Authorize a RAM user to prefetch and refresh resources - CDN

By default, Resource Access Management (RAM) users do not have permissions to prefetch or refresh resources. You can attach system or custom permission policies to a RAM user to allow the RAM user to prefetch and refresh resources.

Prerequisites

A RAM user is created. If no RAM user is created, create one. For more information, see Create a RAM user.

Background information

By default, RAM users do not have permissions to prefetch or refresh resources. If you log on to the Alibaba Cloud CDN console and attempt to prefetch or refresh resources as a RAM user, the following error message appears: The account does not have access to the page interface, or the interface does not support RAM access control. In this case, you must grant the required permissions to the RAM user.

RAM supports two types of permission policies: system policy and custom policy. You can attach a system or custom policy to the RAM user to allow the RAM user to prefetch and refresh resources.

System policies
System policies are automatically created by Alibaba Cloud and cannot be modified. A system policy grants RAM users full permissions on Alibaba Cloud CDN. Only a few steps are required to grant permissions to RAM users by using system policies. For more information, see Method 1: Attach a system policy to a RAM user.
Custom policies
You can create, update, and manage custom policies based on business requirements. Custom policies grant RAM users only specified permissions. For example, you can use a custom policy to allow a RAM user only to prefetch and refresh resources, or manage the log storage feature. In this case, the RAM user does not have permissions to perform operations other than the authorized ones. For more information, see Method 2: Attach a custom policy to a RAM user.

Method 1: Attach a system policy to a RAM user

Log on to the RAM console by using your Alibaba Cloud account.
In the left-side navigation pane, choose Identities > Users.
On the Users page, find the RAM user to which you want to attach the custom policy, and click Add Permissions in the Actions column.
In the Add Permissions panel, configure the required parameters.
1. In the Authorized Scope section, select Alibaba Cloud Account.
2. Click System Policy.
3. Enter AliyunCDN in the search box. All system policies that are related to Alibaba Cloud CDN are displayed.
4. Click AliyunCDNFullAccess to add the policy to the Selected list.
  Note The AliyunCDNFullAcces policy grants the RAM user full permissions on Alibaba Cloud CDN. The RAM user has permissions to call CDN API operations and manage all accelerated domain names.
Click OK.
Click Complete.

Method 2: Attach a custom policy to a RAM user

Create a custom policy.

Log on to the RAM console by using your Alibaba Cloud account.
In the left-side navigation pane, choose Permissions > Policies.
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab.
Enter the policy content.
In the editor, enter the following policy content. This policy grants the RAM user permissions on the prefetch and refresh API operations. The RAM user can call API operations to prefetch or refresh resources.
```
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "cdn:PushObjectCache",
        "cdn:RefreshObjectCaches",
        "cdn:DescribeRefreshTasks",
        "cdn:DescribeRefreshQuota"
      ],
      "Resource": "acs:cdn:*:*:*",
      "Effect": "Allow"
    }
  ]
}
```
Note
- All API operations of Alibaba Cloud CDN can be defined in custom policies. You can add other API operations to custom policies based on your business requirements. After you attach these policies to RAM users, the RAM users have permissions to call the specified API operations. For more information about the actions that you can authorize RAM users to perform, see RAM authentication.
- The policy content must be expressed in a specific syntax structure to describe the authorized resource sets, operation sets, and authorization conditions. For more information, see Policy elements and Policy structure and syntax.
Click Next to edit policy information.
Specify the Name and Description fields.
Check and optimize the document of the custom policy.
- Basic optimization
  The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:
  - Deletes unnecessary conditions.
  - Deletes unnecessary arrays.
- Optional:Advanced optimization
  You can move the pointer over Optional advanced optimize and click Perform. The system performs the following operations during the advanced optimization:
  - Splits resources or conditions that are incompatible with actions.
  - Narrows down resources.
  - Deduplicates or merges policy statements.
Click OK.

Grant permissions to a RAM user

Log on to the RAM console by using your Alibaba Cloud account.
In the left-side navigation pane, choose Identities > Users.
On the Users page, find the RAM user to which you want to attach the custom policy, and click Add Permissions in the Actions column.

In the Add Permissions panel, set the following parameters.


Parameter	Description
Authorized Scope	Select Alibaba Cloud Account, which specifies that the authorized scope is all resources that belong to the current Alibaba Cloud account. Do not select Specific Resource Group.
Principal	The current RAM user is automatically selected.
Select Policy	Click the Custom Policy tab. Enter the name of the custom policy that you created. The name of the custom policy in this example is `AliyunCdnRefresh`. After the system displays the policy, click its name to add it to the Selected list.

Click OK.
Click Complete.

What to do next

Log on to the Alibaba Cloud Management Console as a RAM user