edit-icon download-icon

DNS API authentication rules

Last Updated: Nov 27, 2017

When a RAM user requests access to the DNS resources of the primary account by using the DNS APIs, the DNS backend sends a request to RAM to perform the request authentication. This authentication ensures that the resource owner indeed has granted access to these resources to the caller.

For each DNS API, the resources need to be checked are determined by the involved resources and the semantics of the API. The following table describes the authentication rules for each DNS API.

Action (normally an API name) Authentication rules
AddDomain acs:alidns::$accountid:domain/
DeleteDomain acs:alidns:*:$accountid:domain/$domainName
DescribeDomains acs:alidns::$accountid:domain/
DescribeDomainInfo acs:alidns:*:$accountid:domain/$domainName
DescribeDomainWhoisInfo acs:alidns:*:$accountid:domain/$domainName
ModifyHichinaDomainDNS acs:alidns:*:$accountid:domain/$domainName
GetMainDomainName acs:alidns::$accountid:domain/
DescribeDnsProductInstances acs:alidns::$accountid:instance/
ChangeDomainOfDnsProduct acs:alidns::$accountid:instance/$instanceid
acs:alidns:
:$accountid:domain/$domainName (if domainName is imported)
RetrievalDomainName acs:alidns::$accountid:domain/
CheckDomainRecord acs:alidns::$accountid:domain/
AddDomainRecord acs:alidns:*:$accountid:domain/$domainName
DeleteDomainRecord acs:alidns:*:$accountid:domain/$domainName
UpdateDomainRecord acs:alidns:*:$accountid:domain/$domainName
SetDomainRecordStatus acs:alidns:*:$accountid:domain/$domainName
DescribeDomainRecords acs:alidns:*:$accountid:domain/$domainName
DescribeDomainRecordInfo acs:alidns:*:$accountid:domain/$domainName
DescribeSubDomainRecords acs:alidns:*:$accountid:domain/$domainName
DeleteSubDomainRecords acs:alidns:*:$accountid:domain/$domainName
SetDNSSLBStatus acs:alidns:*:$accountid:domain/$domainName
DescribeDNSSLBSubDomains acs:alidns:*:$accountid:domain/$domainName
UpdateDNSSLBWeight acs:alidns:*:$accountid:domain/$domainName
ValidateDomainCanAdd acs:alidns::$accountid:domain/
ScanSubdomainRecords acs:alidns::$accountid:domain/
GetTxtRecordForRetrievalDomainName acs:alidns::$accountid:domain/
VerifyTxtRecordForRetrievalDomainName acs:alidns::$accountid:domain/
ValidateDomainCanBind acs:alidns:*:$accountid:domain/$domainName
DescribeDnsProductInstance acs:alidns:*:$accountid:instance/$instanceid
DescribeDomainNs acs:alidns:*:$accountid:domain/$domainName
DescribeSupportLines acs:alidns::$accountid:
UpdateDomainRecordRemark acs:alidns:*:$accountid:domain/$domainName
Thank you! We've received your feedback.