When you create a project in Intelligent Media Management (IMM), you must specify a service role for the project. The service role allows IMM to access resources in other cloud services, such as Object Storage Service (OSS). This topic describes how to create a service role and authorize IMM to assume the service role.
When you create a service role, create a project, or change the service role of a project, you must have all permissions of the service role. Otherwise, the operation fails due to insufficient permissions.
Create a service role and complete authorization
Attach the service role
Authorize IMM to assume the default service role.
On the Cloud Resource Access Authorization page, view details of the AliyunIMMDefaultRole service role and click Confirm Authorization Policy.
After you create the service role, you can grant permissions to the service role in the RAM console.
The AliyunIMMDefaultRole service role has broad permissions on OSS. If a RAM user within your Alibaba Cloud account has the permissions to create or update IMM projects, that user can attach AliyunIMMDefaultRole to a project and then use metadata indexing to list or analyze objects in the OSS buckets the role can access, effectively acting with the role's permissions rather than the user's own. For more fine-grained permission control, see Create a custom service role.
Create a custom service role
You can create a service role in the RAM console and grant permissions to the service role. For more information, see Create a service-linked role.
In the Select Role Type step of the Create Role wizard, select Alibaba Cloud Service as the trusted entity type.
Enter a name in the RAM Role Name field, select Normal Service Role for Role Type, and select Intelligent Media Management from the Select Trusted Service drop-down list.
Click OK. The service role is created.
Grant permissions to the service role. At this point, the service role does not have any permissions. You must grant at least the permissions on OSS and Message Service (MNS) that IMM needs.
You can create a policy and specify JSON permission data in the policy.
The following sample policy grants access only to the OSS bucket named my-bucket. Bucket-level actions such as oss:PutBucketLifecycle, oss:PutBucketNotification, and oss:List* apply to the bucket resource itself (acs:oss:*:*:my-bucket), whereas object-level actions such as oss:PutObject apply to the objects in the bucket (acs:oss:*:*:my-bucket/*), so both resources are listed. When you use the sample policy, replace my-bucket with your bucket name.
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:Get*",
                "oss:List*",
                "oss:PutBucketLifecycle",
                "oss:PutBucketNotification",
                "oss:DeleteBucketNotification",
                "oss:PutBucketAcl",
                "oss:PutObjectAcl",
                "oss:CopyObject",
                "oss:AppendObject",
                "oss:PutSymlink",
                "oss:PutObject",
                "oss:StartEventRecord",
                "oss:StopEventRecord",
                "oss:GetEventRecordStatus"
            ],
            "Resource": [
                "acs:oss:*:*:my-bucket",
                "acs:oss:*:*:my-bucket/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": "mns:*",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:PassRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "acs:Service": "imm.aliyuncs.com"
                }
            }
        }
    ]
}
Attach the policy to the service role. For more information, see Grant permissions to a RAM role.
Use the service role
Click the refresh icon next to the Service Role field in the Create Project panel. Select the created service role.
(Optional) Modify the permissions of the service role
You can modify the permissions of the service role in the RAM console. For more information, see Grant permissions to a RAM role.
To prevent IMM operations from failing due to insufficient permissions, make sure that the service role keeps at least the required permissions on OSS and MNS after you modify it.
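The two checks a practitioner wants before attaching or modifying a custom service role are the ones the custom-role procedure and the note above describe: does the permission policy still grant the OSS and MNS actions IMM needs, scoped to one bucket, and does the role's trust policy let only imm.aliyuncs.com assume it. The following script is an added example, not Alibaba Cloud's own tooling: it parses policy JSON offline and calls no API. The required-action list is the one from the sample policy; the sample permission and trust policies embedded below are constructed, and the probe ARNs for "a sample object" and "some other bucket" are assumptions used only to test resource scope.

```python
"""Offline checks for an IMM custom service role (example code, not Alibaba
Cloud's own): verify the permission policy grants the OSS/MNS actions IMM
needs for one bucket, and that the trust policy admits only imm.aliyuncs.com."""
import json
from fnmatch import fnmatchcase

IMM_SERVICE = "imm.aliyuncs.com"
# OSS actions listed in the sample policy as the minimum for the service role.
REQUIRED_OSS_ACTIONS = [
    "oss:Get*", "oss:List*", "oss:PutBucketLifecycle", "oss:PutBucketNotification",
    "oss:DeleteBucketNotification", "oss:PutBucketAcl", "oss:PutObjectAcl",
    "oss:CopyObject", "oss:AppendObject", "oss:PutSymlink", "oss:PutObject",
    "oss:StartEventRecord", "oss:StopEventRecord", "oss:GetEventRecordStatus",
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]


def _action_covers(pattern, action):
    """RAM action matching: case-insensitive; a trailing '*' matches any suffix."""
    p, a = pattern.lower(), action.lower()
    return a.startswith(p[:-1]) if p.endswith("*") else p == a


def _any_covers(patterns, action):
    return any(_action_covers(p, action) for p in patterns)


def check_permission_policy(policy, bucket):
    """Return findings for the role's permission policy against one bucket."""
    bucket_arn = f"acs:oss:*:*:{bucket}"
    object_arn = f"{bucket_arn}/sample-object"     # assumed probe: an object in the bucket
    other_arn = f"acs:oss:*:*:{bucket}-other"       # assumed probe: a different bucket
    oss_actions, oss_resources = [], []
    mns_granted = passrole_scoped = False
    for stmt in _allow_statements(policy):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.lower().startswith("oss:") for a in actions):
            oss_actions += actions
            oss_resources += resources
        if any(a == "*" or a.lower().startswith("mns:") for a in actions):
            mns_granted = True
        if _any_covers(actions, "ram:PassRole"):
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            passrole_scoped = _as_list(cond.get("acs:Service", [])) == [IMM_SERVICE]
    return {
        "missing_oss_actions": [a for a in REQUIRED_OSS_ACTIONS if not _any_covers(oss_actions, a)],
        # Bucket-level calls (lifecycle, notification, listing) need the bucket ARN itself;
        # object-level calls need the "<bucket>/*" form.  Resources are matched as globs.
        "has_bucket_resource": any(fnmatchcase(bucket_arn, r) for r in oss_resources),
        "has_object_resource": any(fnmatchcase(object_arn, r) for r in oss_resources),
        "over_broad_oss_resources": [r for r in oss_resources if fnmatchcase(other_arn, r)],
        "mns_granted": mns_granted,
        "passrole_scoped_to_imm": passrole_scoped,
    }


def check_trust_policy(trust_policy):
    """Return the set of principals allowed to call sts:AssumeRole on the role."""
    principals = set()
    for stmt in _allow_statements(trust_policy):
        if not _any_covers(_as_list(stmt.get("Action", [])), "sts:AssumeRole"):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            principals.add("*")
            continue
        for kind in ("Service", "RAM", "Federated"):
            principals.update(_as_list(principal.get(kind, [])))
    return principals


def trust_limited_to_imm(trust_policy):
    return check_trust_policy(trust_policy) == {IMM_SERVICE}


# Constructed sample: the page's policy for bucket "my-bucket" with bucket and object ARNs.
SAMPLE_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Action": ["oss:Get*", "oss:List*", "oss:PutBucketLifecycle", "oss:PutBucketNotification",
                "oss:DeleteBucketNotification", "oss:PutBucketAcl", "oss:PutObjectAcl",
                "oss:CopyObject", "oss:AppendObject", "oss:PutSymlink", "oss:PutObject",
                "oss:StartEventRecord", "oss:StopEventRecord", "oss:GetEventRecordStatus"],
     "Resource": ["acs:oss:*:*:my-bucket", "acs:oss:*:*:my-bucket/*"], "Effect": "Allow"},
    {"Action": "mns:*", "Resource": "*", "Effect": "Allow"},
    {"Action": "ram:PassRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"acs:Service": "imm.aliyuncs.com"}}}
  ]
}""")
# Constructed sample: the trust policy a role gets when IMM is the trusted service.
SAMPLE_TRUST = {"Version": "1", "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                                               "Principal": {"Service": ["imm.aliyuncs.com"]}}]}

if __name__ == "__main__":
    print(json.dumps(check_permission_policy(SAMPLE_POLICY, "my-bucket"), indent=2))
    print("assumable only by IMM:", trust_limited_to_imm(SAMPLE_TRUST))
```

Run it against the JSON you export from the RAM console before attaching a modified policy: an empty missing_oss_actions list with both resource flags true and mns_granted true is the "at least OSS and MNS" condition the note above asks for, while a non-empty over_broad_oss_resources list or a trust policy whose principals are not exactly imm.aliyuncs.com means the role grants more than the custom-role procedure intends.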