Granting the sub-account accelerated domain name configuration permission
Last updated: 2019-08-22 17:52:13PDF
On the domain management and configuration page in COS, you can configure the default accelerated domain name, the custom CDN accelerated domain name, and the custom origin server domain name. Among them, the configuration of the default accelerated domain name and the custom CDN accelerated domain name is logically related to the CDN service. Therefore, if you want a sub-account to be able to configure them, in addition to the COS management permission, you must also grant the sub-account relevant permissions to the CDN service.
To ensure resource security, if you do not grant the sub-account relevant permissions to the CDN service, the sub-account will not have the permission to configure the default accelerated domain name for a COS bucket and the CDN accelerated domain name by default. If an unauthorized sub-account logs in to the COS Console and navigates to the domain management configuration page, an access denied error will be displayed as shown below:
If the sub-account needs to configure such domain names, you need to authorize it in the CAM Console by following the steps below:
As there is no corresponding policy template in the CAM Console, you need to create a custom policy. Go to the Policies page in the CAM Console and select Create Custom Policy > Create by Product Feature or Project Permission to enter the service type configuration page.
The permissions can be configured by a root account by default. If you are using a sub-account and want to configure the permissions here, please confirm that the root account has granted you permissions to do so. The user policy that should be authorized by the root account in this case is QcloudCamFullAccess.
On the service type configuration page, enter your policy name (e.g., COS_DomainAccess) and select the service type as CDN as shown below:
Click Next. You can grant the user permissions to the corresponding feature APIs based on your business needs. Access to and configuration of the default accelerated domain name and CDN accelerated domain name for a COS bucket involve five features, i.e., querying domain name information, adding domain names, enabling/disabling domain names, deleting domain names, and modifying domain name configuration. If you want the sub-account to have full access to the configurations of all domain names on the domain name configuration page, please toggle on all of the above features.
After selecting the corresponding features, click Next to associate objects.
Associate the features with objects. Select Associate an Object > All objects (including new resource objects purchased in the future), which has to be selected to make the policy configuration fully effective.
Confirm that the permissions are correctly configured and click Finish to create the custom policy.
After the custom policy is created, switch to the User List page and associate the sub-account with the policy.
In the Associate a Policy pop-up window, search for and select the custom policy you just created and click OK.
After the policy is associated, the sub-account is authorized and can log in to the COS Console to access and configure the default accelerated domain name and CDN accelerated domain name for a COS bucket as shown below: