
Sub-account console operating instructions

Last Updated: Apr 13, 2018

You can use Alibaba Cloud Resource Access Management (RAM) to grant permissions to sub-accounts so that they can use the MPS console within the authorized scope.

A sub-account mainly needs authorization to use MPS and permissions on OSS, CDN, and MNS resource objects. After planning the resource instances of the sub-account with these services, you can create authorization policies based on the corresponding authorization templates and grant the permissions to the sub-account.

The following variables are used in the resource authorization policies of each service. Replace them with the actual resource instance names.

Description of variables

  • $Uid: Cloud account ID. You can query it by logging on to the console and clicking Account Management > Security Settings.

  • $Region: Service region. For more information, see service region.

  • $InputBucket: MPS InputBucket.

  • $OutputBucket: MPS Output Bucket.

  • $QueueName: MNS queue name.

  • $TopicName: MNS notification topic.

  • $DomainName: CDN domain name.

Authorization policy creation descriptions

Log on to the RAM console > Policies, and create the following example custom authorization policies for the specified resource instance and grant them to the specified sub-account.

Note: Copy the example authorization policy for each service from this document, and replace the variables with the names of the corresponding service instances.

After the authorization policies are created for various service resource objects, you can grant the permissions to corresponding sub-accounts. See the permission granting instructions of MPS.

MPS

You can directly use the built-in AliyunMTSFullAccess authorization policy.

Permission description:

  1. Permission granted to a sub-account to use MTS

Log on to the RAM console > Users, and grant the AliyunMTSFullAccess permission to the specified sub-account.

OSS authorization policy

Permission description:

  1. Permission for all operations on the specified input and output buckets
  2. Permission to view the bucket list

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "oss:*"
          ],
          "Resource": [
            "acs:oss:*:*:$InputBucket",
            "acs:oss:*:*:$InputBucket/*",
            "acs:oss:*:*:$OutputBucket",
            "acs:oss:*:*:$OutputBucket/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "oss:ListBuckets"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

MNS authorization policy

Permission description:

  1. Permission for all operations on the specified queue and topic
  2. Permission to query the queue and topic

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "mns:*"
          ],
          "Resource": [
            "acs:mns:$Region:$Uid:/queues/$QueueName",
            "acs:mns:$Region:$Uid:/topics/$TopicName"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "mns:Get*",
            "mns:List*"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
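
A check to run on a policy before pasting it into the RAM console, as an added example that is not part of the original documentation: it fills the variables into the MNS template above, rejects values that would widen the scope, and flags any Allow statement that pairs non-read actions with an unscoped resource. The sample values, the helper names and the allowed-character rule are assumptions.

```python
import json
import re
from string import Template

# MNS template from this page; the variable values below are constructed samples.
MNS_TEMPLATE = """{
  "Version": "1",
  "Statement": [
    {"Action": ["mns:*"],
     "Resource": ["acs:mns:$Region:$Uid:/queues/$QueueName",
                  "acs:mns:$Region:$Uid:/topics/$TopicName"],
     "Effect": "Allow"},
    {"Action": ["mns:Get*", "mns:List*"], "Resource": "*", "Effect": "Allow"}
  ]
}"""
SAMPLE = {"Region": "cn-hangzhou", "Uid": "1234567890123456",
          "QueueName": "mps-queue", "TopicName": "mps-topic"}
SAFE_VALUE = re.compile(r"[A-Za-z0-9._-]+")            # assumption: no wildcards or quotes
READ_ONLY = re.compile(r"[a-z]+:(Get|List|Describe)")  # read-style prefixes used on this page

def as_list(value):
    """Action and Resource may each be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)

def render(template, values):
    """Fill in the $Variables and parse the result; missing names raise KeyError."""
    for name, value in values.items():
        if not SAFE_VALUE.fullmatch(value):
            raise ValueError(f"unsafe value for ${name}: {value!r}")
    return json.loads(Template(template).substitute(values))

def lint(policy):
    """List Allow statements that leave a variable in place or over-grant."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = as_list(stmt["Action"]), as_list(stmt["Resource"])
        findings += [f"statement {i}: unreplaced variable in {r}" for r in resources if "$" in r]
        # A resource is unscoped when it is "*" or its last ARN field is "*".
        unscoped = any(r.rsplit(":", 1)[-1] == "*" for r in resources)
        writes = [a for a in actions if not READ_ONLY.match(a)]
        if unscoped and writes:
            findings.append(f"statement {i}: {writes} allowed on every resource")
    return findings

if __name__ == "__main__":
    print(lint(render(MNS_TEMPLATE, SAMPLE)) or "no findings")
```

The same `lint` function accepts the OSS and CDN policies on this page once they are parsed as JSON.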

CDN authorization policy

Permission description:

  1. Permission for all operations on the specified CDN domain name
  2. Permission to query the CDN domain name

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "cdn:*",
          "Resource": [
            "acs:cdn:*:$Uid:domain/$DomainName"
          ],
          "Effect": "Allow"
        },
        {
          "Action": "cdn:Describe*",
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }