By default, Resource Access Management (RAM) users have no permissions to enable or manage the log storage feature of Dynamic Route for CDN (DCDN). If you want a RAM user to enable or manage log storage, you must grant the required permissions by attaching permission policies to that user. The policies define exactly which log storage operations the user is allowed to call.

Background information

  • RAM is an identity management and access control service that is provided by Alibaba Cloud. RAM allows you to create and manage RAM users for employees, systems, applications, and other entities. You can use RAM to implement access control on your Alibaba Cloud resources.
  • Permissions on log storage can be granted only to Alibaba Cloud accounts or RAM users. They cannot be granted to RAM roles, so credentials obtained by assuming a role cannot be used to manage log storage. For more information, see AssumeRole.

Scenarios

In this topic, a permission policy is used to grant a RAM user full permissions on log storage. The permission policy allows the RAM user to enable, manage, query, modify, and disable log storage.
Note Due to the complex inter-service relationships that are associated with the APIs used to manage log storage, Alibaba Cloud does not provide public-facing access to these APIs. We recommend that you manage log storage through the DCDN console.

Step 1: Create a custom policy

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. Click the JSON tab and enter the policy content.
    Figure 1. JSON (create a custom policy)
    Grant the RAM user full permissions on log storage. This includes the permissions to enable, manage, query, modify, and disable log storage. The following code block shows the content of the custom permission policy:
    Note You can grant all of the permissions shown here or only a subset. The Describe operations listed in the table below are required for the RAM user to use log storage at all; the remaining operations change state and can be left out for a read-only user.
    {
        "Statement": [
            {
                "Action": "ram:CreateServiceLinkedRole",
                "Resource": "acs:ram:*:*:role/*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": [
                            "logdelivery.dcdn.aliyuncs.com"
                        ]
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": [
                    "dcdn:DescribeDcdnUserDomains",
                    "dcdn:CreateDcdnDomainOfflineLogDelivery",
                    "dcdn:DescribeDcdnOfflineLogDeliveryStatus",
                    "dcdn:DescribeDcdnOfflineLogDelivery",
                    "dcdn:DescribeDcdnOfflineLogDeliveryField",
                    "dcdn:DescribeDcdnOfflineLogDeliveryRegions",
                    "dcdn:DisableDcdnDomainOfflineLogDelivery",
                    "dcdn:DisableDcdnOfflineLogDelivery",
                    "dcdn:EnableDcdnDomainOfflineLogDelivery"
                ],
                "Resource": "acs:dcdn:*:*:*"
            }
        ],
        "Version": "1"
    }
    The first statement allows the RAM user to create the service-linked role that DCDN log delivery runs under; the ram:ServiceName condition restricts it to that one service so the grant cannot be used to create service-linked roles for anything else. The following table describes the API operations on which you can grant permissions through custom permission policies. "Required" means the operation must be granted for the RAM user to use log storage at all; operations marked "No" change state and should be granted only to users who need them.

    | API | Required | Purpose | Description |
    | --- | --- | --- | --- |
    | DescribeDcdnUserDomains | Yes | Queries all domain names that are added to DCDN. | Allows the RAM user to list the domain names that are added to DCDN and configure log storage for them. |
    | CreateDcdnDomainOfflineLogDelivery | No | Enables log storage. | Allows the RAM user to enable log storage. Grant permissions on this operation with caution. |
    | DescribeDcdnOfflineLogDeliveryStatus | Yes | Queries whether log storage is enabled. | Allows the RAM user to check whether log storage is enabled. Permissions on this operation are also required to enable log storage. |
    | DescribeDcdnOfflineLogDelivery | Yes | Queries domain names that have log storage enabled. | Allows the RAM user to list the domain names that have log storage enabled. |
    | DescribeDcdnOfflineLogDeliveryField | Yes | Queries the fields that are supported by log storage. | Allows the RAM user to query the log fields that log storage supports. Permissions on this operation are also required to enable log storage. |
    | DescribeDcdnOfflineLogDeliveryRegions | Yes | Queries the regions in which log storage is supported. | None. |
    | DisableDcdnDomainOfflineLogDelivery | No | Disables log storage for a domain name. | Allows the RAM user to disable log storage on individual domain names. Grant permissions on this operation with caution. |
    | EnableDcdnDomainOfflineLogDelivery | No | Enables log storage for a domain name. | Allows the RAM user to create log storage tasks for a domain name. Grant permissions on this operation with caution. |
    | DisableDcdnOfflineLogDelivery | No | Disables log storage (not just for one domain name). | Allows the RAM user to disable log storage. If log storage is disabled, the previous configurations are lost and you must re-enable and re-configure log storage before you can use it again. Grant permissions on this operation with caution. |
  5. Click Next: Edit Basic Information. On the page that appears, configure the Name and Note parameters for the policy.
    Figure 2. Basic Information (Name and Note)

    | Parameter | Description |
    | --- | --- |
    | Name | Enter an informative name for easy identification. |
    | Note | Optional. Enter a description for the custom permission policy. |
  6. Check and optimize the custom policy.
    • Basic optimization
      The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:
      • Deletes unnecessary conditions.
      • Deletes unnecessary arrays.
    • Optional: Advanced optimization
      You can move the pointer over Optional: Advanced Optimize and click Perform. The system performs the following operations during advanced optimization:
      • Splits resources or conditions that are incompatible with actions.
      • Narrows down resources.
      • Deduplicates or merges policy statements.
  7. Click OK.
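The note in step 4 says you may grant all or only part of these permissions. The following script, an added example rather than code from the Alibaba Cloud documentation or console, builds the policy document above in two variants (full, and a read-only variant that keeps only the Describe operations and drops the service-linked-role grant) and lints the result before you paste it into the JSON tab: it checks that the version is "1", that no action is a wildcard, and that the ram:CreateServiceLinkedRole statement stays pinned to logdelivery.dcdn.aliyuncs.com and to role resources. The action names, resources and service name are taken from the policy on this page; the classification of operations as read-only or state-changing follows the table's "Grant permissions on this operation with caution" markers.

```python
"""Build and lint the DCDN log-storage RAM policy from this page.

Added example, not Alibaba Cloud tooling. Action names, resources and the
service-linked-role service name come from the policy on the page; the
read-only/mutating split follows the page's table.
"""
import json

SLR_SERVICE = "logdelivery.dcdn.aliyuncs.com"
SLR_RESOURCE = "acs:ram:*:*:role/*"

# (action, required for basic use, changes state) as described in the table
DCDN_ACTIONS = [
    ("dcdn:DescribeDcdnUserDomains", True, False),
    ("dcdn:CreateDcdnDomainOfflineLogDelivery", False, True),
    ("dcdn:DescribeDcdnOfflineLogDeliveryStatus", True, False),
    ("dcdn:DescribeDcdnOfflineLogDelivery", True, False),
    ("dcdn:DescribeDcdnOfflineLogDeliveryField", True, False),
    ("dcdn:DescribeDcdnOfflineLogDeliveryRegions", True, False),
    ("dcdn:DisableDcdnDomainOfflineLogDelivery", False, True),
    ("dcdn:DisableDcdnOfflineLogDelivery", False, True),
    ("dcdn:EnableDcdnDomainOfflineLogDelivery", False, True),
]


def _actions(statement):
    """Normalise a statement's Action field (string or list) to a list."""
    acts = statement.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)


def build_policy(read_only):
    """Return the policy document as a dict.

    read_only=True keeps only the Describe* actions and omits the
    service-linked-role statement, which is only needed to enable log storage.
    """
    actions = [a for a, _req, mut in DCDN_ACTIONS if not (read_only and mut)]
    statements = []
    if not read_only:
        statements.append({
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": SLR_RESOURCE,
            "Effect": "Allow",
            "Condition": {"StringEquals": {"ram:ServiceName": [SLR_SERVICE]}},
        })
    statements.append({"Effect": "Allow", "Action": actions,
                       "Resource": "acs:dcdn:*:*:*"})
    return {"Statement": statements, "Version": "1"}


def lint_policy(policy):
    """Return a list of problems; an empty list means the policy passes."""
    problems = []
    if policy.get("Version") != "1":
        problems.append('Version must be the string "1"')
    for i, st in enumerate(policy.get("Statement", [])):
        acts = _actions(st)
        if st.get("Effect") != "Allow":
            problems.append(f"statement {i}: unexpected Effect {st.get('Effect')!r}")
        if any(a.endswith("*") for a in acts):
            problems.append(f"statement {i}: wildcard action in {acts}")
        if "ram:CreateServiceLinkedRole" in acts:
            # The SLR grant must be alone, service-pinned and role-scoped.
            if len(acts) != 1:
                problems.append(f"statement {i}: CreateServiceLinkedRole must be its own statement")
            cond = st.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName")
            if cond != [SLR_SERVICE]:
                problems.append(f"statement {i}: CreateServiceLinkedRole not restricted to {SLR_SERVICE}")
            if st.get("Resource") != SLR_RESOURCE:
                problems.append(f"statement {i}: CreateServiceLinkedRole resource must be {SLR_RESOURCE}")
        elif not all(a.startswith("dcdn:") for a in acts):
            problems.append(f"statement {i}: non-dcdn action in {acts}")
    return problems


def mutating_actions(policy):
    """Actions in the policy that the page says to grant with caution."""
    caution = {a for a, _req, mut in DCDN_ACTIONS if mut}
    return {a for st in policy.get("Statement", []) for a in _actions(st) if a in caution}


if __name__ == "__main__":
    import sys
    variant = sys.argv[1] if len(sys.argv) > 1 else "full"   # "full" or "readonly"
    doc = build_policy(read_only=(variant == "readonly"))
    for p in lint_policy(doc):
        sys.exit(f"policy rejected: {p}")
    print(json.dumps(doc, indent=2))
```

Run `python3 build_policy.py readonly` for a user who only needs to check log storage status, or `python3 build_policy.py` to reproduce the full policy shown above; the printed JSON is what you paste into the JSON tab in step 4. The lint runs before anything is printed, so a policy whose service-linked-role statement has lost its ram:ServiceName condition (which would let the user create service-linked roles for any service) is rejected rather than copied into the console.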

Step 2: Grant permissions to a RAM user

  1. Log on to the RAM console.
  2. Create a RAM user.
    Note If you have created a RAM user, skip this step.
  3. In the left-side navigation pane, choose Identities > Users.
  4. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
  5. In the Add Permissions panel, set the following parameters.
    Figure 3. Add permissions

    | Parameter | Description |
    | --- | --- |
    | Authorized Scope | Select Alibaba Cloud Account. This specifies that the policy is applied to all resources that belong to the current Alibaba Cloud account. Do not select Specific Resource Group. |
    | Principal | The current RAM user is selected by default. |
    | Select Policy | Select Custom Policy, and click the name of the custom policy created in Step 1: Create a custom policy. The custom policy is then added to the right-side Selected list. |

    Note If you want to allow the RAM user to enable log storage, also attach the AliyunDLAFullAccess permission policy to the RAM user. If this permission policy is not attached, the RAM user is unable to enable log storage.
  6. Click OK.
  7. Click Complete.

What to do next

Log on to the Alibaba Cloud Management Console as a RAM user