
CDN: RAM authorization

Last Updated: Mar 28, 2024
Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. You can use RAM to prevent RAM users from sharing the AccessKey pairs of your Alibaba Cloud account. You can also use RAM to grant minimum permissions to RAM users. RAM uses policies to define permissions.
This topic describes the elements that CDN defines for RAM policies, such as Action, Resource, and Condition. You can use these elements to create policies in RAM. The code (RamCode) that identifies CDN in RAM is cdn. You can grant permissions on CDN at the resource level.

General structure of a policy

Policies can be stored as JSON files. The following code shows the general structure of a policy:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}
The following list describes the fields in the policy:
  • Effect: specifies the authorization effect. Valid values: Allow, Deny.
  • Action: specifies one or more API operations that are allowed or denied. For more information, see the Action section of this topic.
  • Resource: specifies one or more resources to which the policy applies. You can use an Alibaba Cloud Resource Name (ARN) to specify a resource. For more information, see the Resource section of this topic.
  • Condition: specifies one or more conditions that are required for the policy to take effect. This is an optional field. For more information, see the Condition section of this topic.
    • Condition_operator: specifies the conditional operators. Different types of conditions support different conditional operators. For more information, see Policy elements.
    • Condition_key: specifies the condition keys.
    • Condition_value: specifies the condition values.

Action

CDN defines the values that you can use in the Action element of a policy statement. The following table describes the values.
  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • API operation: the API operation that you can call to perform the operation.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition key: the condition keys that are defined by the Alibaba Cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Generic Condition Keyword.
  • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
| Actions | API operation | Access level | Resource type | Condition key | Associated operation |
| --- | --- | --- | --- | --- | --- |
| cdn:AddCdnDomain | AddCdnDomain | Write | Domain (acs:cdn:*:{#accountId}:domain/*) | None | None |
| cdn:AddFCTrigger | AddFCTrigger | Write | All Resources (*) | None | None |
| cdn:BatchAddCdnDomain | BatchAddCdnDomain | Write | All Resources (*) | None | None |
| cdn:BatchDeleteCdnDomainConfig | BatchDeleteCdnDomainConfig | Write | All Resources (*) | None | None |
| cdn:BatchSetCdnDomainConfig | BatchSetCdnDomainConfig | Write | All Resources (*) | None | None |
| cdn:BatchSetCdnDomainServerCertificate | BatchSetCdnDomainServerCertificate | Write | Domain (acs:cdn:*:{#accountId}:domain/*) | None | None |
| cdn:BatchStartCdnDomain | BatchStartCdnDomain | Write | Domain (acs:cdn:*:{#accountId}:domain/*) | None | None |
| cdn:BatchStopCdnDomain | BatchStopCdnDomain | Write | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:BatchUpdateCdnDomain | BatchUpdateCdnDomain | Write | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:CreateCdnCertificateSigningRequest | CreateCdnCertificateSigningRequest | Write | All Resources (*) | None | None |
| cdn:CreateCdnDeliverTask | CreateCdnDeliverTask | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:CreateCdnSubTask | CreateCdnSubTask | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:CreateRealTimeLogDelivery | CreateRealTimeLogDelivery | Write | All Resources (*) | None | None |
| cdn:CreateUsageDetailDataExportTask | CreateUsageDetailDataExportTask | Write | Domain (acs:cdn:*:{#accountId}:domain/*) | None | None |
| cdn:CreateUserUsageDataExportTask | CreateUserUsageDataExportTask | Write | All Resources (*) | None | None |
| cdn:DeleteCdnDeliverTask | DeleteCdnDeliverTask | Read | All Resources (*) | None | None |
| cdn:DeleteCdnDomain | DeleteCdnDomain | Write | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DeleteCdnSubTask | DeleteCdnSubTask | Read | All Resources (*) | None | None |
| cdn:DeleteFCTrigger | DeleteFCTrigger | Write | All Resources (*) | None | None |
| cdn:DeleteRealTimeLogLogstore | DeleteRealTimeLogLogstore | Read | All Resources (*) | None | None |
| cdn:DeleteRealtimeLogDelivery | DeleteRealtimeLogDelivery | Write | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DeleteSpecificConfig | DeleteSpecificConfig | Write | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DeleteSpecificStagingConfig | DeleteSpecificStagingConfig | Write | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DeleteUsageDetailDataExportTask | DeleteUsageDetailDataExportTask | Write | All Resources (*) | None | None |
| cdn:DeleteUserUsageDataExportTask | DeleteUserUsageDataExportTask | Write | All Resources (*) | None | None |
| cdn:DescribeBlockedRegions | DescribeBlockedRegions | Read | All Resources (*) | None | None |
| cdn:DescribeCdnCertificateDetail | DescribeCdnCertificateDetail | Read | Domain (acs:cdn:*:{#accountId}:domain/*) | None | None |
| cdn:DescribeCdnCertificateList | DescribeCdnCertificateList | Read | Domain (acs:cdn:*:{#accountId}:domain/*) | None | None |
| cdn:DescribeCdnDeletedDomains | DescribeCdnDeletedDomains | Read | All Resources (*) | None | None |
| cdn:DescribeCdnDeliverList | DescribeCdnDeliverList | Read | All Resources (*) | None | None |
| cdn:DescribeCdnDomainByCertificate | DescribeCdnDomainByCertificate | Read | All Resources (*) | None | None |
| cdn:DescribeCdnDomainConfigs | DescribeCdnDomainConfigs | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeCdnDomainDetail | DescribeCdnDomainDetail | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeCdnDomainLogs | DescribeCdnDomainLogs | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeCdnDomainStagingConfig | DescribeCdnDomainStagingConfig | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeCdnHttpsDomainList | DescribeCdnHttpsDomainList | Read | All Resources (*) | None | None |
| cdn:DescribeCdnOrderCommodityCode | DescribeCdnOrderCommodityCode | Read | All Resources (*) | None | None |
| cdn:DescribeCdnReport | DescribeCdnReport | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeCdnReportList | DescribeCdnReportList | Read | All Resources (*) | None | None |
| cdn:DescribeCdnSMCertificateList | DescribeCdnSMCertificateList | Read | All Resources (*) | None | None |
| cdn:DescribeCdnService | DescribeCdnService | Read | All Resources (*) | None | None |
| cdn:DescribeCdnSubList | DescribeCdnSubList | Read | All Resources (*) | None | None |
| cdn:DescribeCdnUserBillHistory | DescribeCdnUserBillHistory | Read | All Resources (*) | None | None |
| cdn:DescribeCdnUserBillPrediction | DescribeCdnUserBillPrediction | Read | All Resources (*) | None | None |
| cdn:DescribeCdnUserConfigs | DescribeCdnUserConfigs | Read | All Resources (*) | None | None |
| cdn:DescribeCdnUserDomainsByFunc | DescribeCdnUserDomainsByFunc | Read | All Resources (*) | None | None |
| cdn:DescribeCdnUserQuota | DescribeCdnUserQuota | Read | All Resources (*) | None | None |
| cdn:DescribeCdnUserResourcePackage | DescribeCdnUserResourcePackage | Read | All Resources (*) | None | None |
| cdn:DescribeCertificateInfoByID | DescribeCertificateInfoByID | Read | All Resources (*) | None | None |
| cdn:DescribeCustomLogConfig | DescribeCustomLogConfig | Read | All Resources (*) | None | None |
| cdn:DescribeDomainBpsData | DescribeDomainBpsData | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeDomainBpsDataByLayer | DescribeDomainBpsDataByLayer | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeDomainBpsDataByTimeStamp | DescribeDomainBpsDataByTimeStamp | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeDomainCcActivityLog | DescribeDomainCcActivityLog | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeDomainCertificateInfo | DescribeDomainCertificateInfo | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeDomainCustomLogConfig | DescribeDomainCustomLogConfig | Read | Domain (acs:cdn:*:{#accountId}:domain/{#domainId}) | None | None |
| cdn:DescribeDomainDetailDataByLayer | DescribeDomainDetailDataByLayer | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeDomainHitRateData | DescribeDomainHitRateData | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeDomainHttpCodeData | DescribeDomainHttpCodeData | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeDomainHttpCodeDataByLayer | DescribeDomainHttpCodeDataByLayer | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeDomainPathData | DescribeDomainPathData | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeDomainQpsData | DescribeDomainQpsData | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeDomainQpsDataByLayer | DescribeDomainQpsDataByLayer | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeDomainRealTimeBpsData | DescribeDomainRealTimeBpsData | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeDomainRealTimeByteHitRateData | DescribeDomainRealTimeByteHitRateData | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeDomainRealTimeHttpCodeData | DescribeDomainRealTimeHttpCodeData | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeDomainRealTimeQpsData | DescribeDomainRealTimeQpsData | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeDomainRealTimeReqHitRateData | DescribeDomainRealTimeReqHitRateData | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeDomainRealTimeSrcBpsData | DescribeDomainRealTimeSrcBpsData | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeDomainRealTimeSrcHttpCodeData | DescribeDomainRealTimeSrcHttpCodeData | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeDomainRealTimeSrcTrafficData | DescribeDomainRealTimeSrcTrafficData | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeDomainRealTimeTrafficData | DescribeDomainRealTimeTrafficData | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeDomainRealtimeLogDelivery | DescribeDomainRealtimeLogDelivery | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeDomainReqHitRateData | DescribeDomainReqHitRateData | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeDomainSrcBpsData | DescribeDomainSrcBpsData | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeDomainSrcHttpCodeData | DescribeDomainSrcHttpCodeData | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeDomainSrcQpsData | DescribeDomainSrcQpsData | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeDomainSrcTrafficData | DescribeDomainSrcTrafficData | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeDomainTrafficData | DescribeDomainTrafficData | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeDomainUsageData | DescribeDomainUsageData | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeDomainsBySource | DescribeDomainsBySource | Read | Domain (acs:cdn:*:{#accountId}:domain/*) | None | None |
| cdn:DescribeDomainsUsageByDay | DescribeDomainsUsageByDay | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeEsExceptionData | DescribeEsExceptionData | Read | All Resources (*) | None | None |
| cdn:DescribeEsExecuteData | DescribeEsExecuteData | Read | All Resources (*) | None | None |
| cdn:DescribeFCTrigger | DescribeFCTrigger | Read | All Resources (*) | None | None |
| cdn:DescribeIpStatus | DescribeIpStatus | Read | All Resources (*) | None | None |
| cdn:DescribeL2VipsByDomain | DescribeL2VipsByDomain | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeRangeDataByLocateAndIspService | DescribeRangeDataByLocateAndIspService | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeRealtimeDeliveryAcc | DescribeRealtimeDeliveryAcc | Read | All Resources (*) | None | None |
| cdn:DescribeRefreshQuota | DescribeRefreshQuota | Read | All Resources (*) | None | None |
| cdn:DescribeRefreshTaskById | DescribeRefreshTaskById | Read | All Resources (*) | None | None |
| cdn:DescribeRefreshTasks | DescribeRefreshTasks | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeStagingIp | DescribeStagingIp | Read | All Resources (*) | None | None |
| cdn:DescribeTagResources | DescribeTagResources | Read | All Resources (*) | None | None |
| cdn:DescribeUserCertificateExpireCount | DescribeUserCertificateExpireCount | Read | All Resources (*) | None | None |
| cdn:DescribeUserDomains | DescribeUserDomains | Read | Domain (acs:cdn:*:{#accountId}:domain/*) | None | None |
| cdn:DescribeUserTags | DescribeUserTags | Read | All Resources (*) | None | None |
| cdn:DescribeUserUsageDataExportTask | DescribeUserUsageDataExportTask | Read | All Resources (*) | None | None |
| cdn:DescribeUserUsageDetailDataExportTask | DescribeUserUsageDetailDataExportTask | Read | Domain (acs:cdn:*:{#accountId}:domain/*) | None | None |
| cdn:DescribeUserVipsByDomain | DescribeUserVipsByDomain | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:DescribeVerifyContent | DescribeVerifyContent | Read | All Resources (*) | None | None |
| cdn:DisableRealtimeLogDelivery | DisableRealtimeLogDelivery | Write | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:EnableRealtimeLogDelivery | EnableRealtimeLogDelivery | Write | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:ListDomainsByLogConfigId | ListDomainsByLogConfigId | List | All Resources (*) | None | None |
| cdn:ListFCTrigger | ListFCTrigger | List | All Resources (*) | None | None |
| cdn:ListRealtimeLogDeliveryInfos | ListRealtimeLogDeliveryInfos | Read | All Resources (*) | None | None |
| cdn:ListUserCustomLogConfig | ListUserCustomLogConfig | List | All Resources (*) | None | None |
| cdn:ModifyCdnDomain | ModifyCdnDomain | Write | Domain (acs:cdn:*:{#accountId}:domain/*) | None | None |
| cdn:ModifyCdnDomainSchdmByProperty | ModifyCdnDomainSchdmByProperty | Write | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:ModifyRealtimeLogDelivery | ModifyRealtimeLogDelivery | Write | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:PublishStagingConfigToProduction | PublishStagingConfigToProduction | Write | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:PushObjectCache | PushObjectCache | Write | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:RefreshObjectCaches | RefreshObjectCaches | Write | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:RollbackStagingConfig | RollbackStagingConfig | Write | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:SetCdnDomainCSRCertificate | SetCdnDomainCSRCertificate | Write | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:SetCdnDomainSMCertificate | SetCdnDomainSMCertificate | Read | All Resources (*) | None | None |
| cdn:SetCdnDomainStagingConfig | SetCdnDomainStagingConfig | Write | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:SetDomainServerCertificate | SetDomainServerCertificate | Write | Domain (acs:cdn:*:{#accountId}:domain/*) | None | None |
| cdn:SetWaitingRoomConfig | SetWaitingRoomConfig | Write | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:StartCdnDomain | StartCdnDomain | Write | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:StopCdnDomain | StopCdnDomain | Write | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:TagResources | TagResources | Write | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:UntagResources | UntagResources | Write | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:UpdateCdnDeliverTask | UpdateCdnDeliverTask | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:UpdateCdnSubTask | UpdateCdnSubTask | Read | Domain (acs:cdn:*:{#accountId}:domain/{#DomainName}) | None | None |
| cdn:UpdateFCTrigger | UpdateFCTrigger | Write | All Resources (*) | None | None |
| cdn:VerifyDomainOwner | VerifyDomainOwner | Read | All Resources (*) | None | None |

Resource

CDN defines the values that you can use in the Resource element of a policy statement. You can attach the policy to a RAM user or a RAM role so that the RAM user or the RAM role can perform a specific operation on a specific resource. The ARN is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:
  • {#} indicates a variable. {#} must be replaced with an actual value. For example, {#ramcode} must be replaced with the actual code of an Alibaba Cloud service in RAM.
  • An asterisk (*) is used as a wildcard. Examples:
    • If {#resourceType} is set to *, all resources are specified.
    • If {#regionId} is set to *, all regions are specified.
    • If {#accountId} is set to *, all Alibaba Cloud accounts are specified.

| Resource type | ARN |
| --- | --- |
| Domain | acs:{#ramcode}:*:{#accountId}:domain/{#DomainName} |
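
The following Python linter is an added example, not part of the Alibaba Cloud documentation. It checks each Allow statement of a CDN policy against the resource-level support listed in the Action table. Assumptions: `RESOURCE_LEVEL` is a hand-copied excerpt of that table, the account ID and domain in the sample policy are constructed placeholders, the function names are hypothetical, and the shell-style wildcard matching is a simplification rather than RAM's own evaluation logic.

```python
import fnmatch
import json

# Excerpt of the Action table above. True: the table gives a Domain ARN for
# the operation. False: the table lists "All Resources" (*) only.
RESOURCE_LEVEL = {
    "cdn:RefreshObjectCaches": True,
    "cdn:PushObjectCache": True,
    "cdn:DescribeCdnDomainDetail": True,
    "cdn:DeleteCdnDomain": True,
    "cdn:DescribeRefreshQuota": False,
    "cdn:BatchSetCdnDomainConfig": False,
}

# Constructed sample policy; the account ID and domain are placeholders.
SAMPLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["cdn:RefreshObjectCaches", "cdn:DescribeRefreshQuota"],
     "Resource": "acs:cdn:*:1234567890123456:domain/example.com"},
    {"Effect": "Allow", "Action": "cdn:DeleteCdnDomain", "Resource": "*"}
  ]
}
""")

def as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def lint_policy(policy):
    """Return (statement index, action, message) findings for Allow statements."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = as_list(stmt.get("Resource", []))
        for pattern in as_list(stmt.get("Action", [])):
            # Simplified assumption: shell-style matching of action wildcards.
            matched = [a for a in RESOURCE_LEVEL if fnmatch.fnmatchcase(a, pattern)]
            if "*" in pattern:
                findings.append((idx, pattern, f"wildcard covers {len(matched)} listed operations"))
            for action in matched:
                for res in resources:
                    if RESOURCE_LEVEL[action] and res == "*":
                        findings.append((idx, action, "Domain ARN available; narrow Resource from *"))
                    elif not RESOURCE_LEVEL[action] and res != "*":
                        findings.append((idx, action, "table lists All Resources (*) only for this operation"))
    return findings

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```

On the sample policy, the linter flags cdn:DescribeRefreshQuota in the first statement, because the table lists that operation under All Resources, and cdn:DeleteCdnDomain in the second, because a Domain ARN could replace the `*`.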

Condition

CDN does not define service-specific condition keys. For more information about common condition keys that are defined by Alibaba Cloud, see Generic Condition Keyword.

What to do next

You can create a custom policy and attach the policy to a RAM user, RAM user group, or RAM role. For more information, see the following topics: