By default, new Resource Access Management (RAM) users do not have permissions to activate Alibaba Cloud Dynamic Content Delivery Network (DCDN) or change the metering method of DCDN. If you want to activate DCDN or change the metering method of DCDN, you need to log on to the RAM console and grant permissions to the RAM users.
Prerequisites
A RAM user is created. If you have not created a RAM user, follow the instructions provided in Create a RAM user to create a RAM user.
Background information
RAM is an Alibaba Cloud service that is used to manage user identities and resource access permissions. RAM supports system and custom policies. You can use system policies to grant full permissions (including service activation and configuration modification) on DCDN to RAM users. You can use custom policies to grant RAM users the permissions to activate DCDN, to modify configurations, or both.
System policies
System policies are configured and provided by Alibaba Cloud. You cannot modify system policies. A system policy grants full permissions (including service activation and configuration modification) on DCDN to RAM users. Only a few steps are required to grant permissions to RAM users by using system policies.
Custom policies
You can create or modify custom policies to implement fine-grained permission control. For example, you can use custom policies to grant RAM users the permissions to activate DCDN, to modify configurations, or both.
Permission scopes
The following table describes the scopes of the permissions that you can grant to a RAM user. For example, you can grant a RAM user the permissions to activate DCDN or modify configurations.
In this topic, configuration modification refers to the change of the metering method.
Permission | Description | References |
Full permissions (including service activation and configuration modification) | Full permissions on DCDN, such as the permissions to configure cache policies and back-to-origin settings, activate DCDN, and change the metering method. | |
Full permissions (excluding service activation) | Full permissions on DCDN, such as the permissions to configure cache policies and back-to-origin settings and change the metering method. The permissions to activate DCDN are excluded. | |
Full permissions (excluding configuration modification) | Full permissions on DCDN, such as the permissions to configure cache policies and back-to-origin settings and activate DCDN. The permissions to change the metering method are excluded. | |
Only service activation permissions | Only the permissions to activate DCDN. | |
Only configuration modification permissions | Only the permissions to change the metering method. | |
Only service activation and configuration modification permissions | Only the permissions to activate DCDN and change the metering method. | |
Full permissions (excluding service activation and configuration modification) | Full permissions on DCDN, such as the permissions to configure cache policies and back-to-origin settings. The permissions to activate DCDN and change the metering method are excluded. |
Example 1: Attach a system policy to a RAM user (including service activation and configuration modification)
Log on to the RAM console.
In the left-side navigation pane, choose .
On the Users page, find the RAM user to which you want to attach the policy, and click Add Permissions in the Actions column.
In the Add Permissions panel, configure the required parameters.
In the Authorized Scope section, select Alibaba Cloud Account.
Note: If you want to grant a RAM user the permissions to activate DCDN and modify configurations, you must authorize the Alibaba Cloud Account to which the RAM user belongs. If you select Specific Resource Group, the permissions to activate DCDN and modify configurations do not take effect for the RAM user.
Select System Policy.
Enter DCDN in the search box. All system policies that are related to DCDN are displayed.
Click AliyunDCDNFullAccess to add the policy to the Selected list.
Click OK.
Click Complete.
Example 2: Attach a custom policy to a RAM user (including service activation or configuration modification)
Create a custom policy.
Log on to the RAM console.
In the left-side navigation pane, choose .
Click Create Policy.
Click the JSON tab and configure a custom policy.
The following code block shows the content of the custom policy:
Full permissions (excluding service activation)
{
  "Version": "1",
  "Statement": [
    {
      "Action": "dcdn:*",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dcdn:OpenDcdnService"
      ],
      "Resource": "*",
      "Effect": "Deny"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "logdelivery.dcdn.aliyuncs.com"
          ]
        }
      }
    }
  ]
}
Full permissions (excluding configuration modification)
{
  "Version": "1",
  "Statement": [
    {
      "Action": "dcdn:*",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dcdn:ModifyDcdnService"
      ],
      "Resource": "*",
      "Effect": "Deny"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "logdelivery.dcdn.aliyuncs.com"
          ]
        }
      }
    }
  ]
}
Only service activation permissions
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dcdn:OpenDcdnService"
      ],
      "Resource": "*"
    }
  ],
  "Version": "1"
}
Only configuration modification permissions
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dcdn:ModifyDcdnService"
      ],
      "Resource": "*"
    }
  ],
  "Version": "1"
}
Click Next to edit policy information. On the page that appears, configure the Name and Description parameters for the policy.
Parameter | Description |
Name | Enter a name for the custom policy. In this example, AliyunDcdntest is used. |
Description | Enter a description for the custom policy. This parameter is optional. |
Check and optimize the content of the custom policy.
Basic optimization
The system automatically performs basic optimization on the policy statement. The system performs the following operations during basic optimization:
Deletes unnecessary conditions.
Deletes unnecessary arrays.
Optional: Advanced optimization
You can move the pointer over Optional advanced optimize and click Perform. The system performs the following operations during advanced optimization:
Splits resources or conditions that are incompatible with actions.
Reduces the number of resources.
Deduplicates or merges policy statements.
Click OK.
Grant the required permissions to the RAM user that you use.
Log on to the RAM console.
In the left-side navigation pane, choose .
On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
In the Add Permissions panel, configure the required parameters.
Parameter | Description |
Authorized Scope | Select Alibaba Cloud Account. Note: If you want to grant a RAM user the permissions to activate DCDN and modify configurations, you must authorize the Alibaba Cloud Account to which the RAM user belongs. If you select Specific Resource Group, the permissions to activate DCDN and modify configurations do not take effect for the RAM user. |
Principal | The current RAM user is automatically selected. |
Select Policy | Click Custom Policy. Enter the name of the custom policy that you created in Step 1. In this example, the name of the custom policy is AliyunDcdntest. After the system displays the custom policy, click the name of the custom policy to add the policy to the Selected list. |
Click OK.
Click Complete.
Example 3: Attach a custom policy to a RAM user (only service activation and configuration modification)
Create a custom policy.
Log on to the RAM console.
In the left-side navigation pane, choose .
Click Create Policy.
Click the JSON tab and configure a custom policy.
The following code block shows the content of the custom policy:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dcdn:OpenDcdnService",
        "dcdn:ModifyDcdnService"
      ],
      "Resource": "*"
    }
  ],
  "Version": "1"
}
Click Next to edit policy information. On the page that appears, configure the Name and Description parameters for the policy.
Parameter | Description |
Name | Enter a name for the custom policy. In this example, AliyunDcdntest is used. |
Description | Enter a description for the custom policy. This parameter is optional. |
Check and optimize the content of the custom policy.
Basic optimization
The system automatically performs basic optimization on the policy statement. The system performs the following operations during basic optimization:
Deletes unnecessary conditions.
Deletes unnecessary arrays.
Optional: Advanced optimization
You can move the pointer over Optional advanced optimize and click Perform. The system performs the following operations during advanced optimization:
Splits resources or conditions that are incompatible with actions.
Reduces the number of resources.
Deduplicates or merges policy statements.
Click OK.
Grant the required permissions to the RAM user that you use.
Log on to the RAM console.
In the left-side navigation pane, choose .
On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
In the Add Permissions panel, configure the required parameters.
Parameter | Description |
Authorized Scope | Select Alibaba Cloud Account. Note: If you want to grant a RAM user the permissions to activate DCDN and modify configurations, you must authorize the Alibaba Cloud Account to which the RAM user belongs. If you select Specific Resource Group, the permissions to activate DCDN and modify configurations do not take effect for the RAM user. |
Principal | The current RAM user is automatically selected. |
Select Policy | Click Custom Policy. Enter the name of the custom policy that you created in Step 1. In this example, the name of the custom policy is AliyunDcdntest. After the system displays the custom policy, click the name of the custom policy to add the policy to the Selected list. |
Click OK.
Click Complete.
Example 4: Attach a custom policy to a RAM user (excluding service activation and configuration modification)
Create a custom policy.
Log on to the RAM console.
In the left-side navigation pane, choose .
Click Create Policy.
Click the JSON tab and configure a custom policy.
The following code block shows the content of the custom policy:
{
  "Version": "1",
  "Statement": [
    {
      "Action": "dcdn:*",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dcdn:ModifyDcdnService",
        "dcdn:OpenDcdnService"
      ],
      "Resource": "*",
      "Effect": "Deny"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "logdelivery.dcdn.aliyuncs.com"
          ]
        }
      }
    }
  ]
}
Click Next to edit policy information. On the page that appears, configure the Name and Description parameters for the policy.
Parameter | Description |
Name | Enter a name for the custom policy. In this example, AliyunDcdntest is used. |
Description | Enter a description for the custom policy. This parameter is optional. |
Check and optimize the content of the custom policy.
Basic optimization
The system automatically performs basic optimization on the policy statement. The system performs the following operations during basic optimization:
Deletes unnecessary conditions.
Deletes unnecessary arrays.
Optional: Advanced optimization
You can move the pointer over Optional advanced optimize and click Perform. The system performs the following operations during advanced optimization:
Splits resources or conditions that are incompatible with actions.
Reduces the number of resources.
Deduplicates or merges policy statements.
Click OK.
Grant the required permissions to the RAM user that you use.
Log on to the RAM console.
In the left-side navigation pane, choose .
On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
In the Add Permissions panel, configure the required parameters.
Parameter | Description |
Authorized Scope | Select Alibaba Cloud Account. Note: If you want to grant a RAM user the permissions to activate DCDN and modify configurations, you must authorize the Alibaba Cloud Account to which the RAM user belongs. If you select Specific Resource Group, the permissions to activate DCDN and modify configurations do not take effect for the RAM user. |
Principal | The current RAM user is automatically selected. |
Select Policy | Click Custom Policy. Enter the name of the custom policy that you created in Step 1. In this example, the name of the custom policy is AliyunDcdntest. After the system displays the custom policy, click the name of the custom policy to add the policy to the Selected list. |
Click OK.
Click Complete.
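The custom policies in Examples 2 to 4 rely on an explicit Deny overriding the dcdn:* Allow. The following added example (not part of the Alibaba Cloud documentation) is a small offline check that reports which of the scopes in the permission table a policy document grants before you attach it. It assumes case-sensitive wildcard matching of action names, decides only unconditional statements on Resource "*", and uses a constructed probe action name to stand for any other DCDN action; the function and variable names are hypothetical.

```python
import json
from fnmatch import fnmatchcase

ACTIVATE = "dcdn:OpenDcdnService"    # activates DCDN (action name from the page)
METERING = "dcdn:ModifyDcdnService"  # changes the metering method (from the page)
OTHER = "dcdn:ConstructedProbeAction"  # constructed name: any other DCDN action

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action):
    """Explicit Deny wins, then any matching Allow; no match means denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        # Assumption: only unconditional statements on Resource "*" are decided
        # automatically; anything narrower is flagged for manual review.
        if "Condition" in stmt or _as_list(stmt["Resource"]) != ["*"]:
            raise ValueError(f"manual review needed for {action}: {stmt}")
        if stmt["Effect"] == "Deny":
            return False
        allowed = allowed or stmt["Effect"] == "Allow"
    return allowed

def scope(policy_json):
    """Summarise a policy in the terms of the permission-scope table."""
    policy = json.loads(policy_json)
    return {name: is_allowed(policy, action) for name, action in
            (("activate", ACTIVATE), ("metering", METERING), ("other", OTHER))}

# Policies copied from Example 4 and Example 3 of this page.
EXAMPLE_4 = """{"Version": "1", "Statement": [
  {"Action": "dcdn:*", "Resource": "*", "Effect": "Allow"},
  {"Action": ["dcdn:ModifyDcdnService", "dcdn:OpenDcdnService"],
   "Resource": "*", "Effect": "Deny"},
  {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals":
     {"ram:ServiceName": ["logdelivery.dcdn.aliyuncs.com"]}}}]}"""
EXAMPLE_3 = """{"Statement": [{"Effect": "Allow", "Action":
  ["dcdn:OpenDcdnService", "dcdn:ModifyDcdnService"], "Resource": "*"}],
  "Version": "1"}"""

if __name__ == "__main__":
    for label, doc in (("Example 4", EXAMPLE_4), ("Example 3", EXAMPLE_3)):
        print(label, scope(doc))
```

A policy that raises ValueError contains a conditional or resource-scoped statement on one of the checked actions and has to be reviewed by hand.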