When you enable the log storage feature in Dynamic Route for CDN (DCDN), the system automatically creates the service-linked role (SLR) AliyunServiceRoleForDCDNLogDelivery and grants the service-linked role the permissions to access resources in Object Storage Service (OSS) and Data Lake Analytics (DLA).

Overview

AliyunServiceRoleForDCDNLogDelivery is an SLR of DCDN. When you enable the log storage feature in DCDN, DCDN must assume the SLR to access resources in OSS and DLA. This allows DCDN to deliver log data to other services. Make sure that the geographic location where the log data is stored complies with applicable regulations. For more information about SLRs, see Service-linked roles.

Create AliyunServiceRoleForDCDNLogDelivery

If this is the first time you enable the log storage feature in DCDN, the system automatically creates the SLR AliyunServiceRoleForDCDNLogDelivery and attaches the permission policy AliyunServiceRolePolicyForDCDNLogDelivery to the SLR. DCDN can assume the SLR to access OSS and DLA after the log storage feature is enabled. You can perform the following operations in OSS and DLA:
  • OSS: Create and query OSS buckets, write data to OSS buckets, query data in OSS buckets, and delete data from OSS buckets.
  • DLA: Enable, query, and disable DLA tasks.
Note: If AliyunServiceRoleForDCDNLogDelivery is already created for DCDN, the system does not create it again.
The following code block shows the content of the permission policy:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "openanalytics:CreateInstance",
        "openanalytics:UpgradeInstance",
        "openanalytics:ReleaseInstance",
        "openanalytics:ExecuteSQL",
        "openanalytics:QueryExecute",
        "openanalytics:DescribeVirtualCluster",
        "openanalytics:ListSparkJob",
        "openanalytics:GetJobStatus",
        "openanalytics:GetJobDetail",
        "openanalytics:GetJobLog",
        "openanalytics:KillSparkJob",
        "openanalytics:SubmitSparkJob"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "oss:PutBucket",
        "oss:GetBucketInfo"
      ],
      "Effect": "Allow",
      "Resource": "acs:oss:*:*:alicdn-log-delivery-*"
    },
    {
      "Action": [
        "oss:GetObject",
        "oss:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "acs:oss:*:*:alicdn-log-delivery-*/alicdn-offline-log/*"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "openanalytics.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "logdelivery.dcdn.aliyuncs.com"
        }
      }
    }
  ]
}
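
To review how far these grants reach, the policy can be checked offline. The following Python script is an added example, not Alibaba Cloud code: it tests constructed requests against the policy above and lists statements that allow Resource "*" with no Condition. The account ID, region and bucket suffix in the sample ARNs are placeholders, and the matcher is a simplification (case-sensitive wildcards, Allow statements only, Condition blocks not evaluated).

```python
from fnmatch import fnmatchcase

# Policy document from this page, written compactly.
DLA_ACTIONS = ["CreateInstance", "UpgradeInstance", "ReleaseInstance", "ExecuteSQL",
               "QueryExecute", "DescribeVirtualCluster", "ListSparkJob", "GetJobStatus",
               "GetJobDetail", "GetJobLog", "KillSparkJob", "SubmitSparkJob"]
POLICY = {"Version": "1", "Statement": [
    {"Action": ["openanalytics:" + a for a in DLA_ACTIONS],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["oss:PutBucket", "oss:GetBucketInfo"], "Effect": "Allow",
     "Resource": "acs:oss:*:*:alicdn-log-delivery-*"},
    {"Action": ["oss:GetObject", "oss:PutObject"], "Effect": "Allow",
     "Resource": "acs:oss:*:*:alicdn-log-delivery-*/alicdn-offline-log/*"},
    {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "openanalytics.aliyuncs.com"}}},
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "logdelivery.dcdn.aliyuncs.com"}}},
]}

# Constructed sample ARNs (placeholder region, account ID and bucket names).
ACCOUNT = "acs:oss:oss-cn-hangzhou:1234567890123456:"
LOG_OBJECT = ACCOUNT + "alicdn-log-delivery-example/alicdn-offline-log/a.gz"
OTHER_OBJECT = ACCOUNT + "my-app-bucket/alicdn-offline-log/a.gz"

def as_list(value):
    """Policy fields may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def allowing_statements(policy, action, resource):
    """Return the Allow statements whose Action and Resource patterns both match."""
    return [s for s in policy["Statement"] if s.get("Effect") == "Allow"
            and any(fnmatchcase(action, p) for p in as_list(s["Action"]))
            and any(fnmatchcase(resource, p) for p in as_list(s["Resource"]))]

def unscoped_statements(policy):
    """Return Allow statements on Resource "*" that carry no Condition."""
    return [s for s in policy["Statement"] if s.get("Effect") == "Allow"
            and "*" in as_list(s["Resource"]) and "Condition" not in s]

if __name__ == "__main__":
    for action, res in [("oss:PutObject", LOG_OBJECT),
                        ("oss:PutObject", OTHER_OBJECT),
                        ("oss:DeleteObject", LOG_OBJECT)]:
        hit = allowing_statements(POLICY, action, res)
        print(f"{action} on {res}: {'allowed' if hit else 'not allowed'}")
    for s in unscoped_statements(POLICY):
        print("Resource '*' without Condition:", ", ".join(as_list(s["Action"])))
```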

Delete AliyunServiceRoleForDCDNLogDelivery

If you no longer use the log storage feature and want to delete the SLR AliyunServiceRoleForDCDNLogDelivery, perform the following steps:

  1. Disable log storage.
    1. Log on to the DCDN console.
    2. In the left-side navigation pane, choose Logs > Offline Logs.
    3. On the Logs page, click the Log Storage tab.
    4. Click Close Delivery Task.
    5. In the dialog box that appears, click OK.
  2. Delete AliyunServiceRoleForDCDNLogDelivery.
    1. Log on to the RAM console.
    2. In the left-side navigation pane, click RAM Roles.
    3. In the RAM Role Name column, find the SLR AliyunServiceRoleForDCDNLogDelivery and click Delete.
      Note: If the SLR fails to be deleted, check whether log storage has been disabled.