Document Center
edit-icon download-icon

Sub-account console operating instructions

Last Updated: Apr 13, 2018

You can grant related permissions for sub-accounts through accessing Alibaba Cloud Resource Access Management (RAM) to enable the sub-accounts to use the MPS console within the authorized scope.

Permissions of the sub-account mainly include authorization to use MPS and the permissions to OSS, CDN, and MNS resource objects. After planning the resource instances of the sub-account with these services, you can create authorization policies based on corresponding authorization templates and grant the permissions to the sub-account.

The following variables are used in the resource authorization policies of each service. Replace them with the actual resource instance name.

Description of variables

  • $Uid: Cloud account ID. You can query it by logging on to the console and clicking Account Management > Security Settings.

    2

  • $Region: Service region. For more information, see service region.

  • $InputBucket: MPS InputBucket.

  • $OutputBucket: MPS Output Bucket.

  • $QueueName: MNS queue name.

  • $TopicName: MNS notification topic.

  • $DomainName: CDN domain name.

Authorization policy creation descriptions

Log on to the RAM console > Policies, and create the following example custom authorization policies for the specified resource instance and grant them to the specified sub-account.

2

2

2

Note: Copy the authorization policies of each service of the examples in this document, and replace the variables with the corresponding service instance name.

2

2

After the authorization policies are created for various service resource objects, you can grant the permissions to corresponding sub-accounts. See the permission granting instructions of MPS.

MPS

You can directly use the built-inAliyunMTSFullAccessauthorization policy.

Permission description:

  1. Permission granted to a sub-account to use MTS

Log on to the RAM console > Users, and grant theAliyunMTSFullAccesspermission to the specified sub-account.

2

2

OSS authorization policy

Permission description:

  1. Permission for all operations on the specified input and output buckets
  2. Permission to view the bucket list
  1. {
  2.   "Version": "1",
  3.   "Statement": [
  4.     {
  5.       "Action": [
  6.         "oss:*"
  7.       ],
  8.       "Resource": [
  9.         "acs:oss:*:*:$InputBucket",
  10.         "acs:oss:*:*:$InputBucket/*",
  11.         "acs:oss:*:*:$OutputBucket",
  12.         "acs:oss:*:*:$OutputBucket/*"
  13.       ],
  14.       "Effect": "Allow"
  15.     },
  16.     {
  17.       "Action": [
  18.         "oss:ListBuckets"
  19.       ],
  20.       "Resource": "*",
  21.       "Effect": "Allow"
  22.     }
  23.   ]
  24. }

MNS authorization policy

Permission description:

  1. Permission for all operations on the specified query and topic
  2. Permission to query the query and topic
  1. {
  2.   "Version": "1",
  3.   "Statement": [
  4.     {
  5.       "Action": [
  6.         "mns:*"
  7.       ],
  8.       "Resource": [
  9.         "acs:mns:$Region:$Uid:/queues/$QueueName",
  10.         "acs:mns:$Region:$Uid:/topics/$TopicName",
  11.         ],
  12.       "Effect": "Allow"
  13.     },
  14.     {
  15.       "Action": [
  16.         "mns:Get*",
  17.         "mns:List*"
  18.       ],
  19.       "Resource": "*",
  20.       "Effect": "Allow"
  21.     }
  22.   ]
  23. }

CDN authorization policy

Permission description:

  1. Permission for all operations on the specified CDN domain name
  2. Permission to query the CDN domain name
  1. {
  2.   "Version": "1",
  3.   "Statement": [
  4.     {
  5.       "Action": "cdn:*",
  6.       "Resource": [
  7.         "acs:cdn:*:$Uid:domain/$DomainName"
  8.       ],
  9.       "Effect": "Allow"
  10.     },
  11.     {
  12.       "Action": "cdn:Describe*",
  13.       "Resource": "*",
  14.       "Effect": "Allow"
  15.     }
  16.   ]
  17. }
Thank you! We've received your feedback.
Free Trial Free Trial