Dynamic Content Delivery Network: Examples on how to authorize a RAM user to activate DCDN and modify configurations

Last Updated: May 06, 2023

By default, new Resource Access Management (RAM) users do not have permissions to activate Alibaba Cloud Dynamic Content Delivery Network (DCDN) or change the metering method of DCDN. If you want to activate DCDN or change the metering method of DCDN, you need to log on to the RAM console and grant permissions to the RAM users.

Prerequisites

A RAM user is created. If you have not created a RAM user, follow the instructions provided in Create a RAM user to create a RAM user.

Background information

RAM is an Alibaba Cloud service that is used to manage user identities and resource access permissions. RAM supports system and custom policies. You can use system policies to grant full permissions (including service activation and configuration modification) on DCDN to RAM users. You can use custom policies to grant RAM users the permissions to activate DCDN, the permissions to modify configurations, or both.

  • System policies

    System policies are configured and provided by Alibaba Cloud. You cannot modify system policies. A system policy grants full permissions (including service activation and configuration modification) on DCDN to RAM users. Only a few steps are required to grant permissions to RAM users by using system policies.

  • Custom policies

    You can create or modify custom policies to implement fine-grained permission control. For example, you can use custom policies to grant RAM users the permissions to activate DCDN, the permissions to modify configurations, or both.

Permission scopes

The following table describes the scopes of the permissions that you can grant to a RAM user. For example, you can grant a RAM user the permissions to activate DCDN or modify configurations.

Note

In this topic, configuration modification refers to the change of the metering method.

| Permission | Description | References |
| --- | --- | --- |
| Full permissions (including service activation and configuration modification) | Full permissions on DCDN, such as the permissions to configure cache policies and back-to-origin settings, activate DCDN, and change the metering method. | Example 1: Attach a system policy to a RAM user (including service activation and configuration modification) |
| Full permissions (excluding service activation) | Full permissions on DCDN, such as the permissions to configure cache policies and back-to-origin settings and change the metering method. The permissions to activate DCDN are excluded. | Example 2: Attach a custom policy to a RAM user (including service activation or configuration modification) |
| Full permissions (excluding configuration modification) | Full permissions on DCDN, such as the permissions to configure cache policies and back-to-origin settings and activate DCDN. The permissions to change the metering method are excluded. | Example 2: Attach a custom policy to a RAM user (including service activation or configuration modification) |
| Only service activation permissions | Only the permissions to activate DCDN. | Example 2: Attach a custom policy to a RAM user (including service activation or configuration modification) |
| Only configuration modification permissions | Only the permissions to change the metering method. | Example 2: Attach a custom policy to a RAM user (including service activation or configuration modification) |
| Only service activation and configuration modification permissions | Only the permissions to activate DCDN and change the metering method. | Example 3: Attach a custom policy to a RAM user (only service activation and configuration modification) |
| Full permissions (excluding service activation and configuration modification) | Full permissions on DCDN, such as the permissions to configure cache policies and back-to-origin settings. The permissions to activate DCDN and change the metering method are excluded. | Example 4: Attach a custom policy to a RAM user (excluding service activation and configuration modification) |

Example 1: Attach a system policy to a RAM user (including service activation and configuration modification)

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the RAM user to which you want to attach the system policy, and click Add Permissions in the Actions column.

  4. In the Add Permissions panel, configure the required parameters.

    1. In the Authorized Scope section, select Alibaba Cloud Account.

      Note

      If you want to grant a RAM user the permissions to activate DCDN and modify configurations, you must authorize the Alibaba Cloud Account to which the RAM user belongs. If you select Specific Resource Group, the permissions to activate DCDN and modify configurations do not take effect for the RAM user.

    2. Select System Policy.

    3. Enter DCDN in the search box. All system policies that are related to DCDN are displayed.

    4. Click AliyunDCDNFullAccess to add the policy to the Selected list.

  5. Click OK.

  6. Click Complete.

Example 2: Attach a custom policy to a RAM user (including service activation or configuration modification)

  1. Create a custom policy.

    1. Log on to the RAM console.

    2. In the left-side navigation pane, choose Permissions > Policies.

    3. Click Create Policy.

    4. Click the JSON tab and configure a custom policy.

      Figure 1: JSON

      The following code block shows the content of the custom policy:

      Full permissions (excluding service activation)

      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "dcdn:*",
                  "Resource": "*",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "dcdn:OpenDcdnService"
                  ],
                  "Resource": "*",
                  "Effect": "Deny"
              },
              {
                  "Action": "ram:CreateServiceLinkedRole",
                  "Resource": "*",
                  "Effect": "Allow",
                  "Condition": {
                      "StringEquals": {
                          "ram:ServiceName": [
                              "logdelivery.dcdn.aliyuncs.com"
                          ]
                      }
                  }
              }
          ]
      }

      Full permissions (excluding configuration modification)

      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "dcdn:*",
                  "Resource": "*",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "dcdn:ModifyDcdnService"
                  ],
                  "Resource": "*",
                  "Effect": "Deny"
              },
              {
                  "Action": "ram:CreateServiceLinkedRole",
                  "Resource": "*",
                  "Effect": "Allow",
                  "Condition": {
                      "StringEquals": {
                          "ram:ServiceName": [
                              "logdelivery.dcdn.aliyuncs.com"
                          ]
                      }
                  }
              }
          ]
      }

      Only service activation permissions

      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "dcdn:OpenDcdnService"
                  ],
                  "Resource": "*"
              }
          ],
          "Version": "1"
      }

      Only configuration modification permissions

      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "dcdn:ModifyDcdnService"
                  ],
                  "Resource": "*"
              }
          ],
          "Version": "1"
      }
    5. Click Next to edit policy information. On the page that appears, configure the Name and Description parameters for the policy.

      Figure 2: Basic information

      | Parameter | Description |
      | --- | --- |
      | Name | Enter a name for the custom policy. In this example, AliyunDcdntest is used. |
      | Description | Enter a description for the custom policy. This parameter is optional. |

    6. Check and optimize the content of the custom policy.

      • Basic optimization

        The system automatically performs basic optimization on the policy statement. The system performs the following operations during basic optimization:

        • Deletes unnecessary conditions.

        • Deletes unnecessary arrays.

      • Optional: Advanced optimization

        You can move the pointer over Optional advanced optimize and click Perform. The system performs the following operations during advanced optimization:

        • Splits resources or conditions that are incompatible with actions.

        • Reduces the number of resources.

        • Deduplicates or merges policy statements.

    7. Click OK.

  2. Grant the required permissions to the RAM user that you use.

    1. Log on to the RAM console.

    2. In the left-side navigation pane, choose Identities > Users.

    3. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.

    4. In the Add Permissions panel, configure the required parameters.

      | Parameter | Description |
      | --- | --- |
      | Authorized Scope | Select Alibaba Cloud Account. Note: If you want to grant a RAM user the permissions to activate DCDN and modify configurations, you must authorize the Alibaba Cloud Account to which the RAM user belongs. If you select Specific Resource Group, the permissions to activate DCDN and modify configurations do not take effect for the RAM user. |
      | Principal | The current RAM user is automatically selected. |
      | Select Policy | Click Custom Policy. Enter the name of the custom policy that you created in Step 1. In this example, the name of the custom policy is AliyunDcdntest. After the system displays the custom policy, click the name of the custom policy to add the policy to the Selected list. |

    5. Click OK.

    6. Click Complete.

Example 3: Attach a custom policy to a RAM user (only service activation and configuration modification)

  1. Create a custom policy.

    1. Log on to the RAM console.

    2. In the left-side navigation pane, choose Permissions > Policies.

    3. Click Create Policy.

    4. Click the JSON tab and configure a custom policy.

      Figure 3: JSON

      The following code block shows the content of the custom policy:

      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "dcdn:OpenDcdnService",
                      "dcdn:ModifyDcdnService"
                  ],
                  "Resource": "*"
              }
          ],
          "Version": "1"
      }
    5. Click Next to edit policy information. On the page that appears, configure the Name and Description parameters for the policy.

      Figure 4: Basic information

      | Parameter | Description |
      | --- | --- |
      | Name | Enter a name for the custom policy. In this example, AliyunDcdntest is used. |
      | Description | Enter a description for the custom policy. This parameter is optional. |

    6. Check and optimize the content of the custom policy.

      • Basic optimization

        The system automatically performs basic optimization on the policy statement. The system performs the following operations during basic optimization:

        • Deletes unnecessary conditions.

        • Deletes unnecessary arrays.

      • Optional: Advanced optimization

        You can move the pointer over Optional advanced optimize and click Perform. The system performs the following operations during advanced optimization:

        • Splits resources or conditions that are incompatible with actions.

        • Reduces the number of resources.

        • Deduplicates or merges policy statements.

    7. Click OK.

  2. Grant the required permissions to the RAM user that you use.

    1. Log on to the RAM console.

    2. In the left-side navigation pane, choose Identities > Users.

    3. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.

    4. In the Add Permissions panel, configure the required parameters.

      | Parameter | Description |
      | --- | --- |
      | Authorized Scope | Select Alibaba Cloud Account. Note: If you want to grant a RAM user the permissions to activate DCDN and modify configurations, you must authorize the Alibaba Cloud Account to which the RAM user belongs. If you select Specific Resource Group, the permissions to activate DCDN and modify configurations do not take effect for the RAM user. |
      | Principal | The current RAM user is automatically selected. |
      | Select Policy | Click Custom Policy. Enter the name of the custom policy that you created in Step 1. In this example, the name of the custom policy is AliyunDcdntest. After the system displays the custom policy, click the name of the custom policy to add the policy to the Selected list. |

    5. Click OK.

    6. Click Complete.

Example 4: Attach a custom policy to a RAM user (excluding service activation and configuration modification)

  1. Create a custom policy.

    1. Log on to the RAM console.

    2. In the left-side navigation pane, choose Permissions > Policies.

    3. Click Create Policy.

    4. Click the JSON tab and configure a custom policy.

      The following code block shows the content of the custom policy:

      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "dcdn:*",
                  "Resource": "*",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "dcdn:ModifyDcdnService",
                      "dcdn:OpenDcdnService"
                  ],
                  "Resource": "*",
                  "Effect": "Deny"
              },
              {
                  "Action": "ram:CreateServiceLinkedRole",
                  "Resource": "*",
                  "Effect": "Allow",
                  "Condition": {
                      "StringEquals": {
                          "ram:ServiceName": [
                              "logdelivery.dcdn.aliyuncs.com"
                          ]
                      }
                  }
              }
          ]
      }
    5. Click Next to edit policy information. On the page that appears, configure the Name and Description parameters for the policy.

      Figure 5: Basic information

      | Parameter | Description |
      | --- | --- |
      | Name | Enter a name for the custom policy. In this example, AliyunDcdntest is used. |
      | Description | Enter a description for the custom policy. This parameter is optional. |

    6. Check and optimize the content of the custom policy.

      • Basic optimization

        The system automatically performs basic optimization on the policy statement. The system performs the following operations during basic optimization:

        • Deletes unnecessary conditions.

        • Deletes unnecessary arrays.

      • Optional: Advanced optimization

        You can move the pointer over Optional advanced optimize and click Perform. The system performs the following operations during advanced optimization:

        • Splits resources or conditions that are incompatible with actions.

        • Reduces the number of resources.

        • Deduplicates or merges policy statements.

    7. Click OK.

  2. Grant the required permissions to the RAM user that you use.

    1. Log on to the RAM console.

    2. In the left-side navigation pane, choose Identities > Users.

    3. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.

    4. In the Add Permissions panel, configure the required parameters.

      | Parameter | Description |
      | --- | --- |
      | Authorized Scope | Select Alibaba Cloud Account. Note: If you want to grant a RAM user the permissions to activate DCDN and modify configurations, you must authorize the Alibaba Cloud Account to which the RAM user belongs. If you select Specific Resource Group, the permissions to activate DCDN and modify configurations do not take effect for the RAM user. |
      | Principal | The current RAM user is automatically selected. |
      | Select Policy | Click Custom Policy. Enter the name of the custom policy that you created in Step 1. In this example, the name of the custom policy is AliyunDcdntest. After the system displays the custom policy, click the name of the custom policy to add the policy to the Selected list. |

    5. Click OK.

    6. Click Complete.
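
The "excluding" policies in Examples 2 and 4 work because an explicit Deny overrides the dcdn:* Allow, while the "only" policies rely on everything else being denied by default. The following sketch is an added example, not Alibaba Cloud code: a simplified evaluator that checks which of the scopes from the Permission scopes table each custom policy yields. It assumes Resource is "*" and does not evaluate Condition blocks; dcdn:ExampleOtherAction is a hypothetical action name standing in for any other DCDN operation.

```python
from fnmatch import fnmatchcase

ACTIVATE = "dcdn:OpenDcdnService"     # service activation (action named on the page)
MODIFY = "dcdn:ModifyDcdnService"     # metering-method change (action named on the page)
OTHER = "dcdn:ExampleOtherAction"     # hypothetical stand-in for any other DCDN action

def evaluate(policy, action):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action.

    Assumptions: Resource is "*" as in the page's policies, and Condition
    blocks are not evaluated (none of the dcdn statements carries one).
    """
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        patterns = actions if isinstance(actions, list) else [actions]
        if any(fnmatchcase(action, p) for p in patterns):
            if stmt["Effect"] == "Deny":
                return "Deny"             # an explicit Deny overrides every Allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"

def scope(policy):
    """(can_activate, can_modify, other_dcdn_access) as booleans."""
    return tuple(evaluate(policy, a) == "Allow" for a in (ACTIVATE, MODIFY, OTHER))

def full_except(*denied):
    """Build the page's 'dcdn:* Allow plus explicit Deny' policy shape."""
    return {"Version": "1", "Statement": [
        {"Action": "dcdn:*", "Resource": "*", "Effect": "Allow"},
        {"Action": list(denied), "Resource": "*", "Effect": "Deny"},
        {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": ["logdelivery.dcdn.aliyuncs.com"]}}},
    ]}

def only(*allowed):
    """Build the page's allow-list policy shape."""
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": list(allowed), "Resource": "*"}]}

# The page's custom policies, keyed by short forms of the scope names in its table.
POLICIES = {
    "full, excluding activation": full_except(ACTIVATE),
    "full, excluding modification": full_except(MODIFY),
    "only activation": only(ACTIVATE),
    "only modification": only(MODIFY),
    "only activation and modification": only(ACTIVATE, MODIFY),
    "full, excluding both": full_except(MODIFY, ACTIVATE),
}

if __name__ == "__main__":
    for name, policy in POLICIES.items():
        print(f"{name:34} {scope(policy)}")
```

Running the script prints one (activate, modify, other) tuple per policy, which makes it easy to confirm that a policy pasted into the JSON tab matches the intended row of the table before it is attached.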