RAM authentication

Last Updated: Jan 25, 2021

This topic describes the API authentication rules of Global Traffic Manager (GTM). When system policies cannot meet your needs, you can create custom policies that Resource Access Management (RAM) authenticates against these rules.

Authorization granularities

  • Service: controls whether RAM users can access the GTM service. GTM is a sub-service of Alibaba Cloud DNS and can reuse the AliyunDNSFullAccess and AliyunDNSReadOnlyAccess system policies of Alibaba Cloud DNS. These two policies grant service-level permissions.

  • Action: controls whether RAM users can call specified GTM API operations to perform specific operations on a type of service resource.

  • Resource: controls whether RAM users can perform a specific operation on a service resource.

The following table describes the DNS resources that can be authorized in RAM.

| Resource type | Resource description in an authorization policy | Description |
| --- | --- | --- |
| instance | acs:alidns::{#accountId}:gtminstance/* | Authorizes a RAM user to manage GTM instances. For example, the RAM user can query instances in a resource group or query the details about an instance. |
| | acs:alidns::{#accountId}:gtminstance/{#instanceId} | |

DNS resource types

For example, the following policy grants a RAM user full permissions to manage a GTM instance. The Resource field of each statement specifies the DNS resource that the statement applies to.

{
    "Version": "1",
    "Statement": [
        {
            "Action": "alidns:*",
            "Resource": "acs:alidns:*:*:gtmInstance/<ID of your GTM instance>",
            "Effect": "allow"
        },
        {
            "Action": [
                "alidns:DescribeGtmInstances",
                "alidns:DescribeDnsGtmInstances",
                "alidns:DescribeDnsGtmInstanceStatus",
                "alidns:DescribeDnsGtmAvailableAlertGroup",
                "alidns:DescribeDomains",
                "alidns:DescribeDnsGtmAddressPoolAvailableConfig",
                "alidns:DescribeDnsGtmMonitorAvailableConfig",
                "alidns:GetMainDomainName",
                "alidns:CheckDomainRecord"
            ],
            "Resource": "acs:alidns::*:*",
            "Effect": "allow"
        }
    ]
}

Authentication rules of API operations

| Action | Description | Authentication rule |
| --- | --- | --- |
| AddDnsGtmAddressPool | Creates an address pool for a GTM instance. | acs:alidns::{#accountId}:gtminstance/{#instanceId} |
| DescribeDnsGtmInstanceAddressPool | Queries detailed information about an address pool of a GTM instance. | acs:alidns::{#accountId}:gtminstance/{#instanceId} |
| DescribeDnsGtmInstanceAddressPools | Queries the address pools of a GTM instance. | acs:alidns::{#accountId}:gtminstance/{#instanceId} |
| UpdateDnsGtmAddressPool | Modifies the configurations of an address pool of a GTM instance. | acs:alidns::{#accountId}:gtminstance/{#instanceId} |
| DeleteDnsGtmAddressPool | Deletes an address pool from a GTM instance. | acs:alidns::{#accountId}:gtminstance/{#instanceId} |
| DescribeDnsGtmAddressPoolAvailableConfig | Queries the available configurations of an address pool of a GTM instance. | acs:alidns::{#accountId}:gtminstance/{#instanceId} |
| DescribeDnsGtmAddrAttributeInfo | Queries the source regions of addresses. | acs:alidns::{#accountId}:gtminstance/* |
| ValidateDnsGtmAttributeInfo | Validates the source regions of addresses. | acs:alidns::{#accountId}:gtminstance/* |
| DescribeDnsGtmInstances | Queries GTM instances in a resource group. | acs:alidns::{#accountId}:gtminstance/* |
| DescribeDnsGtmInstance | Queries detailed information about a GTM instance. | acs:alidns::{#accountId}:gtminstance/{#instanceId} |
| DescribeDnsGtmInstanceStatus | Queries the status of a GTM instance. | acs:alidns::{#accountId}:gtminstance/{#instanceId} |
| SwitchDnsGtmInstanceStrategyMode | Switches the access policy type for a GTM instance. | acs:alidns::{#accountId}:gtminstance/{#instanceId} |
| DescribeDnsGtmInstanceSystemCname | Queries the CNAME domain name assigned by the system for a GTM instance. | acs:alidns::{#accountId}:gtminstance/{#instanceId} |
| DescribeDnsGtmAvailableAlertGroup | Queries the available alert groups for a GTM instance. | acs:alidns::{#accountId}:gtminstance/* |
| UpdateDnsGtmInstanceGlobalConfig | Modifies the configurations of a GTM instance. | acs:alidns::{#accountId}:gtminstance/{#instanceId} |
| AddDnsGtmAccessStrategy | Creates an access policy for a GTM instance. | acs:alidns::{#accountId}:gtminstance/{#instanceId} |
| UpdateDnsGtmAccessStrategy | Modifies an access policy of a GTM instance. | acs:alidns::{#accountId}:gtminstance/{#instanceId} |
| DeleteDnsGtmAccessStrategy | Deletes an access policy from a GTM instance. | acs:alidns::{#accountId}:gtminstance/{#instanceId} |
| SetGtmAccessMode | Modifies the primary/secondary switchover policy for active address pool groups of a GTM instance. | acs:alidns::{#accountId}:gtminstance/{#instanceId} |
| DescribeDnsGtmAccessStrategies | Queries the access policies of a GTM instance. | acs:alidns::{#accountId}:gtminstance/* |
| DescribeDnsGtmAccessStrategy | Queries detailed information about an access policy of a GTM instance. | acs:alidns::{#accountId}:gtminstance/{#instanceId} |
| DescribeDnsGtmAccessStrategyAvailableConfig | Queries the available configurations of an access policy of a GTM instance. | acs:alidns::{#accountId}:gtminstance/{#instanceId} |
| AddDnsGtmMonitor | Creates a health check task for an address pool of a GTM instance. | acs:alidns::{#accountId}:gtminstance/{#instanceId} |
| UpdateDnsGtmMonitor | Modifies the configurations of a health check task for an address pool of a GTM instance. | acs:alidns::{#accountId}:gtminstance/{#instanceId} |
| SetDnsGtmMonitorStatus | Sets the status of the health check feature for an address pool of a GTM instance. | acs:alidns::{#accountId}:gtminstance/{#instanceId} |
| DescribeDnsGtmMonitorConfig | Queries the health check configurations of an address pool of a GTM instance. | acs:alidns::{#accountId}:gtminstance/{#instanceId} |
| DescribeDnsGtmMonitorAvailableConfig | Queries the available health check configurations for an address pool of a GTM instance. | acs:alidns::{#accountId}:gtminstance/* |
| DescribeDnsGtmLogs | Queries logs of a GTM instance. | acs:alidns::{#accountId}:gtminstance/{#instanceId} (if instanceId is specified) |
| | | acs:alidns::{#accountId}:gtminstance/* (if instanceId is not specified) |
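The following added example is not part of the original documentation. It audits a custom policy against the instance-scoped authentication rules listed above by reporting which of those actions the policy also allows on an instance it never names. The account ID, the instance ID and the probe ARN are constructed placeholders; `*` wildcard matching with case-insensitive comparison is an assumption about RAM's matcher, and Deny statements are not modelled.

```python
from fnmatch import fnmatchcase

# Actions whose authentication rule in the table above names one instance (subset).
INSTANCE_SCOPED = [
    "AddDnsGtmAddressPool", "UpdateDnsGtmAddressPool", "DeleteDnsGtmAddressPool",
    "AddDnsGtmAccessStrategy", "UpdateDnsGtmAccessStrategy", "DeleteDnsGtmAccessStrategy",
    "UpdateDnsGtmInstanceGlobalConfig", "DescribeDnsGtmInstanceStatus",
    "DescribeDnsGtmAddressPoolAvailableConfig",
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match(pattern, value):
    # Assumption: '*' wildcards and case-insensitive comparison; RAM's matcher may differ.
    return fnmatchcase(value.lower(), pattern.lower())

def allowed(policy, action, resource):
    """True if an allow statement covers (action, resource). Deny is not modelled."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect", "").lower() != "allow":
            continue
        if (any(_match(a, action) for a in _as_list(stmt["Action"]))
                and any(_match(r, resource) for r in _as_list(stmt["Resource"]))):
            return True
    return False

def cross_instance_actions(policy, account_id):
    """Instance-scoped actions the policy also allows on an instance it never names."""
    probe = f"acs:alidns::{account_id}:gtminstance/probe-unlisted-instance"
    return [op for op in INSTANCE_SCOPED if allowed(policy, f"alidns:{op}", probe)]

# Constructed sample values: the account ID and instance ID are placeholders.
ACCOUNT, INSTANCE = "1234567890123456", "gtm-example-0001"
READS = {"Action": ["alidns:DescribeDnsGtmInstanceStatus",
                    "alidns:DescribeDnsGtmAddressPoolAvailableConfig"],
         "Resource": "acs:alidns::*:*", "Effect": "allow"}
SCOPED = {"Version": "1", "Statement": [
    {"Action": "alidns:*", "Effect": "allow",
     "Resource": f"acs:alidns:*:*:gtmInstance/{INSTANCE}"}, READS]}
WILDCARD = {"Version": "1", "Statement": [
    {"Action": "alidns:*", "Effect": "allow",
     "Resource": "acs:alidns:*:*:gtmInstance/*"}, READS]}

if __name__ == "__main__":
    for name, pol in (("scoped", SCOPED), ("wildcard", WILDCARD)):
        print(name, cross_instance_actions(pol, ACCOUNT))
```

With the instance-scoped policy only the two query actions granted on `acs:alidns::*:*` reach other instances; replacing the instance ID with `*` extends every listed write action to all instances in the account.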