Intelligent Media Management: Grant cross-account access to OSS resources

Last Updated: Mar 24, 2025

Intelligent Media Management (IMM) allows you to process data stored in an Object Storage Service (OSS) bucket within the same Alibaba Cloud account by binding the bucket to an IMM project. Additionally, it allows you to process data stored in an OSS bucket from a different Alibaba Cloud account by configuring a bucket policy. This topic describes how to grant IMM cross-account access to OSS data and process the data.

A bucket policy is a bucket-specific access policy that can grant data access across Alibaba Cloud accounts. For more information, see Bucket policies.

Background information

User A (Account A) needs to process data in an OSS bucket owned by User B (Account B) by using the IMM API. However, User B cannot provide User A with a Resource Access Management (RAM) user or make the bucket publicly accessible due to compliance requirements. In this case, User B can create a bucket policy that allows User A to access the bucket.

Prerequisites

  • An IMM project is created in Account A, and the IMM service in Account A has assumed the AliyunIMMDefaultRole service-linked role, which it uses to access resources in other Alibaba Cloud services. In this example, the immtest project is used.

    Note

    A service-linked role is a RAM role that is assumed by an Alibaba Cloud service in order to access other Alibaba Cloud services. A service-linked role enables fine-grained permission control and simplifies cross-service access authorization. For more information about service-linked roles, see Service-linked roles.

  • An OSS bucket is created in Account B, and the resources to be processed by using the IMM API are uploaded to the bucket. In this example, the test-bucket-2024 bucket is used.

    Note

    Make sure that public access to the bucket is blocked.

Step 1: Create a bucket policy for the bucket owned by Account B

Perform the following steps to create a bucket policy for the bucket in Account B to grant Account A access to the bucket:

  1. Obtain the UID of Account A.

    1. Use Account A to log on to the Alibaba Cloud Management Console.

    2. Move the pointer over the user profile in the upper-right corner and copy the account ID (UID). Provide User B with the UID of Account A.

  2. Perform the following steps to allow the AliyunIMMDefaultRole role of Account A to access the bucket.

    1. Use Account B to log on to the OSS console.

    2. In the left-side navigation pane, click Buckets. On the Buckets page, click the name of the bucket.

    3. In the left-side navigation tree, choose Permission Control > Bucket Policy.

    4. On the Bucket Policy tab, click Add by Syntax and then click Edit.

    5. In the code editor, enter the bucket policy content and click Save.

    The following bucket policy authorizes the AliyunIMMDefaultRole role in Account A to access all resources in the test-bucket-2024 bucket that belongs to Account B. For more information about permissions, see RAM policies.

    Important
    • If you configure a bucket policy by specifying policy statements to grant the RAM role the required permissions, the new bucket policy overwrites the existing bucket policy. Make sure that the new bucket policy also contains the statements of the existing bucket policy. Otherwise, requests that relied on the existing bucket policy may fail.

    • If you use the sample bucket policy, replace {UID of Account A}, {UID of Account B}, and bucket name test-bucket-2024 with your actual information.

    {
      "Version": "1",
      "Statement": [{
        "Effect": "Allow",
        "Action": [
          "ram:PassRole"
        ],
        "Principal": [
          
        ],
        "Resource": [
          "arn:sts::{UID of Account A}:assumed-role/AliyunIMMDefaultRole/*"
        ]
      }, {
        "Effect": "Allow",
        "Action": [
          "oss:GetObject",
          "oss:GetObjectAcl",
          "oss:ListObjects",
          "oss:RestoreObject",
          "oss:GetVodPlaylist",
          "oss:ListObjectVersions",
          "oss:GetObjectVersion",
          "oss:GetObjectVersionAcl",
          "oss:RestoreObjectVersion"
        ],
        "Principal": [
          "arn:sts::{UID of Account A}:assumed-role/AliyunIMMDefaultRole/*"
        ],
        "Resource": [
          "acs:oss:*:{UID of Account B}:test-bucket-2024/*"
        ]
      }]
    }
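Because the policy editor replaces the whole bucket policy, a practical way to avoid losing existing grants is to build the new statement for AliyunIMMDefaultRole, append it to a copy of the current policy, and review the result for over-broad principals, resources or write actions before saving. The following script is an added example, not part of this topic or of the IMM service; the existing policy, UIDs and the "shared/" prefix are constructed values, and it covers the OSS read statement of the sample policy (the ram:PassRole statement is left as shown above).

```python
import json

# Constructed sample of a bucket's existing policy (hypothetical values). The
# "Add by Syntax" editor replaces the whole policy, so this grant must be carried over.
EXISTING_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow", "Action": ["oss:GetObject"],
        "Principal": ["2233445566778899"],
        "Resource": ["acs:oss:*:1122334455667788:test-bucket-2024/shared/*"],
    }],
}

# Read-only actions from the sample statement for AliyunIMMDefaultRole.
IMM_READ_ACTIONS = [
    "oss:GetObject", "oss:GetObjectAcl", "oss:ListObjects", "oss:RestoreObject", "oss:GetVodPlaylist",
    "oss:ListObjectVersions", "oss:GetObjectVersion", "oss:GetObjectVersionAcl", "oss:RestoreObjectVersion",
]

def imm_role_statement(uid_a: str, uid_b: str, bucket: str) -> dict:
    """Statement granting Account A's AliyunIMMDefaultRole read access to Account B's bucket."""
    return {
        "Effect": "Allow",
        "Action": list(IMM_READ_ACTIONS),
        "Principal": [f"arn:sts::{uid_a}:assumed-role/AliyunIMMDefaultRole/*"],
        "Resource": [f"acs:oss:*:{uid_b}:{bucket}/*"],
    }

def merge_policy(existing: dict, statement: dict) -> dict:
    """Append the statement to a deep copy of the existing policy so earlier grants survive."""
    merged = json.loads(json.dumps(existing)) if existing else {"Version": "1", "Statement": []}
    merged["Statement"].append(statement)
    return merged

def review_policy(policy: dict, uid_b: str, bucket: str) -> list:
    """Least-privilege review: list Allow statements that reach beyond the intended grant."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if "*" in st.get("Principal", []):
            findings.append(f"statement {i}: anonymous principal '*'")
        for res in st.get("Resource", []):
            if res.startswith("acs:oss:") and not res.startswith(f"acs:oss:*:{uid_b}:{bucket}"):
                findings.append(f"statement {i}: resource outside {bucket}: {res}")
        for act in st.get("Action", []):
            if act == "oss:*" or act.startswith(("oss:Put", "oss:Delete")):
                findings.append(f"statement {i}: write or delete action {act}")
    return findings
```

Save the output of merge_policy only when review_policy returns no findings; json.dumps(merged, indent=2) produces the text to paste into the editor.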

Step 2: Process the resources in the bucket by using IMM from Account A

After the bucket policy is configured, Account A can process the resources in the bucket by using the IMM API. This example shows how Account A queries the quality score of an image in the bucket owned by Account B by calling the DetectImageScore operation.

Sample image

  • IMM project: immtest

  • Image path: oss://test-bucket-2024/test-object.jpg

Sample request

{
  "ProjectName": "immtest",
  "SourceURI": "oss://test-bucket-2024/test-object.jpg"
}

Sample success response

{
  "RequestId": "1AEABE83-5746-02E4-A97D-52EE4BB*****",
  "ImageScore": {
    "OverallQualityScore": 0.727
  }
}

Note

The operation call returns the quality score of the image. The success response indicates that Account A has cross-account access to resources in the bucket in Account B.