Intelligent Media Services (IMS) uses AccessKey pairs to verify the identities of users who call API operations of IMS. This effectively prevents unauthorized requests. This topic describes the different types of AccessKey pairs and the differences between them.
AccessKey pair types
IMS verifies the identity of the caller for each API request. IMS uses an AccessKey pair that consists of an AccessKey ID and an AccessKey secret to verify whether the account of a user has the permissions to call an operation. The following types of AccessKey pairs are supported:
AccessKey pair of an Alibaba Cloud account
You can use the AccessKey pairs of the Alibaba Cloud account that is used to activate IMS to access IMS resources. An Alibaba Cloud account can have a maximum of five AccessKey pairs, including enabled and disabled AccessKey pairs. Each AccessKey pair of the Alibaba Cloud account has full permissions on the resources that belong to the Alibaba Cloud account. You can log on to the Resource Access Management (RAM) console to create or delete AccessKey pairs. Each AccessKey pair can be enabled or disabled. Only enabled AccessKey pairs can be used to verify user identities.
Important: An AccessKey pair of an Alibaba Cloud account has full access to all resources within the account. AccessKey pair leaks pose critical threats to the resources within an Alibaba Cloud account. We recommend that you do not use the AccessKey pairs of Alibaba Cloud accounts to access IMS resources.
AccessKey pair of a RAM user
RAM is a resource access control service that is provided by Alibaba Cloud. An AccessKey pair of a RAM user is granted permissions in RAM. The AccessKey pair can be used to access IMS resources based only on the rules defined by RAM. You can use RAM to manage users such as employees, systems, and applications in a centralized manner and control the access permissions of users on your resources. RAM users are subordinate to Alibaba Cloud accounts and own no resources. All resources belong only to Alibaba Cloud accounts. You can log on to the RAM console to create a RAM user and grant permissions to the RAM user. For more information, see Create a RAM user and grant permissions to the RAM user.
STS temporary AccessKey pair
Security Token Service (STS) is an Alibaba Cloud service that provides temporary access credentials. An STS temporary AccessKey pair is an AccessKey pair issued by STS and is valid only within a specific period of time. The AccessKey pair can be used to access IMS resources based only on the rules defined by STS and expires after the validity period elapses. You can log on to the RAM console to create a RAM role and use STS to authorize temporary access. For more information, see Create a RAM role and use STS to authorize temporary access.
Comparison among different types of AccessKey pairs
AccessKey pair type | Risk level | Permission | Validity period | Scenario |
AccessKey pair of an Alibaba Cloud account | Very high | Permissions to manage and operate all IMS resources | Permanently valid after the AccessKey pair is enabled | The super administrator uses an AccessKey pair of an Alibaba Cloud account to perform operations. We recommend that you do not use the AccessKey pairs of an Alibaba Cloud account in programs, especially on clients. |
AccessKey pair of a RAM user | High | Permissions that are granted based on policies | Permanently valid after the AccessKey pair is enabled | An AccessKey pair of a RAM user is used to authorize the RAM user to perform operations such as registering media assets, querying media assets, submitting production tasks, and querying production tasks. You can create multiple RAM users to prevent AccessKey pair leaks. For example, AccessKey pair leaks may occur if an employee resigns. In this case, you can delete the RAM user created for the employee to eliminate the risk of a leak. We recommend that you use the AccessKey pairs of a RAM user on servers. |
STS temporary AccessKey pair | Low | Permissions that are granted based on policies | Valid until the specified validity period elapses | You can use STS temporary AccessKey pairs on mobile or web clients. You must deploy a server to generate STS temporary AccessKey pairs, and take appropriate actions when the temporary AccessKey pairs expire. |
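The STS row above requires clients to act when a temporary AccessKey pair expires. The following added example (not code from the IMS documentation or SDK) sketches one way to do that: a client-side cache that renews the pair shortly before expiry and refuses a stale one. The `fetch` callable, the field names `AccessKeyId`, `AccessKeySecret`, `SecurityToken` and `Expiration`, and the UTC timestamp format are assumptions about what your token server returns.

```python
from datetime import datetime, timedelta, timezone

# Assumed field names of the temporary credential returned by the token server.
REQUIRED = {"AccessKeyId", "AccessKeySecret", "SecurityToken", "Expiration"}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # assumed UTC timestamp format of "Expiration"


class TemporaryCredentialCache:
    """Caches one temporary AccessKey pair and renews it before it expires."""

    def __init__(self, fetch, margin=timedelta(minutes=5), now=None):
        self._fetch = fetch    # hypothetical callable that asks your token server
        self._margin = margin  # renew this long before the stated expiry
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._creds, self._renew_at = None, None

    def get(self):
        """Return credentials that stay valid for at least `margin`."""
        if self._creds is None or self._now() >= self._renew_at:
            self._refresh()
        return self._creds

    def _refresh(self):
        creds = self._fetch()
        missing = REQUIRED - set(creds)
        if missing:
            raise ValueError(f"token server response lacks {sorted(missing)}")
        expires = datetime.strptime(creds["Expiration"], TIME_FMT).replace(tzinfo=timezone.utc)
        if expires - self._margin <= self._now():
            # Never cache or hand out a pair that is expired or about to expire.
            raise ValueError("token server returned a stale credential")
        self._creds, self._renew_at = creds, expires - self._margin


def demo():
    """Constructed run: fake clock, fake token server issuing 1-hour credentials."""
    clock = {"t": datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)}
    issued = []
    def fake_fetch():  # constructed sample values, not real keys
        issued.append({"AccessKeyId": f"TMP-ID-{len(issued) + 1}", "AccessKeySecret": "x",
                       "SecurityToken": "t",
                       "Expiration": (clock["t"] + timedelta(hours=1)).strftime(TIME_FMT)})
        return issued[-1]
    cache = TemporaryCredentialCache(fake_fetch, now=lambda: clock["t"])
    first = cache.get()["AccessKeyId"]
    clock["t"] += timedelta(minutes=30)
    reused = cache.get()["AccessKeyId"]    # still outside the renewal margin
    clock["t"] += timedelta(minutes=26)    # 56 min: inside the 5-minute margin
    renewed = cache.get()["AccessKeyId"]
    return first, reused, renewed, len(issued)
```

The renewal margin keeps a request from being signed with a pair that expires in flight; the token server, not the client, holds the long-lived RAM credentials.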
Policies
IMS provides the following system policies. You can select a policy to grant permissions to RAM users based on your business requirements.
Policy | Description | API operation |
AliyunICEFullAccess | Permissions to manage and operate all IMS resources | This policy grants permissions on all operations of IMS. |
AliyunICEReadOnlyAccess | Read-only permissions on all IMS resources | This policy grants permissions on all read-only operations of IMS, such as Get, Describe, Search, and List operations. |
If the permissions that are granted based on the system policies cannot meet your requirements, you can use custom policies. For more information, see the "Use custom policies" section of the Create a RAM user and grant permissions to the RAM user topic.