You can use Resource Group to manage Alibaba Cloud CDN (CDN) resources as a collection and apply Resource Access Management (RAM) policies that authorize actions only on resources within a specific group. This lets you enforce the principle of least privilege (PoLP) in your Alibaba Cloud account.
You can scope permissions to a resource group only for supported resource types and actions. For unsupported actions, any resource group scope in a policy is ignored, and permissions must be granted at the account level instead.
How it works
Resource groups organize your resources by project or environment. Once resources are grouped, you can attach a RAM policy to an identity (such as a RAM user, user group, or role) that scopes its permissions exclusively to that group. For more information, see Resource grouping and authorization.
This approach provides two key benefits:
-
Fine-grained access control: Instead of granting account-wide permissions, you can limit an identity's access to only the resources within a specific group. This helps isolate project-specific workloads and reduce the risk of unintended access.
-
Simplified management: When new resources are added to a resource group, RAM identities with permissions scoped to that group automatically gain access. You do not need to update RAM policies each time a new resource is created.
Grant resource group-level permissions to a RAM user
This section demonstrates how to grant a RAM user permission to access only the resources of Alibaba Cloud CDN (CDN) within a specific resource group.
1. Prerequisites
-
Create a resource group and ensure that the target resources are in it. If you need help doing this, see Create a resource group, Add resources to a resource group automatically, and Add resources to a resource group manually.
2. Grant permissions
You can grant resource group-level permissions from either the Resource Management console or the RAM console.
Resource Management console
-
Log on to the Resource Management console.
-
On the Resource Group page, find the target resource group and click Manage Permission in the Actions column.
-
On the Permissions tab, click Grant Permission.
-
In the Grant Permission panel, configure the principal and access policy.
-
Principal: Select a RAM user.
-
Policy: Select a System Policy or a Custom Policy. For more information, see Create a custom permission policy.
-
-
Click Grant permissions.
For more information, see Grant permissions on resource groups to a RAM identity.
RAM console
-
Log on to the RAM console using an Alibaba Cloud account or a RAM administrator account.
-
In the navigation pane on the left, choose . On the Users page, find the target RAM user and click Add Permissions in the Actions column.
-
In the Grant Permission panel, add permissions for the RAM user.
-
Resource Scope: Select Resource Group.
-
Principal: Select an existing RAM user or the RAM user created in the previous step.
-
Policy: Select a System Policy or a Custom Policy. For more information, see Create a custom permission policy.
-
-
Click OK.
For more information, see Grant permissions to a RAM user.
Supported resources
The following resources from Alibaba Cloud CDN (CDN) support resource group-level authorization:
|
Alibaba Cloud service |
Service code |
Resource type |
|
Alibaba Cloud CDN (CDN) |
cdn |
domain : domain name |
To request support for resource types not listed here, submit feedback via Resource Management console.
Unsupported actions
The following actions of Alibaba Cloud CDN (CDN) do not support resource group-level authorization:
|
Action |
Description |
|
cdn:ActivateConfigGroupVersion |
- |
|
cdn:AddConfigGroup |
- |
|
cdn:AddFCTrigger |
