By default, Resource Access Management (RAM) users do not have permissions to enable or manage the log storage feature of Dynamic Route for CDN (DCDN). If you want to allow RAM users to enable or manage log storage, you must grant them the required permissions. You can do this using permission policies, which allow you to regulate access control.

Background information

  • RAM is an identity management and access control service that is provided by Alibaba Cloud. RAM allows you to create and manage RAM users for employees, systems, applications, and other entities. You can use RAM to implement access control on your Alibaba Cloud resources.
  • You can grant permissions on log storage only to Alibaba Cloud accounts or RAM users. You cannot grant them to a RAM role, so an identity that obtains temporary credentials by assuming a role cannot manage log storage. For more information, see AssumeRole.

Scenarios

In this topic, a permission policy is used to grant a RAM user full permissions on log storage. The permission policy allows the RAM user to enable, manage, query, modify, and disable log storage.
Note Due to the complex inter-service relationships that are associated with the APIs used to manage log storage, Alibaba Cloud does not provide public-facing access to these APIs. We recommend that you manage log storage through the DCDN console.

Step 1: Create a custom policy

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. Click the JSON tab and enter the following policy document:
    Figure 1. JSON (screenshot: Create a custom policy)
    The following policy document grants full permissions on log storage to a RAM user. With it, the RAM user can enable, manage, query, modify, and disable log storage.
    Note You can grant all of the permissions in this policy or only some of them. The table after the policy lists which API operations are required and which ones change state.
    {
        "Statement": [
            {
                "Action": "ram:CreateServiceLinkedRole",
                "Resource": "acs:ram:*:*:role/*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": [
                            "logdelivery.cdn.aliyuncs.com"
                        ]
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": [
                    "cdn:DescribeUserDomains",
                    "cdn:CreateCdnDomainOfflineLogDelivery",
                    "cdn:DescribeCdnOfflineLogDeliveryStatus",
                    "cdn:DescribeCdnOfflineLogDelivery",
                    "cdn:DescribeCdnOfflineLogDeliveryField",
                    "cdn:DescribeCdnOfflineLogDeliveryRegions",
                    "cdn:DisableCdnDomainOfflineLogDelivery",
                    "cdn:DisableCdnOfflineLogDelivery",
                    "cdn:EnableCdnDomainOfflineLogDelivery"
                ],
                "Resource": "acs:cdn:*:*:*"
            }
        ],
        "Version": "1"
    }
    The following table describes the API operations that can be defined in a custom policy. Required indicates whether the operation must be granted for log storage to be usable at all; the remaining operations change state and can be left out for a read-only RAM user.
    API | Required | Purpose | Description
    DescribeUserDomains | Yes | Queries all domain names that are added to Alibaba Cloud CDN. | If you grant permissions on this API operation to a RAM user, the RAM user can query all domain names that are added to Alibaba Cloud CDN and configure log storage for these domain names.
    CreateCdnDomainOfflineLogDelivery | No | Enables log storage. | If you grant permissions on this API operation to a RAM user, the RAM user can enable log storage.
    DescribeCdnOfflineLogDeliveryStatus | Yes | Queries whether log storage is enabled. | If you grant permissions on this API operation to a RAM user, the RAM user can query whether log storage is enabled.
    DescribeCdnOfflineLogDelivery | Yes | Queries domain names that have log storage enabled. | If you grant permissions on this API operation to a RAM user, the RAM user can query domain names that have log storage enabled.
    DescribeCdnOfflineLogDeliveryField | Yes | Queries fields that are supported by log storage. | If you grant permissions on this API operation to a RAM user, the RAM user can query fields that are supported by log storage.
    DescribeCdnOfflineLogDeliveryRegions | Yes | Queries regions in which log storage is available. | None.
    DisableCdnDomainOfflineLogDelivery | No | Disables log storage for domain names that have it enabled. | If you grant permissions on this API operation to a RAM user, the RAM user can disable log storage for domain names that have it enabled. Proceed with caution.
    EnableCdnDomainOfflineLogDelivery | No | Creates a log storage task for a domain name. | If you grant permissions on this API operation to a RAM user, the RAM user can create a log storage task for a domain name. Proceed with caution.
    DisableCdnOfflineLogDelivery | No | Disables log storage. | If you grant permissions on this API operation to a RAM user, the RAM user can disable log storage. Proceed with caution. Log storage must be enabled and configured again if RAM users want to use log storage after it is disabled.
  5. Click Next to edit policy information.
    For more information about the syntax and structure of policies, see Policy structure and syntax.
  6. Specify the Name and Description fields.
  7. Check and optimize the document of the custom policy.
    • Basic optimization

      The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:

      • Deletes unnecessary conditions.
      • Deletes unnecessary arrays.
    • Optional: Advanced optimization

      You can move the pointer over Optional advanced optimize and click Perform. The system performs the following operations during the advanced optimization:

      • Splits resources or conditions that are incompatible with actions.
      • Narrows down resources.
      • Deduplicates or merges policy statements.
  8. Click OK.
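Before pasting the policy into the console, it is worth checking it mechanically: that the service-linked-role statement is still conditioned on logdelivery.cdn.aliyuncs.com (a bare ram:CreateServiceLinkedRole would let the user create service-linked roles for any service), that no wildcard actions crept in, and that every operation the table marks as required is present. The following script is an added example, not code from the Alibaba Cloud documentation. The policy document is copied from the page; the lint rules, the function names, and the read-only variant (which keeps only the required Describe operations and drops the service-linked-role statement, on the assumption that the role is only needed when log storage is enabled) are this example's own conventions.

```python
"""Lint the DCDN log storage RAM policy and derive a read-only variant.

Added example; not part of the Alibaba Cloud documentation. FULL_POLICY is
the page's policy document, everything else is this script's own convention.
"""
import copy
import json

# Policy document from the page (full permissions on log storage).
FULL_POLICY = {
    "Statement": [
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "acs:ram:*:*:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {"ram:ServiceName": ["logdelivery.cdn.aliyuncs.com"]}
            },
        },
        {
            "Effect": "Allow",
            "Action": [
                "cdn:DescribeUserDomains",
                "cdn:CreateCdnDomainOfflineLogDelivery",
                "cdn:DescribeCdnOfflineLogDeliveryStatus",
                "cdn:DescribeCdnOfflineLogDelivery",
                "cdn:DescribeCdnOfflineLogDeliveryField",
                "cdn:DescribeCdnOfflineLogDeliveryRegions",
                "cdn:DisableCdnDomainOfflineLogDelivery",
                "cdn:DisableCdnOfflineLogDelivery",
                "cdn:EnableCdnDomainOfflineLogDelivery",
            ],
            "Resource": "acs:cdn:*:*:*",
        },
    ],
    "Version": "1",
}

# Operations the page's table marks "Required: Yes".
REQUIRED_ACTIONS = {
    "cdn:DescribeUserDomains",
    "cdn:DescribeCdnOfflineLogDeliveryStatus",
    "cdn:DescribeCdnOfflineLogDelivery",
    "cdn:DescribeCdnOfflineLogDeliveryField",
    "cdn:DescribeCdnOfflineLogDeliveryRegions",
}

# Operations the page flags "Proceed with caution" (they change state).
MUTATING_ACTIONS = {
    "cdn:CreateCdnDomainOfflineLogDelivery",
    "cdn:EnableCdnDomainOfflineLogDelivery",
    "cdn:DisableCdnDomainOfflineLogDelivery",
    "cdn:DisableCdnOfflineLogDelivery",
}

SLR_ACTION = "ram:CreateServiceLinkedRole"
LOG_DELIVERY_SERVICE = "logdelivery.cdn.aliyuncs.com"


def _as_list(value):
    """RAM policies allow a single string where a list is expected."""
    return value if isinstance(value, list) else [value]


def actions_allowed(policy):
    """Set of actions granted by Allow statements in the policy."""
    allowed = set()
    for st in policy.get("Statement", []):
        if st.get("Effect") == "Allow":
            allowed.update(_as_list(st.get("Action", [])))
    return allowed


def lint_policy(policy):
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    if policy.get("Version") != "1":
        findings.append('Version must be "1"')
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        acts = _as_list(st.get("Action", []))
        for act in acts:
            if "*" in act:
                findings.append(f"wildcard action {act}")
        if "*" in _as_list(st.get("Resource", [])):
            findings.append(f"resource '*' in statement allowing {acts}")
        if SLR_ACTION in acts:
            # The condition is what keeps this from being a general
            # "create any service-linked role" grant.
            svc = st.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName")
            if _as_list(svc or []) != [LOG_DELIVERY_SERVICE]:
                findings.append(f"{SLR_ACTION} is not restricted to {LOG_DELIVERY_SERVICE}")
    missing = REQUIRED_ACTIONS - actions_allowed(policy)
    if missing:
        findings.append("missing required actions: " + ", ".join(sorted(missing)))
    return findings


def read_only_policy(policy=FULL_POLICY):
    """Derive a query-only variant: required Describe actions, no SLR statement."""
    ro = copy.deepcopy(policy)
    ro["Statement"] = [
        st for st in ro["Statement"] if SLR_ACTION not in _as_list(st.get("Action", []))
    ]
    for st in ro["Statement"]:
        st["Action"] = sorted(a for a in _as_list(st["Action"]) if a in REQUIRED_ACTIONS)
    return ro


def policy_json(policy):
    """Serialize for pasting into the JSON tab of the RAM console."""
    return json.dumps(policy, indent=4)


if __name__ == "__main__":
    print("full policy findings:", lint_policy(FULL_POLICY))
    print(policy_json(read_only_policy()))
```

Run the script once against the page's document (it should report no findings), then again after any edit you make in the console's optimization step; a finding on the ram:CreateServiceLinkedRole condition means the optimizer or a manual edit widened the grant and the policy should not be attached.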

Step 2: Attach the policy to the RAM user

  1. Log on to the RAM console.
  2. Create a RAM user.
    Note If you have created a RAM user, skip this step.
  3. In the left-side navigation pane, choose Identities > Users.
  4. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
  5. In the Add Permissions panel, configure the required parameters.
    Figure 2. Add permissions (screenshot)
    Parameter | Description
    Authorized Scope | Select Alibaba Cloud Account. This specifies that the authorized scope is all resources that belong to the current Alibaba Cloud account. Do not select Specific Resource Group.
    Principal | By default, the current RAM user is selected.
    Select Policy | Select Custom Policy and click the name of the custom policy created in Step 1: Create a custom policy to add it to the Selected section.
    Note If you want to allow the RAM user to enable log storage, also attach the AliyunDLAFullAccess system policy to the RAM user. Without it, the RAM user can query log storage but cannot enable it.
  6. Click OK.
  7. Click Complete.

What to do next

Log on to the Alibaba Cloud Management Console as a RAM user