By default, resources in Alibaba Cloud Object Storage Service (OSS) are private. If your partners want to use your OSS resources for media asset editing, you can add a bucket policy to authorize them to access the OSS bucket in which the OSS resources are stored.
Background information
Company B needs to use the files of Company A stored in an OSS bucket as editing materials. However, Company A does not want to set the OSS bucket to a public-read bucket or copy the files to Company B. In this case, Company A can add a bucket policy to authorize Company B to access the OSS bucket. Then, Company B can reference these materials stored in the OSS bucket in the timeline.
Add a bucket policy to authorize a user to access an OSS bucket
Intelligent Media Services (IMS) assumes the AliyunICEDefaultRole role to access OSS objects of customers. Company A authorizes Company B to access an OSS bucket. This way, the AliyunICEDefaultRole role of Company B can access the OSS bucket of Company A. Company A performs the following steps:
1. Obtain the ID of an Alibaba Cloud account that belongs to Company B.
   Company B logs on to the Alibaba Cloud Management Console by using an Alibaba Cloud account, moves the pointer over the profile picture in the upper-right corner of the console homepage, and then views and records the ID of the Alibaba Cloud account.
2. Authorize the AliyunICEDefaultRole role of Company B to access the resources in an OSS bucket.
   a. Log on to the OSS console.
   b. On the Buckets page, click the name of the bucket that you want to manage.
   c. In the left-side navigation tree, choose Permission Control > Bucket Policy.
   d. On the Bucket Policy tab, click Add in GUI and then click Authorize.
   e. In the Authorize panel, set the Authorized User parameter to Other Accounts and enter the following role ID with the "Alibaba Cloud account ID of Company B" variable replaced by the ID obtained in Step 1:
      arn:sts::Alibaba Cloud account ID of Company B:assumed-role/AliyunICEDefaultRole/*
   f. Configure other parameters. For more information, see Configure bucket policies to authorize other users to access OSS resources.
   g. Click OK.
Advanced configurations
Multi-account authorization: After you set the Authorized User parameter to Other Accounts, you can enter multiple IDs in the Other Accounts field. This way, the owners of multiple Alibaba Cloud accounts are authorized to access the resources stored in the OSS bucket for media asset editing.
Operation permissions: If you set the Authorized Operation parameter to Read-Only (excluding ListObject) or Read-Only (including ListObject), Company B can use the materials in the OSS bucket only as input resources. If you set the Authorized Operation parameter to Read/Write, Company B can write the output video to the OSS bucket.
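The authorization procedure and the multi-account and operation-permission options above can also be expressed as a policy document. The following Python sketch is an added example, not code from this page or from Alibaba Cloud: it builds such a policy for several partner accounts and audits it for principals that are broader than the IMS role. The account IDs and bucket name are constructed, and the mapping from the console's Authorized Operation choices to OSS actions, as well as the helper names, are assumptions.

```python
import json
import re

ROLE = "AliyunICEDefaultRole"  # role name given on this page
# Assumed mapping of the console's Authorized Operation choices to OSS actions.
ACTIONS = {
    "read-only": ["oss:GetObject"],
    "read-only-list": ["oss:GetObject", "oss:ListObjects"],
    "read-write": ["oss:GetObject", "oss:ListObjects", "oss:PutObject"],
}

def role_principal(account_id):
    """Build the role ARN from the page for one partner account ID."""
    # Accept digits only, so "*" or a pasted ARN cannot widen the grant.
    if not re.fullmatch(r"\d+", str(account_id)):
        raise ValueError(f"not a numeric account ID: {account_id!r}")
    return f"arn:sts::{account_id}:assumed-role/{ROLE}/*"

def build_policy(owner_id, bucket, partner_ids, mode="read-only"):
    """Return a bucket policy granting the IMS role of each partner access."""
    actions = ACTIONS[mode]
    resources = [f"acs:oss:*:{owner_id}:{bucket}/*"]
    if "oss:ListObjects" in actions:
        # Listing is a bucket-level operation, so the bucket itself is included.
        resources.append(f"acs:oss:*:{owner_id}:{bucket}")
    return {"Version": "1", "Statement": [{
        "Effect": "Allow",
        "Action": actions,
        "Principal": [role_principal(p) for p in partner_ids],
        "Resource": resources,
    }]}

def audit(policy):
    """Return Allow principals that are not scoped to the IMS role of one account."""
    scoped = re.compile(rf"arn:sts::\d+:assumed-role/{ROLE}/\*")
    return [p for s in policy["Statement"] if s["Effect"] == "Allow"
            for p in s.get("Principal", []) if not scoped.fullmatch(p)]

if __name__ == "__main__":
    # Constructed sample values: Company A owns the bucket, two partners read it.
    policy = build_policy("1111111111111111", "company-a-media",
                          ["2222222222222222", "3333333333333333"])
    print(json.dumps(policy, indent=2))
    print("unscoped principals:", audit(policy))
```

Running `audit` on a policy exported from the bucket shows whether any Allow statement names a principal other than a partner's AliyunICEDefaultRole.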