Adds a Function Compute trigger. |
|
cdn:AddLivePullStreamInfo |
- |
|
cdn:AdvancePurgeObjectCache |
- |
|
cdn:BatchDescribeCdnIpInfo |
Queries whether one or more IP addresses are assigned to Alibaba Cloud CDN. |
|
cdn:BatchDescribeDomainBackupCname |
- |
|
cdn:BatchDescribeDomainMd5Info |
- |
|
cdn:CdnMigrateRegister |
- |
|
cdn:ChangeCdnDomainToDcdn |
- |
|
cdn:CheckDomainBeiAnExpiration |
- |
|
cdn:CloneConfigGroupVersion |
- |
|
cdn:CreateCdnCertificateSigningRequest |
Creates a certificate signing request (CSR). |
|
cdn:CreateCdnComputeDomain |
- |
|
cdn:CreateCdnbag |
- |
|
cdn:CreateLiveStreamRecordIndexFiles |
- |
|
cdn:CreateUserUsageDataExportTask |
Creates a task to export your resource usage history to a PDF file. |
|
cdn:DeactivateConfigGroupVersion |
- |
|
cdn:DeleteCdnDeliverTask |
Deletes tracking tasks by task ID. |
|
cdn:DeleteCdnSubTask |
The ID of the request. |
|
cdn:DeleteConfigGroup |
- |
|
cdn:DeleteConfigGroupVersion |
- |
|
cdn:DeleteFCTrigger |
Deletes a specified Function Compute trigger. |
|
cdn:DeleteLivePullStreamInfo |
- |
|
cdn:DeleteRealTimeLogLogstore |
Deletes the Logstore that is used by a specified configuration record of real-time log delivery. |
|
cdn:DeleteUsageDetailDataExportTask |
Deletes a task that was used to export usage details. |
|
cdn:DeleteUserUsageDataExportTask |
Deletes a task that was used to export usage history. |
|
cdn:DeleteVersionConfig |
- |
|
cdn:DescribeActiveConfigGroupVersion |
- |
|
cdn:DescribeBlockedRegions |
Queries countries and regions that can be added to the blacklist. |
|
cdn:DescribeCdnCcSignatureArgList |
- |
|
cdn:DescribeCdnCcSignatureObjectList |
- |
|
cdn:DescribeCdnCertificateDetail |
Queries the detailed information about an SSL certificate. |
|
cdn:DescribeCdnCertificateDetailById |
Queries certificate details by certificate ID. |
|
cdn:DescribeCdnComputeUserDomain |
- |
|
cdn:DescribeCdnConditionIPBInfo |
Queries the Internet service provider (ISP), region, and country that are required for advanced conditions. |
|
cdn:DescribeCdnDeletedDomains |
Queries the domain names that are deleted from your account. |
|
cdn:DescribeCdnDeliverList |
Queries one or more tracking tasks of operations reports. |
|
cdn:DescribeCdnDiagnoseReport |
- |
|
cdn:DescribeCdnDomainByCertificate |
Queries accelerated domain names by SSL certificate. |
|
cdn:DescribeCdnFullDomainsBlockIPConfig |
You can call the DescribeCdnFullDomainsBlockIPConfig operation to query the configurations of full blocking. |
|
cdn:DescribeCdnFullDomainsBlockIPHistory |
Queries the blocking history. |
|
cdn:DescribeCdnHttpsDomainList |
Queries the information about SSL certificates that belong to your Alibaba Cloud account. |
|
cdn:DescribeCdnIpCidr |
- |
|
cdn:DescribeCdnMonitorData |
- |
|
cdn:DescribeCdnOrderCommodityCode |
Queries the code of a commodity by account UID. |
|
cdn:DescribeCdnRegionAndIsp |
Queries Internet service providers (ISPs) and regions that are supported by Alibaba Cloud CDN. |
|
cdn:DescribeCdnReportList |
Queries operations reports. |
|
cdn:DescribeCdnSMCertificateDetail |
Queries the details about a ShangMi (SM) certificate. |
|
cdn:DescribeCdnSecFuncInfo |
Queries information about security features of Alibaba Cloud CDN. |
|
cdn:DescribeCdnService |
Queries the status of your Alibaba Cloud CDN service. The information includes the service activation time, the current service status, the current metering method, and the metering method for the next cycle. |
|
cdn:DescribeCdnSubList |
Queries the tracking tasks that you have created. |
|
cdn:DescribeCdnTypes |
Queries the types of domain names. |
|
cdn:DescribeCdnUserAppSecDrop |
- |
|
cdn:DescribeCdnUserBillHistory |
