You can grant the required permissions to sub-accounts (RAM users) through Alibaba Cloud Resource Access Management (RAM) so that the sub-accounts can use the MPS console within the authorized scope, and only within it.

The permissions of a sub-account consist of the authorization to use MPS itself and the permissions on the OSS, CDN, and MNS resource objects that MPS reads from, writes to, and notifies. After you have planned which resource instances of these services the sub-account needs, create authorization policies from the corresponding authorization templates and grant them to the sub-account.

The following variables are used in the resource authorization policies of each service. Replace every one of them with the actual resource instance name before you create a policy.

Description of variables

  • $Uid: Alibaba Cloud account ID (the account that owns the resources, not the sub-account). You can find it by logging on to the console > Account Management > Security Settings.

  • $Region: Region of the service instance, for example cn-hangzhou. For more information, see the service region list.
  • $InputBucket: Name of the MPS input bucket.
  • $OutputBucket: Name of the MPS output bucket.
  • $QueueName: MNS queue name.
  • $TopicName: MNS notification topic name.
  • $DomainName: CDN domain name.

Authorization policy creation descriptions

Log on to the RAM console > Policies, create the following example custom authorization policies for the specified resource instances, and grant them to the specified sub-account.

Note Copy the authorization policy of each service from the examples in this document and replace the variables with the names of the corresponding service instances. A policy that still contains a literal placeholder such as $InputBucket matches no real resource, so check the rendered policy document before you save it.

Note After the authorization policies have been created for the various service resource objects, grant them to the corresponding sub-accounts. See the permission granting instructions of MPS.

MPS

You can directly use the built-in AliyunMTSFullAccess system authorization policy, which grants all MPS (formerly MTS) operations on all MPS resources of the account.

Permission description:

  • Permission granted to a sub-account to use MPS (MTS)

Log on to the RAM console > Users, and grant the AliyunMTSFullAccess permission to the specified sub-account.

OSS authorization policy

Permission description:

  • Permission for all operations on the specified input and output buckets and the objects in them
  • Permission to view the bucket list of the account (oss:ListBuckets is the only action allowed on all buckets)

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:*"
      ],
      "Resource": [
        "acs:oss:*:*:$InputBucket",
        "acs:oss:*:*:$InputBucket/*",
        "acs:oss:*:*:$OutputBucket",
        "acs:oss:*:*:$OutputBucket/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "oss:ListBuckets"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

MNS authorization policy

Permission description:

  • Permission for all operations on the specified queue and topic
  • Permission to query (mns:Get* and mns:List*) the queues and topics of the account; no write operations are allowed outside the specified queue and topic

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "mns:*"
      ],
      "Resource": [
        "acs:mns:$Region:$Uid:/queues/$QueueName",
        "acs:mns:$Region:$Uid:/topics/$TopicName"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "mns:Get*",
        "mns:List*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

CDN authorization policy

Permission description:

  • Permission for all operations on the specified CDN domain name
  • Permission to query (cdn:Describe*) CDN domain names and configuration of the account; changes are allowed only on the specified domain name

{
  "Version": "1",
  "Statement": [
    {
      "Action": "cdn:*",
      "Resource": [
        "acs:cdn:*:$Uid:domain/$DomainName"
      ],
      "Effect": "Allow"
    },
    {
      "Action": "cdn:Describe*",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
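The procedure above is the same for OSS, MNS, and CDN: take the template, replace the $Variables with instance names, and check that nothing broader than intended is granted before creating the policy. The following script is an added example, not part of this page or of Alibaba Cloud's tooling. It renders the three policy templates from this page with concrete values, refuses to render a policy with an unfilled placeholder, and flags any statement that would grant a whole service on every resource. The policy names (mps-oss-access and so on), the sample account ID, region, bucket, queue, topic, and domain values are constructed for the example; replace them with your own.

```python
"""Render and sanity-check the OSS, MNS and CDN RAM policy templates from this page.

Added example: the templates are the page's, the helper code and the sample
values are not from Alibaba Cloud. Output is ready to pass to
`aliyun ram CreatePolicy --PolicyName <name> --PolicyDocument <doc>` (assumed CLI usage).
"""
import json
import string

# Policy templates from the page (the MNS template's stray trailing comma removed
# so that it parses). Placeholders are the page's $Variables.
OSS_TEMPLATE = """{
  "Version": "1",
  "Statement": [
    {"Action": ["oss:*"],
     "Resource": ["acs:oss:*:*:$InputBucket", "acs:oss:*:*:$InputBucket/*",
                  "acs:oss:*:*:$OutputBucket", "acs:oss:*:*:$OutputBucket/*"],
     "Effect": "Allow"},
    {"Action": ["oss:ListBuckets"], "Resource": "*", "Effect": "Allow"}
  ]
}"""

MNS_TEMPLATE = """{
  "Version": "1",
  "Statement": [
    {"Action": ["mns:*"],
     "Resource": ["acs:mns:$Region:$Uid:/queues/$QueueName",
                  "acs:mns:$Region:$Uid:/topics/$TopicName"],
     "Effect": "Allow"},
    {"Action": ["mns:Get*", "mns:List*"], "Resource": "*", "Effect": "Allow"}
  ]
}"""

CDN_TEMPLATE = """{
  "Version": "1",
  "Statement": [
    {"Action": "cdn:*", "Resource": ["acs:cdn:*:$Uid:domain/$DomainName"], "Effect": "Allow"},
    {"Action": "cdn:Describe*", "Resource": "*", "Effect": "Allow"}
  ]
}"""

# Policy names are an assumption of this example, not names the page prescribes.
TEMPLATES = {"mps-oss-access": OSS_TEMPLATE,
             "mps-mns-access": MNS_TEMPLATE,
             "mps-cdn-access": CDN_TEMPLATE}


def render_policy(template, variables):
    """Fill every $Variable and parse the result as JSON.

    string.Template.substitute raises KeyError for a placeholder that was not
    supplied, so a policy can never be created with a literal "$InputBucket".
    """
    return json.loads(string.Template(template).substitute(variables))


def _as_list(value):
    """RAM policies accept a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def overbroad_statements(policy):
    """Indexes of Allow statements granting a whole service ("*" or "svc:*") on
    every resource ("*"). Read-only wildcards such as mns:Get* on "*" are what
    the page intends and are not flagged."""
    hits = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        service_wide = any(a == "*" or a.endswith(":*") for a in _as_list(stmt["Action"]))
        any_resource = any(r == "*" for r in _as_list(stmt["Resource"]))
        if service_wide and any_resource:
            hits.append(i)
    return hits


def render_all(variables):
    """Render every template into {policy name: compact JSON document}.

    Raises ValueError instead of returning anything if a rendered policy is
    over-broad, so a mis-edited template is caught before it reaches RAM.
    """
    docs = {}
    for name, template in TEMPLATES.items():
        policy = render_policy(template, variables)
        bad = overbroad_statements(policy)
        if bad:
            raise ValueError(f"{name}: statement(s) {bad} grant service-wide access on all resources")
        docs[name] = json.dumps(policy, separators=(",", ":"))
    return docs


# Constructed sample values for the example; replace with your real instance names.
SAMPLE_VARIABLES = {
    "Uid": "123456789012345",
    "Region": "cn-hangzhou",
    "InputBucket": "mps-input-example",
    "OutputBucket": "mps-output-example",
    "QueueName": "mps-notify-queue",
    "TopicName": "mps-notify-topic",
    "DomainName": "media.example.com",
}

if __name__ == "__main__":
    for name, doc in render_all(SAMPLE_VARIABLES).items():
        print(name, doc)
```

The check is deliberately narrow: it only rejects the combination of a service-wide action wildcard with a "*" resource, which is the mistake that turns a scoped policy into AliyunOSSFullAccess in all but name. The read-only wildcards on "*" that the page's templates contain are kept, because listing buckets, queues, and domains is needed to use the console at all.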