Using IAM Roles or Policies to Grant Access to CDN

Prerequisites

Before granting permissions to user groups, learn about system-defined permissions in role/policy-based authorization for CDN. To grant permissions for other services, learn about all system-defined permissions supported by IAM.

Process Flow

Figure 1 Process of granting CDN permissions using role/policy-based authorization

1. On the IAM console, create a user group and grant it permissions (CDN ReadOnlyAccess as an example).
2. Create an IAM user and add it to the created user group.
3. Log in as the IAM user and verify permissions.

   In the authorized region, perform the following operations:

   • Choose Service List > Content Delivery & Edge Computing > Content Delivery Network. In the navigation pane of the CDN console, choose Domains. Then click Add Domain Name. If a message appears indicating that you have insufficient permissions to perform the operation, the CDN ReadOnlyAccess policy is in effect.
   • Choose another service from Service List. If a message appears indicating that you have insufficient permissions to access the service, the CDN ReadOnlyAccess policy is in effect.

Example Custom Policies

Custom policies can be created to supplement the system-defined policies of CDN. For details about actions supported in custom policies, see Actions Supported by Policy-based Authorization.

To create a custom policy, choose either visual editor or JSON.

• Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
• JSON: Create a JSON policy or edit an existing one.

For details, see Creating a Custom Policy. The following lists examples of common CDN custom policies.

• Example 1: Grant permission to create domain names.

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cdn:configuration:createDomains"
            ]
        }
    ]
}

• Example 2: Grant permission to set an IP address blacklist.

{
        "Version": "1.1",
        "Statement": [
                {
                        "Action": [
                                "cdn:configuration:modifyIpAcl"
                        ],
                        "Effect": "Allow"
                }
        ]
}

• Example 3: Grant permission to deny domain name deletion.

  A policy with only "Deny" permissions must be used together with other policies. If the permissions granted to an IAM user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.

  Assume that you want to grant the permissions of the CDN Admin policy to a user but want to prevent them from deleting domain names. You can create a custom policy for denying domain name deletion, and attach this policy together with the CDN Admin policy to the user. As an explicit deny in any policy overrides any allows, the user can perform all operations on domain names excepting deleting them.

  Example policy denying domain name deletion:

  {
          "Version": "1.1",
          "Statement": [
                  {
                          "Action": [
                                  "cdn:configuration:deleteDomains"
                          ],
                          "Effect": "Deny"
                  }
          ]
  }

• Example 4: Create a custom policy containing multiple actions.

  A custom policy can contain the actions of one or multiple services that are of the same type (global or project-level).

  Example policy containing multiple actions:

  {
      "Version": "1.1",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "cdn:configuration:enableDomains",
                  "cdn:configuration:createDomains",
                  "scm:cert:get",
                  "scm:certProduct:get",
                  "scm:certType:get"
              ]
          }
      ]
  }