Queries the billing history under your Alibaba Cloud account. |
|
cdn:DescribeCdnUserBillPrediction |
Estimates resource usage of the current month. |
|
cdn:DescribeCdnUserBillType |
Queries information about the metering methods of an account. The maximum time range to query is one month. |
|
cdn:DescribeCdnUserConfigs |
Queries configurations of security features. |
|
cdn:DescribeCdnUserQuota |
Queries the quotas and usage of Alibaba Cloud CDN resources. |
|
cdn:DescribeCdnUserResourcePackage |
Queries the resource plans that you have purchased for Alibaba Cloud CDN. |
|
cdn:DescribeCdnUserSecDrop |
- |
|
cdn:DescribeCertificateInfoByID |
Queries the information about a specific certificate by certificate ID. |
|
cdn:DescribeConfigGroupDetail |
- |
|
cdn:DescribeConfigGroupVersion |
- |
|
cdn:DescribeCustomDomainSampleRate |
- |
|
cdn:DescribeCustomLogConfig |
Queries the details about a custom logging configuration. |
|
cdn:DescribeDomainConfigs |
- |
|
cdn:DescribeDomainISPLocationDetailData |
- |
|
cdn:DescribeDomainMd5Info |
- |
|
cdn:DescribeDomainSrcFlowData |
- |
|
cdn:DescribeDomainVerifyData |
Queries the verification content of an accelerated domain name based on whether the global resource plan is enabled. |
|
cdn:DescribeDomainsBySource |
Queries accelerated domain names by origin server. |
|
cdn:DescribeEsExceptionData |
Queries the execution errors of a script in EdgeScript (ES). |
|
cdn:DescribeEsExecuteData |
Queries the execution status of scripts in EdgeScript (ES). |
|
cdn:DescribeFCTrigger |
Queries a specified Function Compute trigger. |
|
cdn:DescribeGifshowView |
- |
|
cdn:DescribeIpInfo |
Checks whether a specified IP address is the IP address of a CDN point of presence (POP). |
|
cdn:DescribeIpStatus |
Queries the status of IP addresses of points of presence (POPs). The status of an IP address of a POP indicates whether content delivery acceleration is supported by the POP. |
|
cdn:DescribeLiveStreamOnlineUserNum |
- |
|
cdn:DescribeLiveStreamPushData |
- |
|
cdn:DescribeLiveStreamRecordIndexFile |
- |
|
cdn:DescribeLiveStreamRecordIndexFiles |
- |
|
cdn:DescribeLiveStreamSnapshotInfo |
- |
|
cdn:DescribeLiveStreamTranscodeStreamNum |
- |
|
cdn:DescribeLiveStreamsFrameRateAndBitRateData |
- |
|
cdn:DescribeLiveStreamsOnlineList |
- |
|
cdn:DescribePreloadDetailById |
Queries the prefetch details of a task, including the prefetch progress of all resources in the task. Only users who are included in the whitelist can use this operation. You can contact your business manager to apply for the whitelist. |
|
cdn:DescribeRealtimeDeliveryAcc |
Queries the number of real-time log deliveries. |
|
cdn:DescribeRealtimeLogAuthorized |
- |
|
cdn:DescribeRefreshQuota |
DescribeRefreshQuota |
|
cdn:DescribeRefreshTaskById |
Queries the statuses of refresh or prefetch tasks by task ID. |
|
cdn:DescribeRefreshTasks1 |
- |
|
cdn:DescribeSinaUidsBlockData |
- |
|
cdn:DescribeSnMultiLive |
- |
|
cdn:DescribeStagingIp |
Queries node IP addresses in the staging environment. |
|
cdn:DescribeTopDomainsByFlow |
Queries the top N domain names ranked by network traffic. You can query data collected in the last 30 days. |
|
cdn:DescribeUserCdnStatus |
Queries the status of a user. |
|
cdn:DescribeUserCdncomputeStatus |
- |
|
cdn:DescribeUserCertificateExpireCount |
Queries the number of domain names whose SSL certificates are about to expire or have already expired. |
|
cdn:DescribeUserConfigs |
Queries configurations of security features. |
|
cdn:DescribeUserTags |
Queries user tags. |
|
cdn:DescribeUserUsageDataExportTask |
Queries usage export tasks that were created in the last three months. |
|
