When a sub-account requests access to main account CDN resources using CDN Open APIs, the CDN backend sends a request to RAM to check access levels, to make sure that the resource owner indeed has granted access to these resources to the caller.
Each CDN API determines the access to which resources needs to be checked according to the involved resources and the semantics of the API. The authentication rules for each API are shown in the following table.
| API | Authentication Rules |
|---|---|
| OpenCdnService | acs:cdn::$accountid: |
| DescribeCdnService | acs:cdn::$accountid: |
| ModifyCdnService | acs:cdn::$accountid: |
| DescribeUserDomains | acs:cdn::$accountid:domain/ |
| DescribeCdnDomainDetail | acs:cdn:*:$accountid:domain/$domainName |
| AddCdnDomain | acs:cdn::$accountid:domain/ |
| StartCdnDomain | acs:cdn:*:$accountid:domain/$domainName |
| StopCdnDomain | acs:cdn:*:$accountid:domain/$domainName |
| DeleteCdnDomain | acs:cdn:*:$accountid:domain/$domainName |
| DescribeDomainConfigs | acs:cdn:*:$accountid:domain/$domainName |
| SetOptimizeConfig | acs:cdn:*:$accountid:domain/$domainName |
| SetPageCompressConfig | acs:cdn:*:$accountid:domain/$domainName |
| SetIgnoreQueryStringConfig | acs:cdn:*:$accountid:domain/$domainName |
| SetRangeConfig | acs:cdn:*:$accountid:domain/$domainName |
| SetVideoSeekConfig | acs:cdn:*:$accountid:domain/$domainName |
| SetSourceHostConfig | acs:cdn:*:$accountid:domain/$domainName |
| SetErrorPageConfig | acs:cdn:*:$accountid:domain/$domainName |
| SetForceRedirectConfig | acs:cdn:*:$accountid:domain/$domainName |
| SetRefererConfig | acs:cdn:*:$accountid:domain/$domainName |
| SetFileCacheExpiredConfig | acs:cdn:*:$accountid:domain/$domainName |
| SetPathCacheExpiredConfig | acs:cdn:*:$accountid:domain/$domainName |
| ModifyFileCacheExpiredConfig | acs:cdn:*:$accountid:domain/$domainName |
| ModifyPathCacheExpiredConfig | acs:cdn:*:$accountid:domain/$domainName |
| DeleteCacheExpiredConfig | acs:cdn:*:$accountid:domain/$domainName |
| SetReqAuthConfig | acs:cdn:*:$accountid:domain/$domainName |
| SetHttpHeaderConfig | acs:cdn:*:$accountid:domain/$domainName |
| ModifyHttpHeaderConfig | acs:cdn:*:$accountid:domain/$domainName |
| DeleteHttpHeaderConfig | acs:cdn:*:$accountid:domain/$domainName |
| RefreshObjectCaches | acs:cdn::$accountid:domain/ |
| PushObjectCache | acs:cdn::$accountid:domain/ |
| DescribeRefreshTasks | acs:cdn::$accountid:domain/ |
| DescribeRefreshQuota | acs:cdn::$accountid:domain/ |
| DescribeLiveStreamsPublishList | acs:cdn:*:$accountid:domain/$domainName |
| DescribeLiveStreamsOnlineList | acs:cdn:*:$accountid:domain/$domainName |
| DescribeLiveStreamsBlockList | acs:cdn:*:$accountid:domain/$domainName |
| DescribeLiveStreamsControlHistory | acs:cdn:*:$accountid:domain/$domainName |
| DescribeLiveStreamOnlineUserNum | acs:cdn:*:$accountid:domain/$domainName |
| ForbidLiveStream | acs:cdn:*:$accountid:domain/$domainName |
| ResumeLiveStream | acs:cdn:*:$accountid:domain/$domainName |
| SetLiveStreamsNotifyUrlConfig | acs:cdn:*:$accountid:domain/$domainName |
| DescribeDomainBpsData | acs:cdn::$accountid:domain/ acs:cdn:*:$accountid:domain/$domainName |
| DescribeDomainFlowData | acs:cdn::$accountid:domain/ acs:cdn:*:$accountid:domain/$domainName |
| DescribeDomainSrcBpsData | acs:cdn::$accountid:domain/ acs:cdn:*:$accountid:domain/$domainName |
| DescribeDomainSrcFlowData | acs:cdn::$accountid:domain/ acs:cdn:*:$accountid:domain/$domainName |
| DescribeDomainHitRateData | acs:cdn::$accountid:domain/ acs:cdn:*:$accountid:domain/$domainName |
| DescribeDomainQpsData | acs:cdn::$accountid:domain/ acs:cdn:*:$accountid:domain/$domainName |
| DescribeDomainHttpCodeData | acs:cdn::$accountid:domain/ acs:cdn:*:$accountid:domain/$domainName |
| DescribeDomainsUsageByDay | acs:cdn::$accountid:domain/ acs:cdn:*:$accountid:domain/$domainName |
| DescribeTopDomainsByFlow | acs:cdn::$accountid:domain/ |
| DescribeDomainPvData | acs:cdn::$accountid:domain/ acs:cdn:*:$accountid:domain/$domainName |
| DescribeDomainUvData | acs:cdn::$accountid:domain/ acs:cdn:*:$accountid:domain/$domainName |
| DescribeDomainRegionData | acs:cdn::$accountid:domain/ acs:cdn:*:$accountid:domain/$domainName |
| DescribeDomainISPData | acs:cdn::$accountid:domain/ acs:cdn:*:$accountid:domain/$domainName |
| DescribeDomainTopUrlVisit | acs:cdn::$accountid:domain/ acs:cdn:*:$accountid:domain/$domainName |
| DescribeDomainTopReferVisitl | acs:cdn::$accountid:domain/ acs:cdn:*:$accountid:domain/$domainName |
| DescribeDomainFileSizeProportionData | acs:cdn::$accountid:domain/ acs:cdn:*:$accountid:domain/$domainName |
| DescribeDomainCCData | acs:cdn::$accountid:domain/ acs:cdn:*:$accountid:domain/$domainName |
| DescribeDomainWafData | acs:cdn::$accountid:domain/ acs:cdn:*:$accountid:domain/$domainName |
| DescribeCdnDomainLogs | acs:cdn::$accountid:domain/ acs:cdn:*:$accountid:domain/$domainName |
| DescribeIpInfo | acs:cdn::$accountid:domain/ |