Intelligent Media Management: Grant permissions to a RAM user

Last Updated: Dec 09, 2024

The permission management mechanisms of Alibaba Cloud include Resource Access Management (RAM) and Security Token Service (STS). You can access Intelligent Media Management (IMM) as a RAM user with intended permissions or by using temporary access credentials that are provided by STS. RAM and STS make permission management and access control more flexible and secure.

Background information

One of the core benefits of RAM and STS is that they help improve account security by allowing temporary access to data within an Alibaba Cloud account without exposing the AccessKey pair of the account. An attacker that has the AccessKey pair of an Alibaba Cloud account has access to all resources within the account and can cause significant security consequences.

  • RAM

    • RAM is a service provided by Alibaba Cloud to manage user identities and resource access permissions. RAM allows you to create and manage multiple identities for an Alibaba Cloud account, and grant permissions to a single identity or a group of identities. This way, you can authorize different identities to access different Alibaba Cloud resources. For more information, see What is RAM?

    • RAM provides a long-term permission management mechanism: you create RAM users and grant each of them different permissions. This way, if the AccessKey pair of a RAM user is leaked, the exposure is limited to what that user is authorized to access. RAM users generally remain valid for a long period of time, so the AccessKey pairs of RAM users must be kept confidential.

  • STS

    • STS allows you to manage temporary access to your Alibaba Cloud resources. You can use STS to grant temporary access tokens with custom validity periods and access permissions to RAM entities such as RAM users and RAM roles. For more information, see What is STS?

    • In contrast to the long-term permission management mechanism provided by RAM, STS provides temporary authorization: a temporary AccessKey pair and a security token that allow time-limited access to IMM. STS credentials carry strictly scoped permissions and expire after a limited period of time. Therefore, even if the credentials are leaked, the impact on your system is limited.

Grant permissions to a RAM user

To improve data security and permission control, we recommend that you use the IMM service as a RAM user.

  1. Create a RAM user. For more information, see Create a RAM user.

  2. Grant permissions to the RAM user based on your business requirements. For more information, see Grant permissions to a RAM user.

    • If you want to manage the IMM service, such as creating projects, attach the AliyunIMMFullAccess policy to the RAM user.

    • If you need only the read-only permissions on the IMM service to view information such as projects, attach the AliyunIMMReadOnlyAccess policy to the RAM user.

  3. Enable multi-factor authentication (MFA) for the RAM user. For more information, see Bind an MFA device to a RAM user.

Grant temporary access

  1. Create a temporary role and grant permissions to the role.

    1. Create a RAM role for a trusted Alibaba Cloud account. For more information, see Create a RAM role for a trusted Alibaba Cloud account.

    2. Create a custom policy. For more information, see Create custom policies.

      Note

      To implement fine-grained permission control, you can customize the permissions of a policy. For more information, see Custom policies for IMM.

    3. Grant permissions to the temporary role. For more information, see Grant permissions to a RAM role.

  2. Grant temporary access permissions.

    1. Create a custom policy. For more information, see Create custom policies.

    2. Grant permissions to the temporary role that the RAM user assumes. For more information, see Grant permissions to a RAM user.

  3. Obtain temporary access credentials from STS. For more information, see AssumeRole.

  4. Use temporary permissions to read and write data.

    You can use the temporary permissions to call the SDKs for different programming languages to access IMM. The following sample code shows how to use IMM SDK for Java to create an IAcsClient object from the AccessKey ID, AccessKey secret, and security token returned by STS:

    // com.aliyuncs.profile.DefaultProfile: the region plus the temporary AccessKey ID, AccessKey secret and security token returned by AssumeRole
    DefaultProfile profile = DefaultProfile.getProfile("cn-shanghai", stsAccessKeyId, stsAccessKeySecret, stsToken);
    // com.aliyuncs.DefaultAcsClient signs IMM requests with these credentials until the token expires
    IAcsClient client = new DefaultAcsClient(profile);

Configure a custom RAM policy

You can use custom RAM policies to control user permissions. The main components of a RAM policy are described below.

  • Effect: the effect on a requested action. Valid values:

    • Allow: allows the action.

    • Deny: denies the action.

  • Action: the IMM API operation. The value of this parameter follows the imm:<action> format. Example: imm:CreateOfficeConversionTask. For a list of supported actions, see List of operations by function.

  • Resource: the IMM resource that the statement applies to. IMM has only project resources, optionally narrowed to a dataset within a project, in the acs:imm:<region-id>:<uid>:project/<project> or acs:imm:<region-id>:<uid>:project/<project>/dataset/<dataset> format. Examples: acs:imm:cn-shanghai:150910xxxxxxxxxx:project/imm-test-doc-proj and acs:imm:cn-shanghai:150910xxxxxxxxxx:project/imm-test-photos/dataset/dataset1. Field description:

    • region-id: the region ID. Examples: cn-shanghai and cn-beijing.

    • uid: the account ID. You can view your account ID on the Overview page of the account center.

    • project: the project name specified when the project was created. You can obtain the name of a project in the IMM console.

      Note

      For project-level operations such as CreateProject and ListProjects, which do not apply to a specific resource, you must set Resource to *.

    • dataset: the name of the dataset. You can call the ListDatasets operation to query dataset names.

For more information, see Create custom policies.

Examples

Grant full access

You can use a RAM policy to grant full access to IMM. The following sample code grants full access to IMM:

{
    "Version": "1",
    "Statement": [
        {
            "Action": "imm:*",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Grant access using wildcard characters

You can use asterisks (*) in a RAM policy for batch authorization.

The following sample code grants read-only access permissions on all the projects that start with imm-test-doc in all the supported regions:

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["imm:List*", "imm:Get*"],
            "Resource": "acs:imm:*:150910xxxxxxxxxx:project/imm-test-doc*"
        }
    ],
    "Version": "1"
}
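As an added example (not code from this page or from Alibaba Cloud), the following Python parses the IMM resource format described above and evaluates (action, resource) requests against a policy, including the asterisk wildcard matching used in the examples on this page. The sample policy and its account ID are constructed, and the evaluation applies the RAM rule that an explicit Deny overrides any Allow.

```python
"""Parse IMM resource ARNs and evaluate IMM RAM policy statements offline."""
import json
import re

# Resource format from the page: acs:imm:<region-id>:<uid>:project/<project>,
# optionally followed by /dataset/<dataset>.
_ARN = re.compile(r"^acs:imm:(?P<region>[^:]+):(?P<uid>[^:]+):project/"
                  r"(?P<project>[^/]+)(?:/dataset/(?P<dataset>[^/]+))?$")

# Constructed sample policy in the page's format; the account ID is a placeholder.
SAMPLE_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": ["imm:List*", "imm:Get*"],
     "Resource": "acs:imm:*:150910xxxxxxxxxx:project/imm-test-doc*"},
    {"Effect": "Allow", "Action": ["imm:ListProjects"], "Resource": "*"},
    {"Effect": "Deny", "Action": "imm:GetProject",
     "Resource": "acs:imm:cn-beijing:150910xxxxxxxxxx:project/*"}
  ]
}""")

def parse_resource(arn):
    """Return the ARN fields as a dict (dataset is None if absent), or None if malformed."""
    m = _ARN.match(arn)
    return m.groupdict() if m else None

def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _matches(pattern, value):
    """RAM-style wildcard match: '*' matches any run of characters, all else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def is_allowed(policy, action, resource):
    """Allow wins only if no matching statement denies (RAM's Deny-overrides rule);
    a request that matches no statement is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Feed it a policy you are about to attach and the exact calls your workload makes to confirm that nothing beyond the intended projects and datasets is reachable before the policy goes live.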

Grant specific access permissions on specific projects

The following sample code grants the permissions to:

  • Call the ListProjects operation.

  • Call the CreateOfficeConversionTask operation to convert the format of documents in the imm-test-doc-proj project in the China (Shanghai) region.

  • Call the CreateFigureClusteringTask and CreateFigureClustersMergingTask operations on data in the imm-test-media-proj project in the China (Shanghai) region.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["imm:ListProjects"],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": ["imm:CreateOfficeConversionTask"],
            "Resource": "acs:imm:cn-shanghai:150910xxxxxxxxxx:project/imm-test-doc-proj"
        },
        {
            "Effect": "Allow",
            "Action": ["imm:CreateFigureClusteringTask", "imm:CreateFigureClustersMergingTask"],
            "Resource": "acs:imm:cn-shanghai:150910xxxxxxxxxx:project/imm-test-media-proj"
        }
    ],
    "Version": "1"
}

Grant specific access permissions on specific datasets

The following sample code grants the permissions to:

  • Call the ListDatasets operation.

  • Call the IndexFileMeta operation on the dataset1 dataset in the imm-test-doc-proj project in the China (Shanghai) region.

  • Call the CreateFigureClusteringTask and CreateFigureClustersMergingTask operations on data in the dataset1 dataset in the imm-test-media-proj project in the China (Shanghai) region.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["imm:ListDatasets"],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": ["imm:IndexFileMeta"],
            "Resource": "acs:imm:cn-shanghai:150910xxxxxxxxxx:project/imm-test-doc-proj/dataset/dataset1"
        },
        {
            "Effect": "Allow",
            "Action": ["imm:CreateFigureClusteringTask", "imm:CreateFigureClustersMergingTask"],
            "Resource": "acs:imm:cn-shanghai:150910xxxxxxxxxx:project/imm-test-media-proj/dataset/dataset1"
        }
    ],
    "Version": "1"
}