cdn:DescribeUserUsageDetailDataExportTask |
Queries tasks that were used to export resource usage details of one or more accelerated domain names that belong to your Alibaba Cloud account. Resource usage information is collected every five minutes. |
|
cdn:DescribeVerifyContent |
Queries the ownership verification content of an accelerated domain name. |
|
cdn:DescribeVersionConfig |
- |
|
cdn:DescribeVersionConfigForDiff |
- |
|
cdn:DescribeViewUsedTraf |
- |
|
cdn:ForbidLiveStream |
- |
|
cdn:GenerateCdnDiagnose |
- |
|
cdn:GetCancelPreloadTask |
- |
|
cdn:HttpRequestStagingTest |
- |
|
cdn:HttpRequestTestTool |
- |
|
cdn:ListConfigGroupActivateRecords |
- |
|
cdn:ListConfigGroupVersionDomains |
- |
|
cdn:ListConfigGroupVersions |
- |
|
cdn:ListConfigGroups |
- |
|
cdn:ListDomainsByLogConfigId |
Queries domain names by log configuration ID. |
|
cdn:ListEsTemplateInfo |
- |
|
cdn:ListFCTrigger |
Queries the Function Compute trigger that is set for an Alibaba Cloud CDN event. |
|
cdn:ListRealtimeLogDelivery |
Queries all real-time log delivery tasks within your Alibaba Cloud account. |
|
cdn:ListRealtimeLogDeliveryDomains |
Queries all domain names that are associated with a specific real-time log delivery configuration record. |
|
cdn:ListRealtimeLogDeliveryInfos |
Queries the information about the real-time log delivery feature in a specified region. |
|
cdn:ListUserCustomLogConfig |
Queries all custom log configurations in your account. |
|
cdn:ModifyBlockSinaUids |
- |
|
cdn:ModifyByteUrlBlockData |
- |
|
cdn:ModifyCdnDomainOwner |
Transfer domain names from an Alibaba Cloud account to the current account. |
|
cdn:ModifyCdnService |
Changes the metering method of Alibaba Cloud CDN. |
|
cdn:ModifyConfigGroup |
- |
|
cdn:ModifyConfigGroupVersion |
- |
|
cdn:ModifyCustomDomainSampleRate |
- |
|
cdn:ModifyRefererBlockData |
- |
|
cdn:NotifyDomainBeiAnExpiration |
- |
|
cdn:OpenCdnService |
Activates Alibaba Cloud CDN. You must activate Alibaba Cloud CDN before you can manage domain names in Alibaba Cloud CDN. |
|
cdn:PenaliseDomainBeiAnExpiration |
- |
|
cdn:RefreshObjectCacheByCacheTag |
Refreshes the cache based on cache tags that you configured. |
|
cdn:ResumeLiveStream |
- |
|
cdn:SetCdnDomainSMCertificate |
Enables or disables a ShangMi (SM) certificate for a domain name. |
|
cdn:SetCdnFullDomainsBlockIP |
Blocks or unblocks IP addresses. This setting applies to all domain names in your account. |
|
cdn:SetCdnUserConfig |
- |
|
cdn:SetForceRedirectConfig |
- |
|
cdn:SetHttpHeaderConfig |
- |
|
cdn:SetHttpsOptionConfig |
- |
|
cdn:SetIgnoreQueryStringConfig |
- |
|
cdn:SetIpAllowListConfig |
- |
|
cdn:SetIpBlackListConfig |
- |
|
cdn:SetOptimizeConfig |
- |
|
cdn:SetPageCompressConfig |
- |
|
cdn:SetPathCacheExpiredConfig |
- |
|
cdn:SetRemoteReqAuthConfig |
- |
|
cdn:SetReqAuthConfig |
- |
|
cdn:SetReqHeaderConfig |
Sets a custom origin header. |
|
cdn:SetSnMultiLive |
- |
|
cdn:SetSnMultiLiveDomainConf |
- |
|
cdn:SetSourceHostConfig |
- |
|
cdn:SetVersionConfig |
- |
|
cdn:SetWaitingRoomConfig |
Configures the virtual waiting room feature for an accelerated domain name. This operation is available only for accelerated domain names of the Dynamic CDN workload type. |
|
cdn:StopPreload |
- |
|
cdn:UpdateCdnDeliverTask |
Updates a tracking task. |
|
cdn:UpdateFCTrigger |
Updates a specified Function Compute trigger. |
|
cdn:VerifyDomainOwner |
Verifies the ownership of a specified domain name. |
|
cdn:describeRefreshTasks |
- |
|
cdn:describeUserDomains |
- |
|
cdn:describeVerifyContent |
- |
|
cdn:describedomainsrcqpsdata |
- |
|
cdn:verifyDomainOwner |
- |
For these actions, you must create a custom policy with the scope set to Account.
