
Intelligent Media Services:Create a RAM role and use STS to authorize temporary access

Last Updated:Sep 24, 2024

If you want to access Intelligent Media Services (IMS) on mobile or web clients, you can use Security Token Service (STS) to authorize temporary access. This effectively prevents security risks caused by leaks of the AccessKey pairs of Resource Access Management (RAM) users. This topic describes how to use STS to authorize temporary access to IMS.

Background information

AccessKey pairs of RAM users are permanently valid after the AccessKey pairs are enabled. If the AccessKey pairs are leaked, security risks may occur. We recommend that you use STS to authorize temporary access. You can customize the validity period of temporary AccessKey pairs, specify relatively complex policies to limit the permissions of different RAM roles, and abide by the principle of least privilege to improve service access security.

Step 1: Create a RAM user and authorize the RAM user to call the AssumeRole operation

  1. Log on to the RAM console by using an Alibaba Cloud account or a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, click Create User.

  4. In the User Account Information section of the Create User page, configure the following parameters:

    • Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).

    • Display Name: The display name can be up to 128 characters in length.

    • Tag: Click the edit icon and enter a tag key and a tag value. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.

    Note

    You can click Add User to create multiple RAM users at a time.

  5. Select OpenAPI Access for the Access Mode parameter.

  6. Click OK and complete the security verification. An AccessKey pair is automatically generated for the RAM user.

  7. Click Copy in the Actions column and save the copied user information including the AccessKey ID and AccessKey secret.

    Important

    Keep the AccessKey pair secure. The AccessKey secret is displayed only when the RAM user is created. You cannot view the AccessKey secret after you close the creation page.

  8. On the Users page, find the created RAM user and click Add Permissions in the Actions column.

  9. In the Grant Permission panel, grant permissions to the RAM user.

    1. Specify the authorization scope.

      Set the Resource Scope parameter to Account. IMS does not allow you to set the Resource Scope parameter to ResourceGroup. For more information about resource groups, see Differences and relationships among the Resource Directory, Resource Group, and Tag services.

    2. Specify the principal.

      The principal is the RAM user to which you want to grant permissions.

    3. Select a policy in the Policy section.

      Select System Policy from the drop-down list, enter AliyunSTS in the search box, and then select the AliyunSTSAssumeRoleAccess policy.

    4. Click Grant permissions.

Step 2: Create a RAM role and authorize the RAM role to operate IMS resources

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click Create Role.

  4. On the Create Role page, select Alibaba Cloud Account in the Select Role Type section and click Next.

  5. Configure parameters for the RAM role.

    1. Specify RAM Role Name.

    2. Specify Note.

    3. Select Current Alibaba Cloud Account or Other Alibaba Cloud Account in the Select Trusted Alibaba Cloud Account section.

      • Current Alibaba Cloud Account: If you want a RAM user that belongs to your Alibaba Cloud account to assume the RAM role, select Current Alibaba Cloud Account.

      • Other Alibaba Cloud Account: If you want a RAM user that belongs to a different Alibaba Cloud account to assume the RAM role, select Other Alibaba Cloud Account and enter the ID of the Alibaba Cloud account. This option is provided to grant permissions on resources that belong to different Alibaba Cloud accounts. For more information, see Use a RAM role to grant permissions across Alibaba Cloud accounts.

        You can view the ID of your Alibaba Cloud account on the Security Settings page.

      Important

      If you want a specific RAM user instead of all RAM users that belong to your Alibaba Cloud account to assume the RAM role, you can use one of the following methods:

  6. Click OK.

  7. Click Add Permissions to RAM role.

  8. In the Grant Permission panel, grant permissions to the RAM role.

    1. Specify the authorization scope.

      Set the Resource Scope parameter to Account. IMS does not allow you to set the Resource Scope parameter to ResourceGroup. For more information about resource groups, see Differences and relationships among the Resource Directory, Resource Group, and Tag services.

    2. Specify the principal.

      The principal is the RAM role to which permissions are granted. By default, the current RAM role is specified. You can also specify a different RAM role.

    3. Select policies in the Policy section.

      • Use system policies

        Select System Policy from the drop-down list, enter AliyunICE in the search box, and then select system policies based on your business requirements.

        Policy | Description | API operation
        AliyunICEFullAccess | Permissions to manage and operate all IMS resources | This policy grants permissions on all operations of IMS.
        AliyunICEReadOnlyAccess | Read-only permissions on all IMS resources | This policy grants permissions on all read-only operations of IMS, such as Get, Describe, Search, and List operations.
      • Use custom policies

        Select Custom Policy from the drop-down list and select custom policies based on your business requirements. If no custom policies are available, click Create Policy. For more information, see Create custom policies or the Sample custom policies section of this topic.

      Note
      • You can attach a maximum of five policies to a RAM user at a time. If you want to attach more than five policies to a RAM user, repeat the operation.

      • To control risks, we recommend that you abide by the principle of least privilege.

      • If you want to use IMS SDK for iOS or Android, you must specify the AliyunOSSFullAccess policy or a custom Object Storage Service (OSS) policy based on your business requirements. This is because the SDK needs to upload files to OSS.

    4. Click Grant permissions.

Step 3: Use the created RAM user to call the AssumeRole operation to obtain a temporary AccessKey pair

  1. Download and integrate STS SDK. For more information about how to download STS SDK, see STS SDK overview.

  2. Call the AssumeRole operation to assume the created RAM role and obtain an STS temporary AccessKey pair.

    In this example, sample code in Java is provided. For more information about sample code in other programming languages, see STS SDK overview.

    Java

    import com.aliyuncs.DefaultAcsClient;
    import com.aliyuncs.exceptions.ClientException;
    import com.aliyuncs.http.MethodType;
    import com.aliyuncs.profile.DefaultProfile;
    import com.aliyuncs.profile.IClientProfile;
    import com.aliyuncs.sts.model.v20150401.AssumeRoleRequest;
    import com.aliyuncs.sts.model.v20150401.AssumeRoleResponse;

    /**
     * Assumes a RAM role and prints the STS temporary AccessKey pair.
     * Depends on aliyun-java-sdk-core and aliyun-java-sdk-sts.
     */
    public class TestStsService {

        public static void main(String[] args) throws Exception {
            // Only a RAM user can call the AssumeRole operation.
            // AccessKey pairs of Alibaba Cloud accounts cannot be used to initiate AssumeRole requests.
            // An AccessKey pair of an Alibaba Cloud account has access permissions on all API operations. We recommend that you use an AccessKey pair of a RAM user to call API operations or perform routine O&M.
            // In this example, the AccessKey ID and the AccessKey secret are obtained from the environment variables.
            // We recommend that you do not hard-code the AccessKey ID and the AccessKey secret in your project code. Otherwise, the AccessKey pair may be leaked and the security of resources within your account may be compromised.
            String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
            String accessKeySecret = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");

            // Request parameters for the AssumeRole operation include RoleArn, RoleSessionName, Policy, and DurationSeconds.
            // You must obtain the value of the RoleArn parameter in the RAM console.
            String roleArn = "<role-arn>";
            // The RoleSessionName parameter specifies the name of the session for the temporary token. You can use this parameter to identify users in audit logs or identify users to whom you want to issue tokens.
            // The value of the RoleSessionName parameter can contain only letters, digits, hyphens (-), and underscores (_), and cannot contain spaces.
            // For more information about the naming conventions, see the format requirements in the API reference.
            String roleSessionName = "session-name"; // Specify a custom session name.
            // Specify a policy. The temporary AccessKey pair receives only the permissions that are allowed by both this policy and the policies attached to the RAM role.
            String policy = "{\n" +
                    "  \"Version\": \"1\",\n" +
                    "  \"Statement\": [\n" +
                    "    {\n" +
                    "      \"Action\": \"ice:*\",\n" +
                    "      \"Resource\": \"*\",\n" +
                    "      \"Effect\": \"Allow\"\n" +
                    "    }\n" +
                    "  ]\n" +
                    "}";
            try {
                AssumeRoleResponse response = assumeRole(accessKeyId, accessKeySecret, roleArn, roleSessionName, policy);
                System.out.println("Expiration: " + response.getCredentials().getExpiration());
                System.out.println("Access Key Id: " + response.getCredentials().getAccessKeyId());
                System.out.println("Access Key Secret: " + response.getCredentials().getAccessKeySecret());
                System.out.println("Security Token: " + response.getCredentials().getSecurityToken());
                System.out.println("RequestId: " + response.getRequestId());
            } catch (ClientException e) {
                System.out.println("Failed to get a token.");
                System.out.println("Error code: " + e.getErrCode());
                System.out.println("Error message: " + e.getErrMsg());
            }
        }

        static AssumeRoleResponse assumeRole(String accessKeyId, String accessKeySecret, String roleArn, String roleSessionName, String policy) throws ClientException {
            // Construct a default profile.
            // Note: If you set the SysEndpoint parameter to sts.aliyuncs.com, the regionId parameter is optional. Otherwise, you must set the regionId parameter to the region in which you use STS. Example: cn-shanghai.
            // For more information, see the STS endpoints in different regions.
            IClientProfile profile = DefaultProfile.getProfile("cn-shanghai", accessKeyId, accessKeySecret);
            // Use the profile to construct a client.
            DefaultAcsClient client = new DefaultAcsClient(profile);
            // Create an AssumeRole request and configure the request parameters.
            final AssumeRoleRequest request = new AssumeRoleRequest();
            request.setSysEndpoint("sts.aliyuncs.com");
            request.setSysMethod(MethodType.POST);
            request.setRoleArn(roleArn);
            request.setRoleSessionName(roleSessionName);
            request.setPolicy(policy);
            // Initiate the request and return the response. A ClientException is propagated to the caller.
            return client.getAcsResponse(request);
        }
    }
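The following Python example is added here and is not code from the page or from the IMS SDK. It puts Step 2's least-privilege advice and Step 3's AssumeRole call together for a server that issues tokens to mobile or web clients: it builds a session policy that narrows the role's AliyunICE* grants to read-only IMS calls plus uploads under one OSS prefix, checks the RoleSessionName character rules the page states before sending a request, and tracks the Expiration field so the client is handed a new token before the old one lapses. The assume_role adapter and its keyword signature, the bucket and prefix names, the role ARN placeholder and the 5-minute refresh margin are assumptions; fake_assume_role is a constructed stand-in so the module runs offline.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Character set the page gives for RoleSessionName: letters, digits, hyphens and underscores.
SESSION_NAME_RE = re.compile(r"[A-Za-z0-9_-]+")
STS_TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # Expiration in the AssumeRole response, UTC

def build_session_policy(bucket: str, prefix: str) -> str:
    """Session policy narrowing the role's AliyunICE* grants for one mobile client:
    read-only IMS calls plus uploads under a single OSS prefix (the IMS SDK uploads to OSS)."""
    policy = {"Version": "1", "Statement": [
        {"Action": ["ice:Get*", "ice:Describe*", "ice:List*", "ice:Search*"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["oss:PutObject"],
         "Resource": "acs:oss:*:*:%s/%s/*" % (bucket, prefix), "Effect": "Allow"},
    ]}
    return json.dumps(policy)

def validate_session_name(name: str) -> str:
    """Reject a session name STS would refuse before any request is sent."""
    if not SESSION_NAME_RE.fullmatch(name):
        raise ValueError("RoleSessionName may contain only letters, digits, '-' and '_'")
    return name

def parse_expiration(value: str) -> datetime:
    return datetime.strptime(value, STS_TIME_FORMAT).replace(tzinfo=timezone.utc)

def issue_temporary_credentials(assume_role, role_arn, session_name, policy, duration_seconds=900):
    """assume_role: injected adapter around the SDK AssumeRole call (hypothetical keyword signature)."""
    response = assume_role(RoleArn=role_arn, RoleSessionName=validate_session_name(session_name),
                           Policy=policy, DurationSeconds=duration_seconds)
    creds = response["Credentials"]
    expiration = parse_expiration(creds["Expiration"])
    return {"access_key_id": creds["AccessKeyId"], "access_key_secret": creds["AccessKeySecret"],
            "security_token": creds["SecurityToken"], "expiration": expiration,
            # Hand the client a new token well before STS stops honouring this one (assumed margin).
            "refresh_after": expiration - timedelta(minutes=5)}

def needs_refresh(creds: dict, now: datetime) -> bool:
    return now >= creds["refresh_after"]

def fake_assume_role(**params):
    """Constructed offline stand-in for STS; returns the response shape, not real credentials."""
    issued = datetime(2024, 9, 24, 12, 0, 0, tzinfo=timezone.utc)
    expires = issued + timedelta(seconds=params["DurationSeconds"])
    return {"RequestId": "constructed-request-id", "Credentials": {
        "AccessKeyId": "STS.constructed-id", "AccessKeySecret": "constructed-secret",
        "SecurityToken": "constructed-token", "Expiration": expires.strftime(STS_TIME_FORMAT)}}
```

To use it against STS, wrap the SDK's AssumeRoleRequest from the Java sample above (or its Python equivalent) in a function with the same keyword signature and pass it in place of fake_assume_role.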

References

AssumeRole