The permission management mechanisms of Alibaba Cloud include Resource Access Management (RAM) and Security Token Service (STS). You can access Intelligent Media Management (IMM) as a RAM user that is granted only the permissions it needs, or by using temporary access credentials that are issued by STS. RAM and STS make permission management and access control more flexible and secure than sharing the AccessKey pair of the Alibaba Cloud account.
Background information
One of the core benefits of RAM and STS is that they improve account security by allowing access to data within an Alibaba Cloud account without exposing the AccessKey pair of the account itself. The Alibaba Cloud account has full permissions on every resource in the account, and those permissions cannot be restricted by RAM policies, so an attacker who obtains its AccessKey pair controls everything in the account. Never embed the AccessKey pair of the Alibaba Cloud account in applications or distribute it to users.
RAM
RAM is a service provided by Alibaba Cloud to manage user identities and resource access permissions. RAM allows you to create and manage multiple identities for an Alibaba Cloud account, and grant permissions to a single identity or a group of identities. This way, you can authorize different identities to access different Alibaba Cloud resources. For more information, see What is RAM?
RAM provides a long-term permission management mechanism: you create RAM users and grant each of them the permissions it needs. If the AccessKey pair of a RAM user is leaked, the exposure is limited to the permissions granted to that user. RAM users and their AccessKey pairs remain valid until you disable or delete them, so treat the AccessKey pairs as long-lived secrets: keep them confidential, rotate them regularly, and do not embed them in client-side code.
STS
STS allows you to manage temporary access to your Alibaba Cloud resources. You can use STS to grant temporary access tokens with custom validity periods and access permissions to RAM entities such as RAM users and RAM roles. For more information, see What is STS?
In contrast to the long-term mechanism provided by RAM, STS provides temporary authorization: a temporary AccessKey pair plus a security token that together allow access to IMM for a limited period. The token carries only the permissions of the role that is assumed, optionally narrowed further by a session policy that you pass in the AssumeRole call, and it expires at the end of the validity period. The damage that a leaked token can cause is therefore bounded in both scope and time. A leaked token does remain usable until it expires, so keep validity periods as short as your workload allows.
Grant permissions to a RAM user
To improve data security and permission control, we recommend that you access the IMM service as a RAM user rather than with the AccessKey pair of the Alibaba Cloud account.
Create a RAM user. For more information, see Create a RAM user.
Grant permissions to the RAM user based on your business requirements. For more information, see Grant permissions to a RAM user.
If you want to manage the IMM service, such as creating projects, attach the AliyunIMMFullAccess policy to the RAM user.
If you need only the read-only permissions on the IMM service to view information such as projects, attach the AliyunIMMReadOnlyAccess policy to the RAM user.
Enable multi-factor authentication (MFA) for the RAM user. For more information, see Bind an MFA device to a RAM user.
Grant temporary access
Create a RAM role and grant permissions to the role.
Create a RAM role for a trusted Alibaba Cloud account. The trusted account is the account whose RAM users are allowed to assume the role; it can be your own account. For more information, see Create a RAM role for a trusted Alibaba Cloud account.
Create a custom policy that describes the IMM permissions that the role needs. For more information, see Create custom policies.
Note: To implement fine-grained permission control, you can customize the permissions of a policy. For more information, see Custom policies for IMM.
Attach the policy to the RAM role. For more information, see Grant permissions to a RAM role.
Allow a RAM user to assume the role.
Create a custom policy that allows the sts:AssumeRole action on the role. Grant this to the RAM user only for the roles that it actually needs; a RAM user with sts:AssumeRole on any resource can assume every role that trusts the account. For more information, see Create custom policies.
Attach that policy to the RAM user that will assume the role. For more information, see Grant permissions to a RAM user.
Call the AssumeRole operation with the AccessKey pair of the RAM user to obtain temporary access credentials (an AccessKey ID, an AccessKey secret, and a security token) from STS. For more information, see AssumeRole.
Use temporary permissions to read and write data.
You can use the temporary credentials to call the SDKs for different programming languages to access IMM. The security token must be passed together with the temporary AccessKey pair; a request that carries the temporary AccessKey pair without the token is rejected. The credentials expire at the end of the validity period that you specified in the AssumeRole call, so your application must obtain new credentials before that time. The following sample code provides an example on how to use IMM SDK for Java to create an IAcsClient object based on the AccessKey ID, AccessKey secret, and token obtained from STS:
import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.IAcsClient;
import com.aliyuncs.profile.DefaultProfile;
// stsAccessKeyId, stsAccessKeySecret and stsToken are the values returned by AssumeRole
DefaultProfile profile = DefaultProfile.getProfile("cn-shanghai", stsAccessKeyId, stsAccessKeySecret, stsToken);
IAcsClient client = new DefaultAcsClient(profile);
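The following is an added example that is not part of the original page or of the IMM SDK. It walks through the STS step of the procedure above using only the Python standard library instead of the official SDK: it builds a session policy that narrows the assumed role to one project, assembles and signs the AssumeRole request with the RPC-style HMAC-SHA1 signature used by the STS 2015-04-01 API, and validates the credentials in the response before they are handed to an IMM client. The account ID, the role name imm-temp-reader, the AccessKey values and the sample response are placeholders constructed for the example.

```python
"""Added example: STS AssumeRole for IMM with a scoped-down session policy (stdlib only).
Account ID, role name, keys and the sample response below are placeholders."""
import base64
import hashlib
import hmac
import json
import urllib.parse
import uuid
from datetime import datetime, timezone

STS_ENDPOINT = "https://sts.aliyuncs.com/"
ACCOUNT_ID = "150910xxxxxxxxxx"                           # placeholder account ID used on the page
ROLE_ARN = f"acs:ram::{ACCOUNT_ID}:role/imm-temp-reader"  # assumed role name, not from the page


def session_policy(project, actions, region="cn-shanghai", account_id=ACCOUNT_ID):
    """Build the optional Policy parameter of AssumeRole.
    The token's effective permissions are the intersection of the role's own policies
    and this policy, so one broad role can be narrowed to a single project per job."""
    return json.dumps({"Version": "1", "Statement": [{
        "Effect": "Allow",
        "Action": sorted(actions),
        "Resource": f"acs:imm:{region}:{account_id}:project/{project}",
    }]}, separators=(",", ":"))


def _pct(value):
    # RFC 3986 percent-encoding: only A-Z a-z 0-9 - _ . ~ stay literal.
    return urllib.parse.quote(str(value), safe="")


def sign_request(params, access_key_secret, method="GET"):
    """Signature = Base64(HMAC-SHA1(secret + "&", Method & pct("/") & pct(sorted query))).
    The Signature parameter itself is excluded from the string to sign."""
    canonical = "&".join(f"{_pct(k)}={_pct(v)}" for k, v in sorted(params.items()) if k != "Signature")
    string_to_sign = f"{method}&{_pct('/')}&{_pct(canonical)}"
    mac = hmac.new((access_key_secret + "&").encode(), string_to_sign.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def build_assume_role_url(access_key_id, access_key_secret, role_arn, session_name,
                          policy=None, duration_seconds=900, timestamp=None, nonce=None):
    """Assemble the signed AssumeRole request URL. The caller performs the HTTPS GET."""
    params = {
        "Action": "AssumeRole",
        "Version": "2015-04-01",
        "Format": "JSON",
        "AccessKeyId": access_key_id,               # the RAM user's long-term key, never the account's
        "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0",
        "SignatureNonce": nonce or str(uuid.uuid4()),  # replay protection; must differ per request
        "Timestamp": timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "RoleArn": role_arn,
        "RoleSessionName": session_name,            # recorded in audit logs; identify the caller
        "DurationSeconds": str(duration_seconds),   # keep tokens as short as the job allows
    }
    if policy is not None:
        params["Policy"] = policy
    params["Signature"] = sign_request(params, access_key_secret)
    return STS_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_credentials(response_body, now=None):
    """Return (AccessKeyId, AccessKeySecret, SecurityToken, expiry) from an AssumeRole response.
    Raises on an error response and on credentials that have already expired."""
    body = json.loads(response_body)
    if "Credentials" not in body:
        raise RuntimeError(f"AssumeRole failed: {body.get('Code')}: {body.get('Message')}")
    creds = body["Credentials"]
    expires = datetime.strptime(creds["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if expires <= (now or datetime.now(timezone.utc)):
        raise RuntimeError("temporary credentials already expired; call AssumeRole again")
    return creds["AccessKeyId"], creds["AccessKeySecret"], creds["SecurityToken"], expires


# Constructed sample in the documented AssumeRole response shape (not captured from STS).
SAMPLE_RESPONSE = json.dumps({
    "RequestId": "00000000-0000-0000-0000-000000000000",
    "AssumedRoleUser": {"Arn": ROLE_ARN + "/imm-indexer", "AssumedRoleId": "placeholder"},
    "Credentials": {"AccessKeyId": "STS.placeholder", "AccessKeySecret": "placeholder-secret",
                    "SecurityToken": "placeholder-token", "Expiration": "2099-01-01T00:00:00Z"},
})

if __name__ == "__main__":
    policy = session_policy("imm-test-doc-proj", ["imm:GetProject", "imm:ListDatasets"])
    print(build_assume_role_url("LTAI_placeholder", "placeholder-secret", ROLE_ARN, "imm-indexer", policy))
    print(parse_credentials(SAMPLE_RESPONSE)[0])
```

The three values returned by parse_credentials are the stsAccessKeyId, stsAccessKeySecret and stsToken that the Java snippet above passes to DefaultProfile.getProfile; the returned expiry is what a long-running job should check before each batch so that it re-assumes the role instead of failing mid-way with an expired token.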
Configure a custom RAM policy
You can use custom RAM policies to control user permissions. The following table describes the main components of a RAM policy statement.
Parameter | Description |
Effect | The effect on a requested action. Valid values: Allow and Deny. If a Deny statement matches a request, the request is rejected even if another statement allows it, so a Deny statement can serve as a guardrail on top of broad Allow statements. |
Action | The IMM API operation. The value of this parameter follows the imm:OperationName format, for example imm:ListProjects. The asterisk (*) wildcard is supported, for example imm:List* matches all List operations. |
Resource | The IMM resource that the statement applies to. IMM project resources use the acs:imm:{region}:{account-id}:project/{project-name} format, and datasets within a project use the acs:imm:{region}:{account-id}:project/{project-name}/dataset/{dataset-name} format. Use an asterisk (*) in the region field to cover all regions, or as a suffix of a name to cover a group of resources. |
For more information, see Create custom policies.
Examples
Grant full access
You can use a RAM policy to grant full access to IMM. The following sample code grants full access to IMM. Attach a policy like this only to identities that administer IMM; application identities should receive one of the scoped policies shown in the later examples:
{
"Version": "1",
"Statement": [
{
"Action": "imm:*",
"Resource": "*",
"Effect": "Allow"
}
]
}
Grant access using wildcard characters
You can use asterisks (*) in a RAM policy for batch authorization. The following sample code grants read-only access permissions on all the projects whose names start with imm-test-doc, in all the supported regions. Replace 150910xxxxxxxxxx with the ID of your own Alibaba Cloud account:
{
"Statement": [
{
"Effect": "Allow",
"Action": ["imm:List*", "imm:Get*"],
"Resource": "acs:imm:*:150910xxxxxxxxxx:project/imm-test-doc*"
}
],
"Version": "1"
}
Grant specific access permissions on specific projects
The following sample code grants the permissions to:
Call the ListProjects operation.
Call the CreateOfficeConversionTask operation to convert the format of documents in the imm-test-doc-proj project in the China (Shanghai) region.
Call the CreateFigureClusteringTask and CreateFigureClustersMergingTask operations on data in the imm-test-media-proj project in the China (Shanghai) region.
{
"Statement": [
{
"Effect": "Allow",
"Action": ["imm:ListProjects"],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": ["imm:CreateOfficeConversionTask"],
"Resource": "acs:imm:cn-shanghai:150910xxxxxxxxxx:project/imm-test-doc-proj"
},
{
"Effect": "Allow",
"Action": ["imm:CreateFigureClusteringTask", "imm:CreateFigureClustersMergingTask"],
"Resource": "acs:imm:cn-shanghai:150910xxxxxxxxxx:project/imm-test-media-proj"
}
],
"Version": "1"
}
Grant specific access permissions on specific datasets
The following sample code grants the permissions to:
Call the ListDatasets operation.
Call the IndexFileMeta operation on the dataset1 dataset of the imm-test-doc-proj project in the China (Shanghai) region.
Call the CreateFigureClusteringTask and CreateFigureClustersMergingTask operations on the dataset1 dataset of the imm-test-media-proj project in the China (Shanghai) region.
{
"Statement": [
{
"Effect": "Allow",
"Action": ["imm:ListDatasets"],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": ["imm:IndexFileMeta"],
"Resource": "acs:imm:cn-shanghai:150910xxxxxxxxxx:project/imm-test-doc-proj/dataset/dataset1"
},
{
"Effect": "Allow",
"Action": ["imm:CreateFigureClusteringTask", "imm:CreateFigureClustersMergingTask"],
"Resource": "acs:imm:cn-shanghai:150910xxxxxxxxxx:project/imm-test-media-proj/dataset/dataset1"
}
],
"Version": "1"
}
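The following is an added example that is not part of the original page and is not Alibaba Cloud's policy evaluator. It is a small offline model of the Action and Resource matching described in the table above, useful for checking what a custom policy grants before you attach it: it handles the asterisk and question-mark wildcards, Action and Resource given as a string or a list, and the rule that a matching Deny statement overrides any Allow. Condition keys are not modelled. The policies embedded in the block are the wildcard and dataset examples from this page plus a Deny guardrail written for the example; imm:Delete*, imm:GetProject and imm:CreateProject are used as illustrative operation names.

```python
"""Added example: offline check of what an IMM RAM policy grants.
A model of RAM Action/Resource matching and Deny precedence, not the real evaluator;
Condition keys are ignored. Policies are the page's examples plus an added Deny guardrail."""
import re


def _wildcard(pattern, ignore_case):
    # "*" matches any run of characters (including none), "?" exactly one; the rest is literal.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE if ignore_case else 0)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policies, action, resource):
    """Return "Deny", "Allow" or "NoMatch" for one (action, resource) request.
    A matching Deny wins immediately; otherwise any matching Allow grants the request;
    a request matching no statement is implicitly denied. Actions are compared
    case-insensitively and resource strings case-sensitively (an assumption of this model)."""
    decision = "NoMatch"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_wildcard(a, True).match(action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_wildcard(r, False).match(resource) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def is_allowed(policies, action, resource):
    return evaluate(policies, action, resource) == "Allow"


def report(policies, requests):
    """Tabulate decisions for (action, resource) pairs; handy when reviewing a policy change."""
    return {(a, r): evaluate(policies, a, r) for a, r in requests}


ACCOUNT = "150910xxxxxxxxxx"  # placeholder account ID used throughout the page

# Read-only access to projects whose names start with imm-test-doc, in any region (from the page).
READ_DOC_PROJECTS = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["imm:List*", "imm:Get*"],
     "Resource": f"acs:imm:*:{ACCOUNT}:project/imm-test-doc*"}]}

# Dataset-scoped permissions (from the page).
DATASET_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["imm:ListDatasets"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["imm:IndexFileMeta"],
     "Resource": f"acs:imm:cn-shanghai:{ACCOUNT}:project/imm-test-doc-proj/dataset/dataset1"},
    {"Effect": "Allow", "Action": ["imm:CreateFigureClusteringTask", "imm:CreateFigureClustersMergingTask"],
     "Resource": f"acs:imm:cn-shanghai:{ACCOUNT}:project/imm-test-media-proj/dataset/dataset1"}]}

# Full access (from the page).
FULL_ACCESS = {"Version": "1", "Statement": [{"Action": "imm:*", "Resource": "*", "Effect": "Allow"}]}

# Added guardrail: a Deny on destructive operations overrides the Allow above for those actions.
NO_DELETE = {"Version": "1", "Statement": [{"Effect": "Deny", "Action": "imm:Delete*", "Resource": "*"}]}

if __name__ == "__main__":
    doc = f"acs:imm:cn-shanghai:{ACCOUNT}:project/imm-test-doc-proj"
    media = f"acs:imm:cn-shanghai:{ACCOUNT}:project/imm-test-media-proj"
    checks = [("imm:GetProject", doc), ("imm:GetProject", media), ("imm:CreateProject", doc)]
    for request, decision in report([READ_DOC_PROJECTS], checks).items():
        print(decision, request)
    for request, decision in report([FULL_ACCESS, NO_DELETE], [("imm:DeleteProject", doc)]).items():
        print(decision, request)
```

Running the same checks against DATASET_POLICY shows why the resource string must match the dataset path exactly: IndexFileMeta on acs:imm:cn-shanghai:150910xxxxxxxxxx:project/imm-test-doc-proj/dataset/dataset1 is allowed, while the same action on the project resource without the /dataset/dataset1 suffix, or on dataset1 of imm-test-media-proj, matches no statement and is denied.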