You can grant related permissions for sub-accounts through accessing Alibaba Cloud Resource Access Management (RAM) to enable the sub-accounts to use the MPS console within the authorized scope.
Permissions of the sub-account mainly include authorization to use MPS and the permissions to OSS, CDN, and MNS resource objects. After planning the resource instances of the sub-account with these services, you can create authorization policies based on corresponding authorization templates and grant the permissions to the sub-account.
The following variables are used in the resource authorization policies of each service. Replace them with the actual resource instance name.
Description of variables
- $Uid: Cloud account ID. You can query it by logging on to the
- $Region: Service region. For more information, see service region.
- $InputBucket: MPS InputBucket.
- $OutputBucket: MPS Output Bucket.
- $QueueName: MNS queue name.
- $TopicName: MNS notification topic.
- $DomainName: CDN domain name.
Authorization policy creation descriptions
Log on to the
, and create the following example custom authorization policies for the specified resource instance and grant them to the specified sub-account.




MPS
You can directly use the built-inAliyunMTSFullAccess
authorization policy.
Permission description: Permission granted to a sub-account to use MTS.
Log on to the AliyunMTSFullAccess
permission to the specified sub-account.


OSS authorization policy
Permission description:
Permission for all operations on the specified input and output buckets.
Permission to view the bucket list.
{
"Version": "1",
"Statement": [
{
"Action": [
"oss:*"
],
"Resource": [
"acs:oss:*:*:$InputBucket",
"acs:oss:*:*:$InputBucket/*",
"acs:oss:*:*:$OutputBucket",
"acs:oss:*:*:$OutputBucket/*"
],
"Effect": "Allow"
},
{
"Action": [
"oss:ListBuckets"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
MNS authorization policy
Permission description:
Permission for all operations on the specified queues and topics.
Permission to query queues and topics.
{
"Version": "1",
"Statement": [
{
"Action": [
"mns:*"
],
"Resource": [
"acs:mns:$Region:$Uid:/queues/$QueueName",
"acs:mns:$Region:$Uid:/topics/$TopicName",
],
"Effect": "Allow"
},
{
"Action": [
"mns:Get*",
"mns:List*"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
CDN authorization policy
Permission description:
Permission for all operations on the specified CDN domain name.
Permission to query the CDN domain name.
{
"Version": "1",
"Statement": [
{
"Action": "cdn:*",
"Resource": [
"acs:cdn:*:$Uid:domain/$DomainName"
],
"Effect": "Allow"
},
{
"Action": "cdn:Describe*",
"Resource": "*",
"Effect": "Allow"
}
]
}