RAM authorization - New API Reference| Alibaba Cloud Documentation Center

Before you call the Alibaba Cloud Content Delivery Network (CDN) API as a Resource Access Management (RAM) user, make sure that you are granted the required permissions by the Alibaba Cloud account. In a permission policy, you must use an Alibaba Cloud Resource Name (ARN) to specify the resource that the RAM user is allowed to access. This topic describes how to define a resource or an API operation in a permission policy.

By default, you can use your Alibaba Cloud account or a RAM user to manage your CDN resources in the CDN console or by calling API operations. Specific permissions are required in the following scenarios:

A newly created RAM user does not have permissions to manage the CDN resources that belong to your Alibaba Cloud account.
Before you can manage a resource, you must be granted the required permissions on the resource and the relevant API operations by the resource owner.

When another Alibaba Cloud account attempts to access CDN resources that belong to your Alibaba Cloud account by calling API operations, Alibaba Cloud CDN instructs RAM to check whether the Alibaba Cloud account has the required permissions. Required permissions vary based on the requested CDN resources and API operations. For more information about how to grant permissions, see the RAM documents and API references.

For more information about how to manage Alibaba Cloud CDN as a RAM user, see Create a RAM user.

For more information about how to use RAM to create custom permission policies for Alibaba Cloud CDN, see Use RAM to manage Alibaba Cloud CDN permissions.

For more information about how to authorize a RAM user to prefetch and refresh resources, see Authorize a RAM user to prefetch and refresh resources.

Supported resources

The following table describes the CDN resources that can be defined in permission policies.

Note $accountid represents the ID of the Alibaba Cloud account. You can use an asterisk (*) to specify all account IDs.


Resource type	Syntax	Description
service	acs:cdn::$accountid:	Authorizes RAM users to manage the CDN service, for example, to change the specifications and query account information.
domain	acs:cdn:*:$accountid:domain/$domainName	Authorizes RAM users to manage accelerated domain names, for example, to add, configure, and query domain names. $domainName specifies a specific domain name. You can use an asterisk () in the expression to specify a wildcard domain name, such as .aliyun.com. You can append an asterisk () to the end of the expression, such as acs:cdn::$accountid:domain/*, to specify all domain names.
domain	acs:cdn::$accountid:domain/

Supported CDN API operations

The following table describes the API operations of Alibaba Cloud CDN that can be defined in permission policies.


API operation	Syntax
OpenCdnService	acs:cdn::$accountid:
DescribeCdnService	acs:cdn::$accountid:
ModifyCdnService	acs:cdn::$accountid:
DescribeUserDomains	acs:cdn::$accountid:domain/
DescribeCdnDomainDetail	acs:cdn:*:$accountid:domain/$domainName
AddCdnDomain	acs:cdn::$accountid:domain/
AddCdnDomain	acs:cdn:*:$accountid:domain/$domainName
StartCdnDomain	acs:cdn:*:$accountid:domain/$domainName
StopCdnDomain	acs:cdn:*:$accountid:domain/$domainName
DeleteCdnDomain	acs:cdn:*:$accountid:domain/$domainName
RefreshObjectCaches	acs:cdn:*:$accountid:domain/$domainName
PushObjectCache	acs:cdn:*:$accountid:domain/$domainName
DescribeRefreshTasks	acs:cdn::$accountid:domain/
DescribeRefreshQuota	acs:cdn::$accountid:domain/
ForbidLiveStream	acs:cdn:*:$accountid:domain/$domainName
DescribeDomainBpsData	acs:cdn::$accountid:domain/
DescribeDomainBpsData	acs:cdn:*:$accountid:domain/$domainName
DescribeDomainSrcBpsData	acs:cdn::$accountid:domain/
DescribeDomainSrcBpsData	acs:cdn:*:$accountid:domain/$domainName
DescribeDomainHitRateData	acs:cdn::$accountid:domain/
DescribeDomainHitRateData	acs:cdn:*:$accountid:domain/$domainName
DescribeDomainQpsData	acs:cdn::$accountid:domain/
DescribeDomainQpsData	acs:cdn:*:$accountid:domain/$domainName
DescribeDomainHttpCodeData	acs:cdn::$accountid:domain/
DescribeDomainHttpCodeData	acs:cdn:*:$accountid:domain/$domainName
DescribeDomainsUsageByDay	acs:cdn::$accountid:domain/
DescribeDomainsUsageByDay	acs:cdn:*:$accountid:domain/$domainName
DescribeTopDomainsByFlow	acs:cdn::$accountid:domain/
DescribeDomainPvData	acs:cdn::$accountid:domain/
DescribeDomainPvData	acs:cdn:*:$accountid:domain/$domainName
DescribeDomainUvData	acs:cdn::$accountid:domain/
DescribeDomainUvData	acs:cdn:*:$accountid:domain/$domainName
DescribeDomainRegionData	acs:cdn::$accountid:domain/
DescribeDomainRegionData	acs:cdn:*:$accountid:domain/$domainName
DescribeDomainISPData	acs:cdn::$accountid:domain/
DescribeDomainISPData	acs:cdn:*:$accountid:domain/$domainName
DescribeDomainTopUrlVisit	acs:cdn::$accountid:domain/
DescribeDomainTopUrlVisit	acs:cdn:*:$accountid:domain/$domainName
DescribeDomainFileSizeProportionData	acs:cdn::$accountid:domain/
DescribeDomainFileSizeProportionData	acs:cdn:*:$accountid:domain/$domainName
DescribeCdnDomainLogs	acs:cdn::$accountid:domain/
DescribeCdnDomainLogs	acs:cdn:*:$accountid:domain/$domainName
DescribeIpInfo	acs:cdn::$accountid:domain/