ApsaraVideo Live authenticates the identities of users who initiate requests and determines whether the users have the required permissions based on their AccessKey pairs. ApsaraVideo Live supports authorization by using the AccessKey pairs of Alibaba Cloud accounts and RAM users. This topic compares the two authorization methods. This topic also describes the system policies that are provided by Alibaba Cloud and custom policies.
Introduction
You can use the API operations or SDKs that are provided by ApsaraVideo Live to access ApsaraVideo Live. ApsaraVideo Live authenticates the identities of users who initiate requests and determines whether the users have the required permissions based on their AccessKey pairs.
You can use the Resource Access Management (RAM) service to grant RAM users the permissions to use the ApsaraVideo Live console.
Terms of RAM
RAM
RAM is an Alibaba Cloud service that allows you to manage user identities and control access to your resources. For more information, see What is RAM?
Note: The RAM service isolates and manages permissions rather than resources. RAM users are subordinate to Alibaba Cloud accounts and own no resources. All resources belong only to Alibaba Cloud accounts.
Alibaba Cloud account
Alibaba Cloud accounts are the owners of Alibaba Cloud resources. An Alibaba Cloud account is charged for the usage of all resources within the account and has full permissions on the resources.
RAM user
RAM users are created in Alibaba Cloud accounts. Each RAM user of an Alibaba Cloud account has its own AccessKey pair and can perform authorized operations in the same way as the Alibaba Cloud account. A RAM user can be considered a user who has specific operation permissions.
Policy
A RAM policy is a set of permissions that are described based on the policy structure and syntax. You can configure policies to control on which resources and under which conditions an identity can perform specific operations. You can configure RAM policies and grant specific permissions to users or user groups to control their access to the resources or services in your Alibaba Cloud account. For example, you can grant users only the permissions to upload, play, or review media resources.
AccessKey pair
An AccessKey pair consists of an AccessKey ID and an AccessKey secret. The AccessKey pair is used to authenticate access identities. ApsaraVideo Live uses AccessKey pairs to implement symmetric encryption and identity verification.
AccessKey ID: used to identify a user.
AccessKey secret: used to encrypt and verify a signature string. You must keep your AccessKey secret confidential.
Note: An AccessKey secret is displayed only once, when you create the AccessKey pair, and cannot be retrieved afterwards. Record the AccessKey secret at creation time and store it securely.
AccessKey pair: consists of an AccessKey ID and an AccessKey secret.
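The signing role of the two halves of an AccessKey pair described above, as an added example that is not code from this page or from Alibaba Cloud's SDKs: it implements the RPC-style HMAC-SHA1 request signature (sorted parameters, percent-encoded string to sign, secret plus "&" as the HMAC key) together with the service-side verification step, which makes visible that the AccessKey ID travels in cleartext while only the holder of the AccessKey secret can produce or check a valid signature. The API version 2016-11-01, the action name DescribeLiveUserDomains and all credential values are assumptions or constructed samples.

```python
import base64
import hashlib
import hmac
import uuid
from datetime import datetime, timezone
from urllib.parse import quote


def percent_encode(value) -> str:
    """RFC 3986 encoding required by the signature: space -> %20, '*' -> %2A, '~' kept."""
    return quote(str(value), safe="")


def string_to_sign(method: str, params: dict) -> str:
    """METHOD & encoded '/' & encoded canonical query (parameters sorted by key)."""
    canon = "&".join(f"{percent_encode(k)}={percent_encode(v)}"
                     for k, v in sorted(params.items()))
    return f"{method}&{percent_encode('/')}&{percent_encode(canon)}"


def sign(access_key_secret: str, method: str, params: dict) -> str:
    """Base64(HMAC-SHA1(secret + '&', string_to_sign)); only the secret holder can do this."""
    key = (access_key_secret + "&").encode("utf-8")
    mac = hmac.new(key, string_to_sign(method, params).encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def build_signed_query(access_key_id: str, access_key_secret: str, action: str) -> dict:
    """Public request parameters plus Signature, added last (never part of the signed string)."""
    params = {
        "Action": action,                     # e.g. a read-only Describe* operation
        "Version": "2016-11-01",              # assumed ApsaraVideo Live API version
        "Format": "JSON",
        "AccessKeyId": access_key_id,         # identifies the caller; travels in cleartext
        "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0",
        "SignatureNonce": str(uuid.uuid4()),  # unique per request, for replay protection
        "Timestamp": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    }
    params["Signature"] = sign(access_key_secret, "GET", params)
    return params


def verify(access_key_secret: str, method: str, received: dict) -> bool:
    """Service-side check: recompute from all parameters except Signature, compare in constant time."""
    unsigned = {k: v for k, v in received.items() if k != "Signature"}
    expected = sign(access_key_secret, method, unsigned)
    return hmac.compare_digest(expected, received.get("Signature", ""))
```

Because any change to a signed parameter, to the HTTP method or to the secret makes verification fail, a leaked AccessKey ID alone is harmless, whereas a leaked secret lets anyone sign requests with that identity's permissions.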
For more terms about RAM, see Terms.
Comparison between the authentication methods
The following two types of AccessKey pairs are available for use in ApsaraVideo Live:
AccessKey pairs of Alibaba Cloud accounts
An Alibaba Cloud account, which is registered with Alibaba Cloud, can be used to activate ApsaraVideo Live. Each AccessKey pair of the account has full permissions on resources that are owned by the account. An Alibaba Cloud account can have up to five enabled or disabled AccessKey pairs. You can create or delete an AccessKey pair in the RAM console. Only enabled AccessKey pairs can be used for identity verification.
Warning: An AccessKey pair of your Alibaba Cloud account has full permissions and poses a high risk of data leakage if it is disclosed. Therefore, we recommend that you do not use the AccessKey pairs of your Alibaba Cloud account to access ApsaraVideo Live.
AccessKey pairs of RAM users
RAM is a resource access control service provided by Alibaba Cloud. The AccessKey pairs of RAM users are authorized in RAM. They can be used to access ApsaraVideo Live resources only based on the rules that are defined in RAM. You can use RAM to manage users such as employees, systems, and applications, and control the permissions of users to access your resources. For example, you can use RAM to grant your users only the permissions to play videos. RAM users are subordinate to Alibaba Cloud accounts and do not own actual resources. All resources belong only to Alibaba Cloud accounts.
You can log on to the RAM console to create RAM users, obtain AccessKey pairs, and grant permissions to the RAM users. For more information, see Create a RAM user and grant permissions to the RAM user.
Comparison table
Authentication method | Risk | Permission | Validity | Scenario |
AccessKey pairs of Alibaba Cloud accounts | Very high | Permissions on managing all resources in ApsaraVideo Live | Always valid after being enabled | The super administrator uses the AccessKey pairs of the Alibaba Cloud account to perform operations. We recommend that you not use these AccessKey pairs in programs, especially on clients. |
AccessKey pairs of RAM users | Low | Permissions that are granted based on policies | Always valid after being enabled | You use the AccessKey pairs of RAM users to authorize specific operations such as management. You can create multiple spare RAM users in case of potential AccessKey pair leakage, for example, when the owner of a RAM user resigns. We recommend that you use these AccessKey pairs on servers. |
Policies
You can use policies to grant only the required permissions to RAM users. Alibaba Cloud allows you to use system policies or custom policies.
System policies
The following table lists the three system policies that may be used in ApsaraVideo Live.
Policy | Description | Operation permissions |
AliyunLiveFullAccess | Management permissions on ApsaraVideo Live | This policy includes the permissions on all operations in the ApsaraVideo Live console and all API operations of ApsaraVideo Live. |
AliyunLiveReadOnlyAccess | Read-only permissions on ApsaraVideo Live | This policy includes the permissions on all read operations and all API operations that are used to read resources, such as the API operations starting with Describe. |
AliyunMTSFullAccess | Management permissions on ApsaraVideo Media Processing (MPS) | This policy includes the permissions on all operations in the MPS console and all API operations of MPS. |
Custom policies
If the system policies cannot meet your business requirements, you can create custom policies to implement fine-grained permission control. For more information, see Create a custom policy.
Common authorization practices
This section describes some common authorization practices for ApsaraVideo Live.
If you want to use ApsaraVideo Live as a RAM user, you must attach the system policy AliyunLiveFullAccess to the RAM user or create a custom policy that grants only the required permissions and attach that policy instead.
If you want to store live stream recordings and snapshots in Object Storage Service (OSS) buckets, you must authorize ApsaraVideo Live to access OSS. In this case, assign the AliyunMTSDefaultRole role to your account. You can click here to complete the authorization.
Note: When you activate ApsaraVideo Live, the system considers that you authorize ApsaraVideo Live to write data to your OSS buckets by default. Therefore, ApsaraVideo Live has the permissions to store recordings in the bucket that you specify. If the permissions are accidentally removed, you can grant the permissions again.
If you want to delete snapshots that are stored in OSS by using the ApsaraVideo Live console or API, you must create the service-linked role AliyunMTSVideoLifecycleRole and attach the AliyunMTSVideoLifecycleRolePolicy policy to the role. For more information, see Delete snapshots in the ApsaraVideo Live console.
If you want to delete recordings that are stored in OSS by using the ApsaraVideo Live console or API, you must create the service-linked role AliyunMTSVideoLifecycleRole and attach the AliyunMTSVideoLifecycleRolePolicy policy to the role. For more information, see Delete recordings.