By default, Resource Access Management (RAM) users do not have permissions to enable or manage the log storage feature of Dynamic Route for CDN (DCDN). If you want to allow RAM users to enable or manage log storage, you must grant them the required permissions. You can do this using permission policies, which allow you to regulate access control.

Background information

  • RAM is an identity management and access control service that is provided by Alibaba Cloud. RAM allows you to create and manage RAM users for employees, systems, applications, and other entities. You can use RAM to implement access control on your Alibaba Cloud resources.
  • You can grant permissions on log storage only to Alibaba Cloud accounts or RAM users. Role-based access control cannot be used to grant permissions on log storage. For more information, see AssumeRole.

Scenarios

In this topic, a permission policy is used to grant a RAM user full permissions on log storage. The permission policy allows the RAM user to enable, manage, query, modify, and disable log storage.
Note Due to the complex inter-service relationships that are associated with the APIs used to manage log storage, Alibaba Cloud does not provide public-facing access to these APIs. We recommend that you manage log storage through the DCDN console.

Step 1: Create a custom policy

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. Click the JSON tab and enter the following policy document:
    Figure 1. JSON
    The following policy document grants a RAM user full permissions on log storage, so that the RAM user can enable, manage, query, modify, and disable log storage:
    Note You can grant all of the permissions that are available to RAM users or only a subset of them.
    {
        "Statement": [
            {
                "Action": "ram:CreateServiceLinkedRole",
                "Resource": "acs:ram:*:*:role/*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": [
                            "logdelivery.cdn.aliyuncs.com"
                        ]
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": [
                    "cdn:DescribeUserDomains",
                    "cdn:CreateCdnDomainOfflineLogDelivery",
                    "cdn:DescribeCdnOfflineLogDeliveryStatus",
                    "cdn:DescribeCdnOfflineLogDelivery",
                    "cdn:DescribeCdnOfflineLogDeliveryField",
                    "cdn:DescribeCdnOfflineLogDeliveryRegions",
                    "cdn:DisableCdnDomainOfflineLogDelivery",
                    "cdn:DisableCdnOfflineLogDelivery",
                    "cdn:EnableCdnDomainOfflineLogDelivery"
                ],
                "Resource": "acs:cdn:*:*:*"
            }
        ],
        "Version": "1"
    }
    The following list describes the API operations that can be defined in a custom policy. Each entry states whether the permission is required, what the operation does, and what a RAM user who is granted the permission can do.
      • DescribeUserDomains (Required: Yes): Queries all domain names that are added to Alibaba Cloud CDN. If you grant permissions on this API operation to a RAM user, the RAM user can query all domain names that are added to Alibaba Cloud CDN and configure log storage for these domain names.
      • CreateCdnDomainOfflineLogDelivery (Required: No): Enables log storage. If you grant permissions on this API operation to a RAM user, the RAM user can enable log storage.
      • DescribeCdnOfflineLogDeliveryStatus (Required: Yes): Queries whether log storage is enabled. If you grant permissions on this API operation to a RAM user, the RAM user can query whether log storage is enabled.
      • DescribeCdnOfflineLogDelivery (Required: Yes): Queries domain names that have log storage enabled. If you grant permissions on this API operation to a RAM user, the RAM user can query domain names that have log storage enabled.
      • DescribeCdnOfflineLogDeliveryField (Required: Yes): Queries fields that are supported by log storage. If you grant permissions on this API operation to a RAM user, the RAM user can query fields that are supported by log storage.
      • DescribeCdnOfflineLogDeliveryRegions (Required: Yes): Queries regions in which log storage is available.
      • DisableCdnDomainOfflineLogDelivery (Required: No): Disables log storage for domain names that have log storage enabled. If you grant permissions on this API operation to a RAM user, the RAM user can disable log storage for these domain names. Proceed with caution.
      • EnableCdnDomainOfflineLogDelivery (Required: No): Creates a log storage task for a domain name. If you grant permissions on this API operation to a RAM user, the RAM user can create a log storage task for a domain name. Proceed with caution.
      • DisableCdnOfflineLogDelivery (Required: No): Disables log storage. If you grant permissions on this API operation to a RAM user, the RAM user can disable log storage. Proceed with caution. Log storage must be enabled and configured again if RAM users want to use log storage after it is disabled.
  5. Click Next: Edit Basic Information. On the page that appears, configure the Name and Note parameters for the policy.
    Figure 2. Basic Information
    The page has the following parameters:
      • Name: Enter an informative name that can help you identify the custom policy.
      • Note: Enter a description for the custom policy. This parameter is optional.
  6. Check and optimize the document of the custom policy.
    • Basic optimization

      The system performs basic optimization on the policy statement. The system performs the following operations during the basic optimization:

      • Deletes unnecessary conditions.
      • Deletes unnecessary arrays.
    • Optional: Advanced optimization

      You can move the pointer over Optional: Advanced Optimize and click Perform. The system performs the following operations during the advanced optimization:

      • Splits resources or conditions that are incompatible with actions.
      • Narrows down resources.
      • Deduplicates or merges policy statements.
  7. Click OK.
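    Before you paste a document into the JSON tab, it is worth checking that it stays within the scope described above. The following is an added example and not part of the Alibaba Cloud documentation: it audits an in-memory copy of the Step 1 policy (the service-linked-role grant must stay pinned to logdelivery.cdn.aliyuncs.com, and every cdn action must be one from the list) and derives a query-only variant by dropping the actions the list marks "Proceed with caution".

```python
from copy import deepcopy

# Constructed in-memory copy of the Step 1 policy document (not read from RAM).
POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "ram:CreateServiceLinkedRole", "Resource": "acs:ram:*:*:role/*",
     "Condition": {"StringEquals": {"ram:ServiceName": ["logdelivery.cdn.aliyuncs.com"]}}},
    {"Effect": "Allow", "Resource": "acs:cdn:*:*:*", "Action": [
        "cdn:DescribeUserDomains", "cdn:CreateCdnDomainOfflineLogDelivery",
        "cdn:DescribeCdnOfflineLogDeliveryStatus", "cdn:DescribeCdnOfflineLogDelivery",
        "cdn:DescribeCdnOfflineLogDeliveryField", "cdn:DescribeCdnOfflineLogDeliveryRegions",
        "cdn:DisableCdnDomainOfflineLogDelivery", "cdn:DisableCdnOfflineLogDelivery",
        "cdn:EnableCdnDomainOfflineLogDelivery"]}]}

# The documented actions split into query-only ones and those marked "Proceed with caution".
READ_ONLY = {"cdn:DescribeUserDomains", "cdn:DescribeCdnOfflineLogDeliveryStatus",
             "cdn:DescribeCdnOfflineLogDelivery", "cdn:DescribeCdnOfflineLogDeliveryField",
             "cdn:DescribeCdnOfflineLogDeliveryRegions"}
MUTATING = {"cdn:CreateCdnDomainOfflineLogDelivery", "cdn:EnableCdnDomainOfflineLogDelivery",
            "cdn:DisableCdnDomainOfflineLogDelivery", "cdn:DisableCdnOfflineLogDelivery"}
SLR_SERVICE = "logdelivery.cdn.aliyuncs.com"

def _as_list(v):  # RAM accepts either a string or a list for Action and condition values
    return v if isinstance(v, list) else [v]

def audit_policy(doc):
    """Return findings; an empty list means the document stays within the page's scope."""
    findings = []
    if doc.get("Version") != "1":
        findings.append('Version must be "1"')
    for i, st in enumerate(doc.get("Statement", [])):
        actions = set(_as_list(st.get("Action", [])))
        if "ram:CreateServiceLinkedRole" in actions:
            # Without the ServiceName condition the user could create service-linked
            # roles for any service, not just log delivery; flag a missing or widened one.
            svc = st.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName")
            if _as_list(svc or []) != [SLR_SERVICE]:
                findings.append(f"statement {i}: CreateServiceLinkedRole not limited to {SLR_SERVICE}")
            actions.discard("ram:CreateServiceLinkedRole")
        unknown = actions - READ_ONLY - MUTATING
        if unknown:
            findings.append(f"statement {i}: actions outside the log-storage set: {sorted(unknown)}")
    return findings

def read_only_variant(doc):
    """Drop the 'Proceed with caution' actions so the user can only query log storage."""
    out = deepcopy(doc)
    for st in out["Statement"]:
        st["Action"] = [a for a in _as_list(st["Action"]) if a not in MUTATING]
    out["Statement"] = [st for st in out["Statement"] if st["Action"]]
    return out
```

    The query-only variant keeps the service-linked-role statement as the page shows it; only the cdn actions are narrowed.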

Step 2: Attach the policy to the RAM user

  1. Log on to the RAM console.
  2. Create a RAM user.
    Note If you have created a RAM user, skip this step.
  3. In the left-side navigation pane, choose Identities > Users.
  4. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
  5. In the Add Permissions panel, configure the required parameters.
    Figure 3. Add permissions
    The panel has the following parameters:
      • Authorized Scope: Select Alibaba Cloud Account. This specifies that the policy applies to all resources that belong to the current Alibaba Cloud account. Do not select Specific Resource Group.
      • Principal: The current RAM user is selected by default.
      • Select Policy: Select Custom Policy, and click the name of the custom policy that you created in Step 1: Create a custom policy. The custom policy is then added to the Selected list on the right side.
    Note If you want to allow the RAM user to enable log storage, attach the AliyunDLAFullAccess permission policy to the RAM user. If this permission policy is not attached, the RAM user is unable to enable log storage.
  6. Click OK.
  7. Click Complete.

What to do next

Log on to the Alibaba Cloud Management Console as a RAM user