When you enable the log storage feature in Dynamic Route for CDN (DCDN), the system automatically creates the service-linked role (SLR) AliyunServiceRoleForDCDNLogDelivery and grants the SLR the permissions to access resources in Object Storage Service (OSS) and Data Lake Analytics (DLA).

AliyunServiceRoleForDCDNLogDelivery

AliyunServiceRoleForDCDNLogDelivery is an SLR of DCDN. If you enable the log storage feature in DCDN, DCDN assumes the SLR and uses the permissions that are granted to the SLR to access resources in OSS and DLA. This way, DCDN can deliver log data to other services. Make sure that the geographical location where the log data is stored complies with the local laws and regulations. For more information about SLRs, see Service-linked roles.

Create AliyunServiceRoleForDCDNLogDelivery

The first time you enable the log storage feature in DCDN, the system automatically creates the SLR AliyunServiceRoleForDCDNLogDelivery and attaches the permission policy AliyunServiceRolePolicyForDCDNLogDelivery to the SLR. After the log storage feature is enabled, DCDN assumes the SLR and uses the permissions that are granted to the SLR to access resources in OSS and DLA. Then, you can perform the following operations in OSS and DLA:
  • OSS: Create and query OSS buckets, write data to OSS buckets, query data in OSS buckets, and delete data from OSS buckets.
  • DLA: Enable, query, and disable DLA tasks.
Notice: If AliyunServiceRoleForDCDNLogDelivery has already been created for DCDN, the system does not create the SLR again.
The following code block shows the content of the permission policy:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "openanalytics:CreateInstance",
        "openanalytics:UpgradeInstance",
        "openanalytics:ReleaseInstance",
        "openanalytics:ExecuteSQL",
        "openanalytics:QueryExecute",
        "openanalytics:DescribeVirtualCluster",
        "openanalytics:ListSparkJob",
        "openanalytics:GetJobStatus",
        "openanalytics:GetJobDetail",
        "openanalytics:GetJobLog",
        "openanalytics:KillSparkJob",
        "openanalytics:SubmitSparkJob"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "oss:PutBucket",
        "oss:GetBucketInfo"
      ],
      "Effect": "Allow",
      "Resource": "acs:oss:*:*:alicdn-log-delivery-*"
    },
    {
      "Action": [
        "oss:GetObject",
        "oss:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "acs:oss:*:*:alicdn-log-delivery-*/alicdn-offline-log/*"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "openanalytics.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "logdelivery.dcdn.aliyuncs.com"
        }
      }
    }
  ]
}
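The following Python sketch is an added example, not Alibaba Cloud code. It re-states the statements of the policy above and checks which requests they allow. The evaluator is simplified (Allow statements, `*` wildcards and StringEquals conditions only), and the function names and any region, account ID or bucket suffix passed to it are assumptions.

```python
import re

# Statements condensed from the policy shown on this page
# (same actions, resources and conditions; only the layout differs).
DLA = ["CreateInstance", "UpgradeInstance", "ReleaseInstance", "ExecuteSQL",
       "QueryExecute", "DescribeVirtualCluster", "ListSparkJob", "GetJobStatus",
       "GetJobDetail", "GetJobLog", "KillSparkJob", "SubmitSparkJob"]
BUCKET = "acs:oss:*:*:alicdn-log-delivery-*"
POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["openanalytics:" + a for a in DLA], "Resource": "*"},
    {"Effect": "Allow", "Action": ["oss:PutBucket", "oss:GetBucketInfo"], "Resource": BUCKET},
    {"Effect": "Allow", "Action": ["oss:GetObject", "oss:PutObject"],
     "Resource": BUCKET + "/alicdn-offline-log/*"},
    {"Effect": "Allow", "Action": "ram:CreateServiceLinkedRole", "Resource": "*",
     "Condition": {"StringEquals": {"ram:ServiceName": "openanalytics.aliyuncs.com"}}},
    {"Effect": "Allow", "Action": "ram:DeleteServiceLinkedRole", "Resource": "*",
     "Condition": {"StringEquals": {"ram:ServiceName": "logdelivery.dcdn.aliyuncs.com"}}},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wild(pattern, text):
    """Match text against pattern, treating '*' as the only wildcard."""
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), text) is not None

def is_allowed(policy, action, resource, context=None):
    """Simplified check: True if some Allow statement covers the request."""
    context = context or {}
    for st in policy["Statement"]:
        cond = st.get("Condition", {})
        # Fail closed on anything this sketch does not model.
        if st.get("Effect") != "Allow" or set(cond) - {"StringEquals"}:
            continue
        if not any(_wild(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_wild(r, resource) for r in _as_list(st["Resource"])):
            continue
        wanted = cond.get("StringEquals", {})
        if all(context.get(k) in _as_list(v) for k, v in wanted.items()):
            return True
    return False

def unscoped_statements(policy):
    """Indexes of Allow statements with Resource '*' and no Condition."""
    return [i for i, st in enumerate(policy["Statement"])
            if st.get("Effect") == "Allow" and "*" in _as_list(st["Resource"])
            and not st.get("Condition")]
```

`unscoped_statements(POLICY)` reports only statement 0: the openanalytics actions apply to every resource with no condition, while the OSS statements are limited to buckets named alicdn-log-delivery-* and the RAM statements to a single service name each. The evaluator returns False for `oss:DeleteObject`, because no statement in the policy shown lists a delete action.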

Delete AliyunServiceRoleForDCDNLogDelivery

If you no longer require the log storage feature and want to delete the SLR AliyunServiceRoleForDCDNLogDelivery, perform the following steps:

  1. Disable log storage.
    1. Log on to the DCDN console.
    2. In the left-side navigation pane, choose Logs > Offline Log.
    3. On the Logs page, click the Log Storage tab.
    4. Click Close Delivery Task.
    5. Click OK.
  2. Delete AliyunServiceRoleForDCDNLogDelivery.
    1. Log on to the RAM console.
    2. In the left-side navigation pane, choose Identities > Roles.
    3. In the Role Name column, find the SLR AliyunServiceRoleForDCDNLogDelivery and click Delete.
      Note: If the SLR fails to be deleted, check whether log storage has been disabled.