By default, Resource Access Management (RAM) users do not have permissions to prefetch or refresh resources. You can attach system or custom permission policies to a RAM user to allow the RAM user to prefetch and refresh resources.

Prerequisites

A RAM user is created. If no RAM user is created, create one. For more information, see Create a RAM user.

Background information

By default, RAM users do not have permissions to prefetch or refresh resources. If you log on to the Dynamic Route for CDN (DCDN) console and attempt to prefetch or refresh resources as a RAM user, the following error message appears: "The account does not have access to the page interface, or the interface does not support RAM access control." In this case, you must grant the required prefetch and refresh permissions to the RAM user.

RAM supports two types of permission policies: system permission policies and custom permission policies. You can attach a system or custom permission policy to a RAM user to allow the RAM user to prefetch and refresh resources.
  • System permission policies

    System permission policies are configured and provided by Alibaba Cloud. You cannot modify the system permission policies. A system permission policy grants RAM users full permissions (including service activation and configuration modification) on DCDN. Only a few steps are required to grant permissions to RAM users by using system permission policies. For more information, see Method 1: Attach a system permission policy to a RAM user.

  • Custom permission policies

    You can create, update, and manage custom permission policies based on business requirements. Custom permission policies grant RAM users only specified permissions. For example, you can use a custom permission policy to allow a RAM user only to prefetch and refresh resources, or manage the log storage feature. In this case, the RAM user does not have permissions to perform operations other than the authorized ones. For more information, see Method 2: Attach a custom permission policy to a RAM user.

Method 1: Attach a system permission policy to a RAM user

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, specify the required parameters.
    1. In the Authorized Scope section, select Alibaba Cloud Account.
    2. Click System Policy.
    3. Enter AliyunDCDN in the search box. The system automatically displays all permission policies that are related to DCDN.
    4. Click AliyunDCDNFullAccess to add the policy to the Selected list.
      Note: The AliyunDCDNFullAccess permission policy grants the RAM user full permissions on DCDN. The RAM user has permissions to call DCDN API operations and manage all accelerated domain names.
  5. Click OK.
  6. Click Complete.

Method 2: Attach a custom permission policy to a RAM user

  1. Create a custom policy.
    1. Log on to the RAM console.
    2. In the left-side navigation pane, choose Permissions > Policies.
    3. On the Policies page, click Create Policy.
    4. On the Create Policy page, click the JSON tab.
      In the edit box, enter the following policy content. This permission policy grants the RAM user permissions on the prefetch and refresh API operations. The RAM user can call API operations to prefetch or refresh resources.
      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "dcdn:PreloadDcdnObjectCaches",
              "dcdn:RefreshDcdnObjectCaches",
              "dcdn:DescribeDcdnRefreshTaskById",
              "dcdn:DescribeDcdnRefreshQuota",
              "dcdn:DescribeDcdnRefreshTasks"
            ],
            "Resource": "acs:dcdn:*:*:*",
            "Effect": "Allow"
          }
        ]
      }
      Note: The policy content must be expressed in a specific syntax structure to describe the authorized resource sets, operation sets, and authorization conditions. For more information, see Policy elements and Policy structure and syntax.

    5. Click Next: Edit Basic Information.
      Parameter       Definition
      Cluster Name    Enter a name that is descriptive and easy to identify. AliyunDcdnRefresh is used in this example.
      Remarks         Optional. Enter a description for the custom permission policy.
    6. Click OK.
  2. Attach the custom permission policy to the RAM user.
    1. Log on to the RAM console.
    2. In the left-side navigation pane, choose Identities > Users.
    3. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
    4. In the Add Permissions panel, specify the required parameters.
      Parameter           Definition
      Authorized Scope    Select Alibaba Cloud Account, which specifies that the authorized scope is all resources that belong to the current Alibaba Cloud account. Do not select Specific Resource Group.
      Principal           The current RAM user is automatically selected.
      Select Policy       Click the Custom Policy tab. Enter the name of the custom permission policy created in Step 1. The name of the custom permission policy in this example is AliyunDcdnRefresh. After the system displays the policy, click its name to add it to the Selected list.
    5. Click OK.
    6. Click Complete.
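
The check below is an added example, not part of the original documentation or of Alibaba Cloud's tooling: it compares a RAM policy document with the five prefetch and refresh actions from the custom policy in Method 2 and reports anything granted beyond them or missing from them. The names audit_policy, BROAD_POLICY and DENY_POLICY are assumptions made for illustration, the two extra policies are constructed samples, and Resource and Condition elements are not evaluated.

```python
import json
from fnmatch import fnmatchcase

# The five actions granted by the custom policy in Method 2.
EXPECTED = frozenset({
    "dcdn:PreloadDcdnObjectCaches",
    "dcdn:RefreshDcdnObjectCaches",
    "dcdn:DescribeDcdnRefreshTaskById",
    "dcdn:DescribeDcdnRefreshQuota",
    "dcdn:DescribeDcdnRefreshTasks",
})

def _as_list(value):
    """A policy element may hold one item or a list of items."""
    return value if isinstance(value, list) else [] if value is None else [value]

def audit_policy(document, expected=EXPECTED):
    """Return (excess, missing) for a RAM policy given as JSON text.
    excess:  Allow entries other than the expected names; wildcards count.
    missing: expected actions with no matching Allow, or with a matching Deny
             (an explicit Deny overrides an Allow).
    Resource and Condition are not evaluated (assumption of this example).
    """
    allow, deny = [], []
    for stmt in _as_list(json.loads(document).get("Statement")):
        if stmt.get("Effect") == "Allow":
            allow.extend(_as_list(stmt.get("Action")))
        elif stmt.get("Effect") == "Deny":
            deny.extend(_as_list(stmt.get("Action")))
    excess = sorted({p for p in allow if p not in expected})
    missing = sorted(
        a for a in expected
        if not any(fnmatchcase(a, p) for p in allow)
        or any(fnmatchcase(a, p) for p in deny)
    )
    return excess, missing

def _policy(*statements):
    return json.dumps({"Version": "1", "Statement": list(statements)})

# The page's policy, plus two constructed samples (not real account data).
PAGE_POLICY = _policy({"Action": sorted(EXPECTED), "Resource": "acs:dcdn:*:*:*", "Effect": "Allow"})
BROAD_POLICY = _policy({"Action": "dcdn:*", "Resource": "*", "Effect": "Allow"})
DENY_POLICY = _policy(
    {"Action": ["dcdn:Refresh*", "dcdn:DescribeDcdnRefresh*"], "Resource": "*", "Effect": "Allow"},
    {"Action": "dcdn:RefreshDcdnObjectCaches", "Resource": "*", "Effect": "Deny"},
)

for _name in ("PAGE_POLICY", "BROAD_POLICY", "DENY_POLICY"):
    print(_name, audit_policy(globals()[_name]))
```

An empty excess list means the policy grants nothing beyond prefetch and refresh; an empty missing list means the RAM user can still perform all five operations.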

What to do next

Log on to the Alibaba Cloud Management Console as a RAM user