Use RAM to give a subaccount access to its primary account’s CDN resources.
- When an Alibaba Cloud account activates the CDN service and creates CDN domains, all services and CDN domains are held as resources of this account. By default, accounts have full operation permissions on their resources.
- Alibaba Cloud Resource Access Management (RAM) allows you to grant RAM sub-users the permission to access and manage the resources under your Alibaba Cloud account.
- Make sure that you have read the RAM product documentation and API documentation carefully before learning how to use RAM to grant access to CDN resources.
- If you do not need RAM, skip this section.
CDN authorizable resource type in RAM
Currently, authorizable resource type and description methods in RAM are set out as following table:
| Resource type | Resource descriptions in authorization policy | Description |
|---|---|---|
| service | acs:cdn:*:$accountid:* | Authorizes subaccounts to manage CDN services,such as changing configuration and querying account information. |
| domain | acs:cdn:*:$accountid:domain/$domainNameacs:cdn:*:$accountid:domain/* | Authorizes subaccounts to manage their own CDN domains,such as adding, configuring, and querying domain names. |
CDN API authentication rules when a subaccount requests access to resources of primary CDN account
When a subaccount requests access to resources of primary CDN account through CDN Open APIs, CDN backend sends one corresponding request to RAM to check authority granting, in order to ensure that the resource owner grants the caller access right to relevant resources.
Each different CDN API determines authority of relevant resources according to the involved resources and the semantics of the API. Authentication rules for each API are listed as follows:
| API | Authentication rules |
|---|---|
| OpenCdnService | acs:cdn:*:$accountid:* |
| Describecdnservice | acs:cdn:*:$accountid:* |
| ModifyCdnService | acs:cdn:*:$accountid:* |
| DescribeUserDomains | acs:cdn::$accountid:domain/ |
| DescribeCdnDomainDetail | acs:cdn:*:$accountid:domain/$domainName |
| AddCdnDomain | acs:cdn::$accountid:domain/ |
| StartCdnDomain | acs:cdn:*:$accountid:domain/$domainName |
| StopCdnDomain | acs:cdn:*:$accountid:domain/$domainName |
| DeleteCdnDomain | acs:cdn:*:$accountid:domain/$domainName |
| DescribeDomainConfigs | acs:cdn:*:$accountid:domain/$domainName |
| SetOptimizeConfig | acs:cdn:*:$accountid:domain/$domainName |
| SetPageCompressConfig | acs:cdn:*:$accountid:domain/$domainName |
| SetIgnoreQueryStringConfig | acs:cdn:*:$accountid:domain/$domainName |
| SetRangeConfig | acs:cdn:*:$accountid:domain/$domainName |
| SetVideoSeekConfig | acs:cdn:*:$accountid:domain/$domainName |
| SetSourceHostConfig | acs:cdn:*:$accountid:domain/$domainName |
| SetErrorPageConfig | acs:cdn:*:$accountid:domain/$domainName |
| SetForceRedirectConfig | acs:cdn:*:$accountid:domain/$domainName |
| SetRefererConfig | acs:cdn:*:$accountid:domain/$domainName |
| SetFileCacheExpiredConfig | acs:cdn:*:$accountid:domain/$domainName |
| SetPathCacheExpiredConfig | acs:cdn:*:$accountid:domain/$domainName |
| ModifyFileCacheExpiredConfig | acs:cdn:*:$accountid:domain/$domainName |
| ModifyPathCacheExpiredConfig | acs:cdn:*:$accountid:domain/$domainName |
| DeleteCacheExpiredConfig | acs:cdn:*:$accountid:domain/$domainName |
| SetReqAuthConfig | acs:cdn:*:$accountid:domain/$domainName |
| SetHttpHeaderConfig | acs:cdn:*:$accountid:domain/$domainName |
| ModifyHttpHeaderConfig | acs:cdn:*:$accountid:domain/$domainName |
| Deletehttpheaderconfig | acs:cdn:*:$accountid:domain/$domainName |
| RefreshObjectCaches | acs:cdn::$accountid:domain/ |
| PushObjectCache | acs:cdn::$accountid:domain/ |
| DescribeRefreshTasks | acs:cdn::$accountid:domain/ |
| DescribeRefreshQuota | acs:cdn::$accountid:domain/ |
| DescribeLiveStreamsPublishList | acs:cdn:*:$accountid:domain/$domainName |
| DescribeLiveStreamsOnlineList | acs:cdn:*:$accountid:domain/$domainName |
| DescribeLiveStreamsBlockList | ACS: CDN: *: $ accounts: domain/$ domainname |
| DescribeLiveStreamsControlHistory | acs:cdn:*:$accountid:domain/$domainName |
| Describelivestreamonlineusernum | acs:cdn:*:$accountid:domain/$domainName |
| ForbidLiveStream | acs:cdn:*:$accountid:domain/$domainName |
| ResumeLiveStream | acs:cdn:*:$accountid:domain/$domainName |
| SetLiveStreamsNotifyUrlConfig | acs:cdn:*:$accountid:domain/$domainName |
| DescribeDomainBpsData | acs:cdn::$accountid:domain/ acs:cdn:*:$accountid:domain/$domainName |
| DescribeDomainFlowData | acs:cdn::$accountid:domain/ acs:cdn:*:$accountid:domain/$domainName |
| DescribeDomainSrcBpsData | acs:cdn::$accountid:domain/ acs:cdn:*:$accountid:domain/$domainName |
| DescribeDomainSrcFlowData | acs:cdn::$accountid:domain/ acs:cdn:*:$accountid:domain/$domainName |
| DescribeDomainHitRateData | acs:cdn::$accountid:domain/ acs:cdn:*:$accountid:domain/$domainName |
| DescribeDomainQpsData | acs:cdn::$accountid:domain/ acs:cdn:*:$accountid:domain/$domainName |
| DescribeDomainHttpCodeData | acs:cdn::$accountid:domain/ acs:cdn:*:$accountid:domain/$domainName |
| DescribeDomainsUsageByDay | acs:cdn::$accountid:domain/ acs:cdn:*:$accountid:domain/$domainName |
| DescribeTopDomainsByFlow | acs:cdn::$accountid:domain/ |
| DescribeDomainPvData | acs:cdn::$accountid:domain/ acs:cdn:*:$accountid:domain/$domainName |
| DescribeDomainUvData | acs:cdn::$accountid:domain/ acs:cdn:*:$accountid:domain/$domainName |
| DescribeDomainRegionData | acs:cdn::$accountid:domain/ acs:cdn:*:$accountid:domain/$domainName |
| DescribeDomainISPData | acs:cdn::$accountid:domain/ acs:cdn:*:$accountid:domain/$domainName |
| DescribeDomainTopUrlVisit | acs:cdn::$accountid:domain/ acs:cdn:*:$accountid:domain/$domainName |
| DescribeDomainTopReferVisitl | acs:cdn::$accountid:domain/ acs:cdn:*:$accountid:domain/$domainName |
| DescribeDomainFileSizeProportionData | acs:cdn::$accountid:domain/ acs:cdn:*:$accountid:domain/$domainName |
| DescribeDomainCCData | acs:cdn::$accountid:domain/ acs:cdn:*:$accountid:domain/$domainName |
| DescribeDomainWafData | acs:cdn::$accountid:domain/ acs:cdn:*:$accountid:domain/$domainName |
| Describecdndomainlogs | acs:cdn::$accountid:domain/ acs:cdn:*:$accountid:domain/$domainName |
| DescribeIpInfo | acs:cdn::$accountid:domain/ |