Step 1: Create a custom permission policy

Define the permission policy.
Figure 1. Create a custom permission policy
Grant the RAM user full permissions on the log storage feature. Allow the RAM user to enable, manage, query, modify, and disable log storage. The following code block shows the content of the permission policy:
{
    "Statement": [
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "acs:ram:*:*:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "logdelivery.cdn.aliyuncs.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "cdn:DescribeUserDomains",
                "cdn:CreateCdnDomainOfflineLogDelivery",
                "cdn:DescribeCdnOfflineLogDeliveryStatus",
                "cdn:DescribeCdnOfflineLogDelivery",
                "cdn:DescribeCdnOfflineLogDeliveryField",
                "cdn:DescribeCdnOfflineLogDeliveryRegions",
                "cdn:DisableCdnDomainOfflineLogDelivery",
                "cdn:DisableCdnOfflineLogDelivery",
                "cdn:EnableCdnDomainOfflineLogDelivery"
            ],
            "Resource": "acs:cdn:*:*:*"
        }
    ],
    "Version": "1"
}
The following table describes the API operations that can be defined in a custom permission policy.
| API | Required | Function | Description |
| --- | --- | --- | --- |
| DescribeUserDomains | Yes | Queries all domain names that are added to Alibaba Cloud CDN. | If you grant a RAM user permissions on this API operation, the RAM user can query all domain names that are added to Alibaba Cloud CDN, and configure log storage for these domain names. |
| CreateCdnDomainOfflineLogDelivery | No | Enables log storage. | If you do not want a RAM user to enable log storage, do not grant the RAM user permissions on this API operation. |
| DescribeCdnOfflineLogDeliveryStatus | Yes | Queries whether log storage is enabled. | RAM users require permissions on this API operation if they want to query whether log storage is enabled, or enable log storage. |
| DescribeCdnOfflineLogDelivery | Yes | Queries domain names that have log storage enabled. | If you grant a RAM user permissions on this API operation, the RAM user can query domain names that have log storage enabled. |
| DescribeCdnOfflineLogDeliveryField | Yes | Queries fields that are supported by log storage. | RAM users require permissions on this API operation if they want to query or enable log storage. |
| DescribeCdnOfflineLogDeliveryRegions | Yes | Queries regions in which log storage is supported. | N/A |
| DisableCdnDomainOfflineLogDelivery | No | Disables domain names that have log storage enabled. | If you grant a RAM user permissions on this API operation, the RAM user can disable domain names that have log storage enabled. Proceed with caution. |
| EnableCdnDomainOfflineLogDelivery | No | Creates a log storage task for a domain name. | If you grant a RAM user permissions on this API operation, the RAM user can create a log storage task for a domain name. Proceed with caution. |
| DisableCdnOfflineLogDelivery | No | Disables log storage. | If you grant a RAM user permissions on this API operation, the RAM user can disable log storage. If you want to use log storage again, you must enable and configure log storage. Proceed with caution. |
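
The following Python script is an added example, not part of the original page or Alibaba Cloud's own code. It checks a policy document against the Required column of the table above and derives a variant without the optional enable and disable operations. The function names are hypothetical, and PAGE_POLICY is the policy from Step 1 rebuilt from the table.

```python
import copy

# Action name -> "Required" column, copied from the table above.
ACTIONS = {
    "DescribeUserDomains": True,
    "CreateCdnDomainOfflineLogDelivery": False,
    "DescribeCdnOfflineLogDeliveryStatus": True,
    "DescribeCdnOfflineLogDelivery": True,
    "DescribeCdnOfflineLogDeliveryField": True,
    "DescribeCdnOfflineLogDeliveryRegions": True,
    "DisableCdnDomainOfflineLogDelivery": False,
    "EnableCdnDomainOfflineLogDelivery": False,
    "DisableCdnOfflineLogDelivery": False,
}
REQUIRED = {f"cdn:{name}" for name, req in ACTIONS.items() if req}
OPTIONAL = {f"cdn:{name}" for name, req in ACTIONS.items() if not req}

# The full-permission policy from Step 1, rebuilt from the table (sample input).
PAGE_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "ram:CreateServiceLinkedRole",
     "Resource": "acs:ram:*:*:role/*", "Condition": {"StringEquals": {
         "ram:ServiceName": ["logdelivery.cdn.aliyuncs.com"]}}},
    {"Effect": "Allow", "Action": sorted(REQUIRED | OPTIONAL),
     "Resource": "acs:cdn:*:*:*"},
]}

def granted_cdn_actions(policy):
    """Collect cdn: actions from Allow statements (Action may be str or list)."""
    found = set()
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Allow":
            found.update(a for a in actions if a.startswith("cdn:"))
    return found

def review(policy):
    """Compare granted actions with the table; wildcards land in not_in_table."""
    granted = granted_cdn_actions(policy)
    return {"missing_required": sorted(REQUIRED - granted),
            "optional_granted": sorted(OPTIONAL & granted),
            "not_in_table": sorted(granted - REQUIRED - OPTIONAL)}

def without_optional(policy):
    """Return a copy with the optional (Required = No) actions removed."""
    out = copy.deepcopy(policy)
    for stmt in out["Statement"]:
        if isinstance(stmt.get("Action"), list):
            stmt["Action"] = [a for a in stmt["Action"] if a not in OPTIONAL]
    return out
```

An entry under not_in_table, such as a `cdn:*` wildcard, marks a grant that the table does not describe and that should be reviewed by hand.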

Step 2: Grant permissions to the RAM user

In the Add Permissions panel, set the following parameters.

| Parameter | Description |
| --- | --- |
| Authorized Scope | Select Alibaba Cloud Account, which specifies that the authorized scope is all resources that belong to the current Alibaba Cloud account. Do not select Specific Resource Group. |
| Principal | The current RAM user is selected by default. |
| Select Policy | Select Custom Policy, and click the name of the custom policy created in Step 1. The custom policy is then added to the right-side Selected list. |