Intelligent Media Services:Create a RAM user and grant permissions to the RAM user

Last Updated:Oct 17, 2024

A Resource Access Management (RAM) user is a physical identity. You can create RAM users for an Alibaba Cloud account and authorize the RAM users to access different resources.

Prerequisites

An Alibaba Cloud account is created, and real-name verification is complete. To create an Alibaba Cloud account, go to the Sign up to Alibaba Cloud page. For more information, see Create an Alibaba Cloud account.

Procedure

  1. Log on to the RAM console by using an Alibaba Cloud account or a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, click Create User.

  4. In the User Account Information section of the Create User page, configure the following parameters:

    • Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).

    • Display Name: The display name can be up to 128 characters in length.

    • Tag: Click the edit icon and enter a tag key and a tag value. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.

    Note

    You can click Add User to create multiple RAM users at a time.

  5. Select OpenAPI Access for the Access Mode parameter.

  6. Click OK and complete the security verification. An AccessKey pair is automatically generated for the RAM user.

  7. Click Copy in the Actions column and save the copied user information including the AccessKey ID and AccessKey secret.

    Important

    Keep the AccessKey pair secure. The AccessKey secret is displayed only when the RAM user is created. You cannot view the AccessKey secret after you close the creation page.

  8. On the Users page, find the created RAM user and click Add Permissions in the Actions column.

  9. In the Grant Permission panel, grant permissions to the RAM user.

    1. Specify the authorization scope.

      Set the Resource Scope parameter to Account. Intelligent Media Services (IMS) does not allow you to set the Resource Scope parameter to ResourceGroup. For more information about resource groups, see Differences and relationships among the Resource Directory, Resource Group, and Tag services.

    2. Specify the principal.

      The principal is the RAM user to which you want to grant permissions. By default, the current RAM user is specified. You can also specify another RAM user.

    3. Select policies in the Policy section.

      • Use system policies

        Select System Policy from the drop-down list, enter AliyunICE in the search box, and then select system policies based on your business requirements.

        The two AliyunICE system policies (Policy / Description / API operation):

        AliyunICEFullAccess
          Description: Permissions to manage and operate all IMS resources
          API operation: This policy grants permissions on all operations of IMS.

        AliyunICEReadOnlyAccess
          Description: Read-only permissions on all IMS resources
          API operation: This policy grants permissions on all read-only operations of IMS, such as Get, Describe, Search, and List operations.

      • Use custom policies

        Select Custom Policy from the drop-down list and select custom policies based on your business requirements. If no custom policies are available, click Create Policy. For more information, see Create custom policies or the Sample custom policies section of this topic.

      Note

      • You can attach a maximum of five policies to a RAM user at a time. If you want to attach more than five policies to a RAM user, repeat the operation.

      • To control risks, we recommend that you abide by the principle of least privilege.

      • If you want to use IMS SDK for iOS or Android, you must specify the AliyunOSSFullAccess policy or a custom Object Storage Service (OSS) policy based on your business requirements. This is because the SDK needs to upload files to OSS.

    4. Click Grant permissions.

  10. Optional. Authorize the RAM user to log on to the Alibaba Cloud Management Console. For more information, see the "Enable console logon for a RAM user" section of the Manage console logon settings for a RAM user topic.

Sample custom policies

This section describes only the parameters of the sample policy for granting the read-only permissions on some IMS resources. The parameters of other sample policies in this section are not described because the parameters are similar.

  • Grant the read-only permissions on some IMS resources

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "ice:GetMediaProducingJob",
            "ice:GetEditingProject",
            "ice:GetMediaInfo",
            "ice:ListMediaBasicInfos",
            "ice:SearchEditingProject"
          ],
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "IpAddress": {
              "acs:SourceIp": "192.168.0.1"
            }
          }
        }
      ]
    }

    Parameter description (Parameter / Required / Description)

    Version (required)
      The policy version. Set the value to 1 for IMS.

    Statement (required)
      The statement. A single policy can contain multiple statements. Each statement contains the following elements: Action, Resource, Effect, and Condition.

    Action (required)
      The action. Each action corresponds to an API operation. Specify the value in the ice:<API operation name> format, for example ice:GetMediaInfo. Separate multiple actions with commas (,). You can specify multiple actions to configure a permission group.

    Resource (required)
      The one or more IMS resources that can be accessed by authorized users. Asterisks (*) can be used as wildcards. Specify the value in the acs:ice:<regionId>:<accountId>:* format. The Resource parameter can also have multiple values, which means multiple resources. The regionId field is not supported and must be set to an asterisk (*). IMS does not classify resources. We recommend that you set the Resource parameter to an asterisk (*) or acs:ice:*:*:* if you want to grant permissions on media assets.

    Effect (required)
      Specifies whether a statement result is an explicit allow or an explicit deny. Valid values: Allow and Deny. The system checks the statements one by one for each request. If the value of the Effect parameter is Allow in all matched statements, the request is allowed. If the value of the Effect parameter is Deny in one matched statement or no statements are matched, the request is denied.

      Important

      If a policy includes both an Allow statement and a Deny statement, the Deny statement takes precedence over the Allow statement.

    Condition (optional)
      The access control conditions of the policy. For more information, see the "Condition" section of the Policy elements topic.

  • Grant the read-only permissions on all IMS resources

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "ice:Get*",
            "ice:List*",
            "ice:Search*",
            "ice:Describe*"
          ],
          "Resource": "acs:ice:*:*:*",
          "Effect": "Allow"
        }
      ]
    }

  • Grant full permissions including the write permissions on IMS resources

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ice:*",
          "Resource": "acs:ice:*:*:*"
        }
      ],
      "Version": "1"
    }
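The evaluation rules described in the parameter table (a statement matches only when Action, Resource and Condition all match; Deny in any matched statement wins; a request that matches no statement is denied), as an added example that is not part of this page or of Alibaba Cloud's own policy engine. The policy is constructed, and glob-style matching for the Action and Resource wildcards is an assumption.

```python
import fnmatch
import ipaddress

# Constructed sample policy (not from the page): a broad Allow restricted to a
# source network, plus an explicit Deny on destructive IMS operations.
SAMPLE_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ice:*",
            "Resource": "acs:ice:*:*:*",
            "Condition": {"IpAddress": {"acs:SourceIp": "192.168.0.0/24"}},
        },
        {"Effect": "Deny", "Action": ["ice:Delete*"], "Resource": "*"},
    ],
}


def _as_list(value):
    """Action, Resource and acs:SourceIp may be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _ip_condition_ok(condition, source_ip):
    """Only the IpAddress / acs:SourceIp condition used on this page is modelled."""
    ranges = (condition or {}).get("IpAddress", {}).get("acs:SourceIp")
    if ranges is None:
        return True  # no IP condition: the statement is not restricted by source
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in _as_list(ranges))


def evaluate(policy, action, resource, source_ip):
    """Return 'Allow' or 'Deny' for one request.

    A statement is "matched" when its Action, Resource and Condition all match.
    Assumption: wildcards in Action and Resource follow glob semantics.
    """
    effects = []
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
        if action_hit and resource_hit and _ip_condition_ok(stmt.get("Condition"), source_ip):
            effects.append(stmt["Effect"])
    # Explicit Deny takes precedence; no matched statement also means Deny.
    if not effects or "Deny" in effects:
        return "Deny"
    return "Allow"
```

Running the four cases below shows the Deny-precedence rule and the fact that a failed IpAddress condition makes the statement count as unmatched rather than as an allow.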