Customize the following policy examples to suit your needs:
-
Allow read-only access
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "cdn:BatchDescribeCdnIpInfo", "cdn:BatchDescribeDomainBackupCname", "cdn:BatchDescribeDomainMd5Info", "cdn:DescribeActiveConfigGroupVersion", "cdn:DescribeBlockedRegions", "cdn:DescribeCdnCcSignatureArgList", "cdn:DescribeCdnCcSignatureObjectList", "cdn:DescribeCdnCertificateDetail", "cdn:DescribeCdnCertificateDetailById", "cdn:DescribeCdnComputeUserDomain", "cdn:DescribeCdnConditionIPBInfo", "cdn:DescribeCdnDeletedDomains", "cdn:DescribeCdnDeliverList", "cdn:DescribeCdnDiagnoseReport", "cdn:DescribeCdnDomainByCertificate", "cdn:DescribeCdnFullDomainsBlockIPConfig", "cdn:DescribeCdnFullDomainsBlockIPHistory", "cdn:DescribeCdnHttpsDomainList", "cdn:DescribeCdnIpCidr", "cdn:DescribeCdnMonitorData", "cdn:DescribeCdnOrderCommodityCode", "cdn:DescribeCdnRegionAndIsp", "cdn:DescribeCdnReportList", "cdn:DescribeCdnSMCertificateDetail", "cdn:DescribeCdnSecFuncInfo", "cdn:DescribeCdnService", "cdn:DescribeCdnSubList", "cdn:DescribeCdnTypes", "cdn:DescribeCdnUserAppSecDrop", "cdn:DescribeCdnUserBillHistory", "cdn:DescribeCdnUserBillPrediction", "cdn:DescribeCdnUserBillType", "cdn:DescribeCdnUserConfigs", "cdn:DescribeCdnUserQuota", "cdn:DescribeCdnUserResourcePackage", "cdn:DescribeCdnUserSecDrop", "cdn:DescribeCertificateInfoByID", "cdn:DescribeConfigGroupDetail", "cdn:DescribeConfigGroupVersion", "cdn:DescribeCustomDomainSampleRate", "cdn:DescribeCustomLogConfig", "cdn:DescribeDomainConfigs", "cdn:DescribeDomainISPLocationDetailData", "cdn:DescribeDomainMd5Info", "cdn:DescribeDomainSrcFlowData", "cdn:DescribeDomainVerifyData", "cdn:DescribeDomainsBySource", "cdn:DescribeEsExceptionData", "cdn:DescribeEsExecuteData", "cdn:DescribeFCTrigger", "cdn:DescribeGifshowView", "cdn:DescribeIpInfo", "cdn:DescribeIpStatus", "cdn:DescribeLiveStreamOnlineUserNum", "cdn:DescribeLiveStreamPushData", "cdn:DescribeLiveStreamRecordIndexFile", "cdn:DescribeLiveStreamRecordIndexFiles", "cdn:DescribeLiveStreamSnapshotInfo", "cdn:DescribeLiveStreamTranscodeStreamNum", "cdn:DescribeLiveStreamsFrameRateAndBitRateData", "cdn:DescribeLiveStreamsOnlineList", "cdn:DescribePreloadDetailById", "cdn:DescribeRealtimeDeliveryAcc", "cdn:DescribeRealtimeLogAuthorized", "cdn:DescribeRefreshQuota", "cdn:DescribeRefreshTaskById", "cdn:DescribeRefreshTasks1", "cdn:DescribeSinaUidsBlockData", "cdn:DescribeSnMultiLive", "cdn:DescribeStagingIp", "cdn:DescribeTopDomainsByFlow", "cdn:DescribeUserCdnStatus", "cdn:DescribeUserCdncomputeStatus", "cdn:DescribeUserCertificateExpireCount", "cdn:DescribeUserConfigs", "cdn:DescribeUserTags", "cdn:DescribeUserUsageDataExportTask", "cdn:DescribeUserUsageDetailDataExportTask", "cdn:DescribeVerifyContent", "cdn:DescribeVersionConfig", "cdn:DescribeVersionConfigForDiff", "cdn:DescribeViewUsedTraf", "cdn:GetCancelPreloadTask", "cdn:ListConfigGroupActivateRecords", "cdn:ListConfigGroupVersionDomains", "cdn:ListConfigGroupVersions", "cdn:ListConfigGroups", "cdn:ListDomainsByLogConfigId", "cdn:ListEsTemplateInfo", "cdn:ListFCTrigger", "cdn:ListRealtimeLogDelivery", "cdn:ListRealtimeLogDeliveryDomains", "cdn:ListRealtimeLogDeliveryInfos", "cdn:ListUserCustomLogConfig" ], "Resource": "*" } ] } -
Allow full access
