |
| DescribeDomainFileSizeProportionData | `acs:cdn:*:$accountid:domain/*` |
| | `acs:cdn:*:$accountid:domain/$domainName` |
| DescribeCdnDomainLogs | `acs:cdn:*:$accountid:domain/*` |
| | `acs:cdn:*:$accountid:domain/$domainName` |
| DescribeIpInfo | `acs:cdn:*:$accountid:domain/*` |
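
A way to check a custom policy against the table above before you attach it to a RAM user, as an added example that is not part of the original documentation. It shows that a policy scoped to one domain does not cover operations that the table lists with domain/*. Assumptions: the RAM policy layout (Version, Statement, Effect, Action, Resource), the cdn: action prefix, simplified glob matching of the asterisk, and the constructed account ID and domain names.

```python
from fnmatch import fnmatchcase

# Resource forms from the table on this page (subset of the listed operations).
SERVICE, ALL_DOMAINS, ONE_DOMAIN = "*", "domain/*", "domain/{domain}"
REQUIRED = {
    "DescribeCdnService": [SERVICE],
    "DescribeRefreshQuota": [ALL_DOMAINS],
    "RefreshObjectCaches": [ONE_DOMAIN],
    "DeleteCdnDomain": [ONE_DOMAIN],
    "DescribeDomainBpsData": [ALL_DOMAINS, ONE_DOMAIN],
}

def required_arn(api, account_id, domain=None):
    """Resource the permission check needs for one call, per the table."""
    forms = REQUIRED[api]
    # Assumption: a two-form operation needs domain/$domainName when a domain is named.
    form = ONE_DOMAIN if domain and ONE_DOMAIN in forms else forms[0]
    if form == ONE_DOMAIN and not domain:
        raise ValueError(f"{api} requires a domain name")
    return f"acs:cdn:*:{account_id}:" + form.format(domain=domain)

def is_allowed(policy, api, arn):
    """True if an Allow statement covers cdn:<api> on arn and no Deny does."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action and Resource may each be a string or a list; '*' is a glob.
        acts, ress = ([v] if isinstance(v, str) else v
                      for v in (stmt["Action"], stmt["Resource"]))
        hit = (any(fnmatchcase(f"cdn:{api}", a) for a in acts)
               and any(fnmatchcase(arn, r) for r in ress))
        if hit and stmt["Effect"] == "Deny":
            return False  # an explicit Deny overrides any Allow
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed

def uncovered(policy, account_id, calls):
    """Return the (api, domain) calls that the policy does not authorize."""
    return [(api, dom) for api, dom in calls
            if not is_allowed(policy, api, required_arn(api, account_id, dom))]

# Constructed sample: a policy intended to let an operator refresh one domain.
ACCOUNT = "1234567890123456"  # placeholder account ID
POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["cdn:RefreshObjectCaches", "cdn:DescribeRefreshQuota"],
     "Resource": f"acs:cdn:*:{ACCOUNT}:domain/example.com"},
    {"Effect": "Deny", "Action": "cdn:DeleteCdnDomain", "Resource": f"acs:cdn:*:{ACCOUNT}:*"},
]}
CALLS = [("RefreshObjectCaches", "example.com"), ("RefreshObjectCaches", "other.example.net"),
         ("DescribeRefreshQuota", None), ("DeleteCdnDomain", "example.com")]
print(uncovered(POLICY, ACCOUNT, CALLS))
```

In the sample, DescribeRefreshQuota is reported as uncovered because the statement names only domain/example.com, while the table lists that operation with domain/*.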