By default, RAM users do not have permissions to enable or manage the log storage feature of Dynamic Route for CDN (DCDN). If you want to allow a RAM user to enable or manage log storage, you must grant the RAM user the required permissions. You can use custom permission policies to implement fine-grained access control.

Background information

Resource Access Management (RAM) is an identity management and access control service that is provided by Alibaba Cloud. RAM allows you to create and manage RAM users for employees, systems, applications, and other identities. You can manage the permissions of RAM users to control their access to Alibaba Cloud resources.

Scenarios

In this topic, a permission policy is used to grant a RAM user full permissions on log storage. The permission policy allows the RAM user to enable, manage, query, modify, and disable log storage.
Note The logic of the API operations that are related to log storage is complex and involves multiple services. Therefore, the API operations described in this topic are not available for use. We recommend that you perform operations in the DCDN console.

Step 1: Create a custom permission policy

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. Define the permission policy.
    Figure 1. Create a custom permission policy
    Policy Name: Enter an informative name for easy identification.
    Note: Optional. Enter a description for the custom permission policy.
    Configuration Mode: Select Script. This mode supports more flexible configurations.
    Policy Document: Enter the content of the permission policy. You do not need to import existing policies.
    Grant the RAM user full permissions on log storage. Allow the RAM user to enable, manage, query, modify, and disable log storage. The following code block shows the content of the custom permission policy:
    Note If you want to grant only specific permissions to a RAM user, include only the actions that you want to grant in the policy document.
    {
        "Statement": [
            {
                "Action": "ram:CreateServiceLinkedRole",
                "Resource": "acs:ram:*:*:role/*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": [
                            "logdelivery.dcdn.aliyuncs.com"
                        ]
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": [
                    "dcdn:DescribeDcdnUserDomains",
                    "dcdn:CreateDcdnDomainOfflineLogDelivery",
                    "dcdn:DescribeDcdnOfflineLogDeliveryStatus",
                    "dcdn:DescribeDcdnOfflineLogDelivery",
                    "dcdn:DescribeDcdnOfflineLogDeliveryField",
                    "dcdn:DescribeDcdnOfflineLogDeliveryRegions",
                    "dcdn:DisableDcdnDomainOfflineLogDelivery",
                    "dcdn:DisableDcdnOfflineLogDelivery",
                    "dcdn:EnableDcdnDomainOfflineLogDelivery"
                ],
                "Resource": "acs:dcdn:*:*:*"
            }
        ],
        "Version": "1"
    }
    The following table describes the API operations that can be defined in a custom permission policy. Each row lists the operation, whether it is required, its purpose, and a description.
    DescribeDcdnUserDomains. Required: Yes. Purpose: Queries all domain names that are added to DCDN. Description: If you grant a RAM user permissions on this API operation, the RAM user can query all domain names that are added to DCDN and configure log storage for these domain names.
    CreateDcdnDomainOfflineLogDelivery. Required: No. Purpose: Enables log storage. Description: If you do not want a RAM user to enable log storage, do not grant the RAM user permissions on this API operation.
    DescribeDcdnOfflineLogDeliveryStatus. Required: Yes. Purpose: Queries whether log storage is enabled. Description: RAM users need permissions on this API operation to query whether log storage is enabled or to enable log storage.
    DescribeDcdnOfflineLogDelivery. Required: Yes. Purpose: Queries domain names that have log storage enabled. Description: If you grant a RAM user permissions on this API operation, the RAM user can query domain names that have log storage enabled.
    DescribeDcdnOfflineLogDeliveryField. Required: Yes. Purpose: Queries fields that are supported by log storage. Description: RAM users need permissions on this API operation to query whether log storage is enabled or to enable log storage.
    DescribeDcdnOfflineLogDeliveryRegions. Required: Yes. Purpose: Queries regions in which log storage is supported. Description: None.
    DisableDcdnDomainOfflineLogDelivery. Required: No. Purpose: Disables log storage for domain names that have it enabled. Description: If you grant a RAM user permissions on this API operation, the RAM user can disable log storage for domain names that have it enabled. Proceed with caution.
    EnableDcdnDomainOfflineLogDelivery. Required: No. Purpose: Enables log storage for a domain name. Description: If you grant a RAM user permissions on this API operation, the RAM user can create a log storage task for a domain name. Proceed with caution.
    DisableDcdnOfflineLogDelivery. Required: No. Purpose: Disables log storage. Description: If you grant a RAM user permissions on this API operation, the RAM user can disable log storage. If you want to use log storage again, you must enable and configure it again. Proceed with caution.
  5. Click OK.
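The Required column above is the basis for least-privilege variants of this policy. The following added example (not from this topic or from Alibaba Cloud) embeds the policy document from Step 1, lists every action it grants, and derives a query-only policy by removing the four operations the table marks Required: No. Whether a query-only RAM user also needs the ram:CreateServiceLinkedRole statement is not stated on this page; the example keeps it, which is an assumption.

```python
import copy

# Custom policy from Step 1 of this topic, written as a Python dict.
FULL_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "ram:CreateServiceLinkedRole",
         "Resource": "acs:ram:*:*:role/*",
         "Condition": {"StringEquals": {
             "ram:ServiceName": ["logdelivery.dcdn.aliyuncs.com"]}}},
        {"Effect": "Allow", "Resource": "acs:dcdn:*:*:*",
         "Action": [
             "dcdn:DescribeDcdnUserDomains",
             "dcdn:CreateDcdnDomainOfflineLogDelivery",
             "dcdn:DescribeDcdnOfflineLogDeliveryStatus",
             "dcdn:DescribeDcdnOfflineLogDelivery",
             "dcdn:DescribeDcdnOfflineLogDeliveryField",
             "dcdn:DescribeDcdnOfflineLogDeliveryRegions",
             "dcdn:DisableDcdnDomainOfflineLogDelivery",
             "dcdn:DisableDcdnOfflineLogDelivery",
             "dcdn:EnableDcdnDomainOfflineLogDelivery",
         ]},
    ],
}

# Operations the table marks "Required: No"; each one changes log storage state.
STATE_CHANGING = {
    "dcdn:CreateDcdnDomainOfflineLogDelivery",
    "dcdn:DisableDcdnDomainOfflineLogDelivery",
    "dcdn:DisableDcdnOfflineLogDelivery",
    "dcdn:EnableDcdnDomainOfflineLogDelivery",
}

def allowed_actions(policy):
    """All actions granted by Allow statements (Action may be a string or a list)."""
    acts = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            a = stmt["Action"]
            acts.update([a] if isinstance(a, str) else a)
    return acts

def query_only_policy(policy):
    """Deep copy of the policy with the Required: No operations removed, so the
    RAM user can only query log storage settings. The service-linked-role
    statement is kept unchanged (assumption: the console may still need it)."""
    out = copy.deepcopy(policy)
    for stmt in out["Statement"]:
        a = stmt["Action"]
        acts = [a] if isinstance(a, str) else list(a)
        stmt["Action"] = [x for x in acts if x not in STATE_CHANGING]
    return out
```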

Step 2: Grant permissions to the RAM user

  1. Log on to the RAM console.
  2. Create a RAM user.
    Note If you have created a RAM user, skip this step.
  3. In the left-side navigation pane, choose Identities > Users.
  4. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
  5. In the Add Permissions panel, set the following parameters.
    Figure 2. Add permissions
    Authorized Scope: Select Alibaba Cloud Account, which specifies that the authorized scope is all resources that belong to the current Alibaba Cloud account. Do not select Specific Resource Group.
    Principal: The current RAM user is selected by default.
    Select Policy: Select Custom Policy, and click the name of the custom policy created in Step 1. The custom policy is then added to the Selected list on the right.
    Note If you want to allow the RAM user to enable log storage, attach the AliyunDLAFullAccess permission policy to the RAM user. If this permission policy is not attached to the RAM user, the RAM user is unable to enable log storage.
  6. Click OK.
  7. Click Complete.

What to do next

Log on to the console as a RAM user