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "cdn:ActivateConfigGroupVersion", "cdn:AddConfigGroup", "cdn:AddFCTrigger", "cdn:AddLivePullStreamInfo", "cdn:AdvancePurgeObjectCache", "cdn:BatchDescribeCdnIpInfo", "cdn:BatchDescribeDomainBackupCname", "cdn:BatchDescribeDomainMd5Info", "cdn:CdnMigrateRegister", "cdn:ChangeCdnDomainToDcdn", "cdn:CheckDomainBeiAnExpiration", "cdn:CloneConfigGroupVersion", "cdn:CreateCdnCertificateSigningRequest", "cdn:CreateCdnComputeDomain", "cdn:CreateCdnbag", "cdn:CreateLiveStreamRecordIndexFiles", "cdn:CreateUserUsageDataExportTask", "cdn:DeactivateConfigGroupVersion", "cdn:DeleteCdnDeliverTask", "cdn:DeleteCdnSubTask", "cdn:DeleteConfigGroup", "cdn:DeleteConfigGroupVersion", "cdn:DeleteFCTrigger", "cdn:DeleteLivePullStreamInfo", "cdn:DeleteRealTimeLogLogstore", "cdn:DeleteUsageDetailDataExportTask", "cdn:DeleteUserUsageDataExportTask", "cdn:DeleteVersionConfig", "cdn:DescribeActiveConfigGroupVersion", "cdn:DescribeBlockedRegions", "cdn:DescribeCdnCcSignatureArgList", "cdn:DescribeCdnCcSignatureObjectList", "cdn:DescribeCdnCertificateDetail", "cdn:DescribeCdnCertificateDetailById", "cdn:DescribeCdnComputeUserDomain", "cdn:DescribeCdnConditionIPBInfo", "cdn:DescribeCdnDeletedDomains", "cdn:DescribeCdnDeliverList", "cdn:DescribeCdnDiagnoseReport", "cdn:DescribeCdnDomainByCertificate", "cdn:DescribeCdnFullDomainsBlockIPConfig", "cdn:DescribeCdnFullDomainsBlockIPHistory", "cdn:DescribeCdnHttpsDomainList", "cdn:DescribeCdnIpCidr", "cdn:DescribeCdnMonitorData", "cdn:DescribeCdnOrderCommodityCode", "cdn:DescribeCdnRegionAndIsp", "cdn:DescribeCdnReportList", "cdn:DescribeCdnSMCertificateDetail", "cdn:DescribeCdnSecFuncInfo", "cdn:DescribeCdnService", "cdn:DescribeCdnSubList", "cdn:DescribeCdnTypes", "cdn:DescribeCdnUserAppSecDrop", "cdn:DescribeCdnUserBillHistory", "cdn:DescribeCdnUserBillPrediction", "cdn:DescribeCdnUserBillType", "cdn:DescribeCdnUserConfigs", "cdn:DescribeCdnUserQuota", "cdn:DescribeCdnUserResourcePackage", "cdn:DescribeCdnUserSecDrop", "cdn:DescribeCertificateInfoByID", "cdn:DescribeConfigGroupDetail", "cdn:DescribeConfigGroupVersion", "cdn:DescribeCustomDomainSampleRate", "cdn:DescribeCustomLogConfig", "cdn:DescribeDomainConfigs", "cdn:DescribeDomainISPLocationDetailData", "cdn:DescribeDomainMd5Info", "cdn:DescribeDomainSrcFlowData", "cdn:DescribeDomainVerifyData", "cdn:DescribeDomainsBySource", "cdn:DescribeEsExceptionData", "cdn:DescribeEsExecuteData", "cdn:DescribeFCTrigger", "cdn:DescribeGifshowView", "cdn:DescribeIpInfo", "cdn:DescribeIpStatus", "cdn:DescribeLiveStreamOnlineUserNum", "cdn:DescribeLiveStreamPushData", "cdn:DescribeLiveStreamRecordIndexFile", "cdn:DescribeLiveStreamRecordIndexFiles", "cdn:DescribeLiveStreamSnapshotInfo", "cdn:DescribeLiveStreamTranscodeStreamNum", "cdn:DescribeLiveStreamsFrameRateAndBitRateData", "cdn:DescribeLiveStreamsOnlineList", "cdn:DescribePreloadDetailById", "cdn:DescribeRealtimeDeliveryAcc", "cdn:DescribeRealtimeLogAuthorized", "cdn:DescribeRefreshQuota", "cdn:DescribeRefreshTaskById", "cdn:DescribeRefreshTasks1", "cdn:DescribeSinaUidsBlockData", "cdn:DescribeSnMultiLive", "cdn:DescribeStagingIp", "cdn:DescribeTopDomainsByFlow", "cdn:DescribeUserCdnStatus", "cdn:DescribeUserCdncomputeStatus", "cdn:DescribeUserCertificateExpireCount", "cdn:DescribeUserConfigs", "cdn:DescribeUserTags", "cdn:DescribeUserUsageDataExportTask", "cdn:DescribeUserUsageDetailDataExportTask", "cdn:DescribeVerifyContent", "cdn:DescribeVersionConfig", "cdn:DescribeVersionConfigForDiff", "cdn:DescribeViewUsedTraf", "cdn:ForbidLiveStream", "cdn:GenerateCdnDiagnose", "cdn:GetCancelPreloadTask", "cdn:HttpRequestStagingTest", "cdn:HttpRequestTestTool", "cdn:ListConfigGroupActivateRecords", "cdn:ListConfigGroupVersionDomains", "cdn:ListConfigGroupVersions", "cdn:ListConfigGroups", "cdn:ListDomainsByLogConfigId", "cdn:ListEsTemplateInfo", "cdn:ListFCTrigger", "cdn:ListRealtimeLogDelivery", "cdn:ListRealtimeLogDeliveryDomains", "cdn:ListRealtimeLogDeliveryInfos", "cdn:ListUserCustomLogConfig", "cdn:ModifyBlockSinaUids", "cdn:ModifyByteUrlBlockData", "cdn:ModifyCdnDomainOwner", "cdn:ModifyCdnService", "cdn:ModifyConfigGroup", "cdn:ModifyConfigGroupVersion", "cdn:ModifyCustomDomainSampleRate", "cdn:ModifyRefererBlockData", "cdn:NotifyDomainBeiAnExpiration", "cdn:OpenCdnService", "cdn:PenaliseDomainBeiAnExpiration", "cdn:RefreshObjectCacheByCacheTag", "cdn:ResumeLiveStream", "cdn:SetCdnDomainSMCertificate", "cdn:SetCdnFullDomainsBlockIP", "cdn:SetCdnUserConfig", "cdn:SetForceRedirectConfig", "cdn:SetHttpHeaderConfig", "cdn:SetHttpsOptionConfig", "cdn:SetIgnoreQueryStringConfig", "cdn:SetIpAllowListConfig", "cdn:SetIpBlackListConfig", "cdn:SetOptimizeConfig", "cdn:SetPageCompressConfig", "cdn:SetPathCacheExpiredConfig", "cdn:SetRemoteReqAuthConfig", "cdn:SetReqAuthConfig", "cdn:SetReqHeaderConfig", "cdn:SetSnMultiLive", "cdn:SetSnMultiLiveDomainConf", "cdn:SetSourceHostConfig", "cdn:SetVersionConfig", "cdn:SetWaitingRoomConfig", "cdn:StopPreload", "cdn:UpdateCdnDeliverTask", "cdn:UpdateFCTrigger", "cdn:VerifyDomainOwner", "cdn:describeRefreshTasks", "cdn:describeUserDomains", "cdn:describeVerifyContent", "cdn:describedomainsrcqpsdata", "cdn:verifyDomainOwner" ], "Resource": "*" } ] }
Granting account-level permissions allows access to all relevant resources in the account. Always follow PoLP.
FAQ
How do I find which resource group a resource belongs to?
-
Method 1: From the service console
-
Navigate to the service console where the resource was created. On the resource's details page, you can typically find the resource group listed in the basic information section.
-
-
Method 2: From the Resource Management console
-
Log on to the Resource Management console.
-
Choose .
-
In the left pane, select the account that owns the target resource (the default is Current Account).
-
Use filter conditions to find your resource.
-
The Resource Group column shows which group the resource belongs to.
-
How do I view all resources in a specific resource group?
-
Method 1:
-
Log on to the Resource Management console.
-
Choose .
-
In the left pane, under the account that owns the resources (the default is Current Account), click the name of the desired resource group.
-
In the right pane, select the cloud service from the Select resource types drop-down list.
-
All resources in that group will be displayed.
-
-
Method 2:
-
Log on to the Resource Management console.
-
Choose .
-
Find the desired resource group and click Manage Resource in the Actions column.
-
On the resource management page, select the cloud service from the Service drop-down list.
-
All resources in that group will be displayed.
-
How do I move multiple resources to a different resource group in batch?
-
Log on to the Resource Management console.
-
Choose .
-
Find the desired resource group and click Manage Resource in the Actions column.
-
On the resource management page, use filter conditions to find the resources you want to move.
-
Select the checkbox for each resource.
-
At the bottom of the page, click Transfer.
-
In the dialog box, select the destination resource group and click Confirm.