You can create Resource Access Management (RAM) users and grant the RAM users the permissions to access different resources. You can access ApsaraVideo Media Processing (MPS) as a RAM user to prevent security risks caused by AccessKey pair or password leaks. To allow a RAM user to use MPS, you must authorize the RAM user to access the following services based on your business requirements: MPS, Object Storage Service (OSS), RAM, Simple Message Queue (formerly MNS), and Alibaba Cloud CDN. This topic describes how to create a RAM user and authorize the RAM user to use MPS.
If a RAM user does not have the required permissions to use MPS, the User not authorized to operate on the specified resource error message is returned when you perform an operation on MPS as the RAM user. Check whether the RAM user has the full permissions on MPS. If the RAM user does not have the full permissions on MPS, grant the required permissions to the RAM user by performing the operations described in the following section.
Procedure
Log on to the RAM console by using an Alibaba Cloud account or a RAM user who has administrative rights.
In the left-side navigation pane, choose .
On the Users page, click Create User.
In the User Account Information section of the Create User page, configure the following parameters:
Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).
Display Name: The display name can be up to 128 characters in length.
Tag: Click the
icon and enter a tag key and a tag value. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.
NoteYou can click Add User to create multiple RAM users at a time.
Select OpenAPI Access for the Access Mode parameter.
Click OK and complete the security verification. An AccessKey pair is automatically generated for the RAM user.
Click Copy in the Actions column and save the copied user information, including the username, password, AccessKey ID, and AccessKey secret.
ImportantKeep the AccessKey pair secure. The AccessKey secret is displayed only when the RAM user is created. You cannot view the AccessKey secret after you close the creation page.
On the Users page, find the created RAM user and click Add Permissions in the Actions column.
In the Grant Permission panel, configure the parameters.
Configure the Resource Scope parameter to specify the authorization scope.
Valid value
Description
Account
The permissions granted to the RAM user take effect on resources within the current Alibaba Cloud account.
ResourceGroup
The permissions granted to the RAM user take effect only on resources in the specified resource group.
Configure the Principal parameter to specify a principal.
The principal is the RAM user to whom you want to grant permissions.
Select policies in the Policy section. For more information about the services that you need to authorize the RAM user to access and the supported policies, see the Policies section of this topic.
Use system policies
Click All Types and then select System Policy. Enter a policy name in the search box to search for the policy that you want to attach to the RAM user. Then, click the policy name to add the policy to the Selected Policy section.
Use custom policies
You can manage permissions in a fine-grained manner by using custom policies. After you create custom policies, you can search for and select the custom policies to attach the custom policies to the RAM user. For more information about how to create a custom policy, see the Create a custom policy section of this topic.
Click Grant permissions.
Policies
To use MPS as a RAM user, you must authorize the RAM user to access MPS and OSS. You can also authorize the RAM user to access Simple Message Queue (formerly MNS) and Alibaba Cloud CDN. You must use a system policy to grant permissions on MPS to the RAM user. You can use a system policy or custom policy to grant permissions on other services to the RAM user.
Service | Description | Required | System policy | Custom policy |
MPS | To allow a RAM user to use MPS, you must grant full permissions on MPS to the RAM user. | Yes | The AliyunMTSFullAccess system policy that has all read and write permissions on MPS. | Not supported. |
OSS | To allow a RAM user to use MPS, you must grant the read and write permissions on OSS to the RAM user. | Yes | The AliyunOSSFullAccess system policy that has all read and write permissions on OSS. | Supported. For more information, see the subsequent sections of this topic. |
Simple Message Queue (formerly MNS) | To use Simple Message Queue (formerly MNS) to subscribe to notifications about jobs, you must grant the read and write permissions on SMQ to the RAM user. | No | The AliyunMNSFullAccess system policy that has all read and write permissions on SMQ. | |
Alibaba Cloud CDN | To use Alibaba Cloud CDN to accelerate content delivery, you must grant the read and write permissions on Alibaba Cloud CDN to the RAM user. | No | The AliyunCDNFullAccess system policy that has all read and write permissions on CDN. |
Create a custom policy
Log on to the RAM console with an Alibaba Cloud account.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy. On the Create Policy page, click the JSON tab.
Enter the policy document in the code editor and click Next to edit policy information. Configure the basic information about the policy and click OK.
Parameter
Description
Policy content
You can import system policies or paste the code of the policy templates that are described in the following sections in the code editor.
Configure the parameters such as Name and Description.
Click OK.
Sample custom policy for restricting the IP addresses from which and the time periods within which the RAM user is allowed to access MPS
The RAM user can access MPS only from 192.0.2.0/24 and 203.0.113.2.
The RAM user can access MPS only before 17:00 on August 12, 2019 (UTC+8).
{
"Version": "1",
"Statement": [{
"Effect": "Allow",
"Action": [
"mts:*",
"mts-inner:*"
],
"Resource": "*",
"Condition": {
"NotIpAddress": {
"acs:SourceIp": [
"192.0.2.0/24",
"203.0.113.2"
]},
"DateLessThan": {
"acs:CurrentTime": "2019-08-12T17:00:00+08:00"
}
}
]
}Sample custom policy for OSS
Grant the RAM user the permissions to perform all operations on the specified input and output buckets.
Grant the RAM user the permissions to query the buckets.
{
"Version": "1",
"Statement": [{
"Effect": "Allow",
"Action": [
"oss:ListBuckets"
],
"Resource": "*"
}, {
"Effect": "Allow",
"Action": [
"oss:*"
],
"Resource": [
"acs:oss:*:*:$InputBucket",
"acs:oss:*:*:$InputBucket/*",
"acs:oss:*:*:$OutputBucket",
"acs:oss:*:*:$OutputBucket/*
]
}
]
}Parameter description
Parameter | Description |
oss:ListBuckets | The oss:ListBuckets permission is required for a RAM user to perform operations on OSS by using visualization tools. After the permission is granted to a RAM user, the RAM user can query all buckets. However, the RAM user can manage only the input and output buckets that are specified in the policy. The oss:ListBuckets permission applies only to all buckets. |
oss:* | All permissions on OSS. You can also replace "oss:*" with the following specific permissions based on your business requirements. "oss:GetObject", "oss:PutObject", "oss:GetObjectAcl", "oss:PutObjectAcl", "oss:AbortMultipartUpload", "oss:ListParts", "oss:RestoreObject", "oss:GetVodPlaylist", "oss:PostVodPlaylist", "oss:PublishRtmpStream", "oss:ListObjectVersions", "oss:GetObjectVersion", "oss:GetObjectVersionAcl", "oss:RestoreObjectVersion" |
$InputBucket | The bucket that stores the input file. |
$OutputBucket | The bucket that stores the output file. |
For more information, see Examples.
Sample custom policy for RAM
Grant the RAM user the permissions to query policies attached to RAM roles.
{
"Version": "1",
"Statement": [{
"Effect": "Allow",
"Action": [
"ram:ListPoliciesForRole"
],
"Resource": "*"
}
]
}Sample custom policy for SMQ
Grant the RAM user the permissions to query queues and topics.
Grant the RAM user the permissions to perform all read and write operations on the specified queues and topics.
{
"Version": "1",
"Statement": [{
"Effect":"Allow",
"Action":[
"mns:ListQueue",
"mns:ListTopic",
"mns:GetQueueAttributes",
"mns:GetTopicAttributes"
],
"Resource":"acs:mns:*:*:*"
}, {
"Effect": "Allow",
"Action": "mns:*",
"Resource": [
"acs:mns:$Region:$Uid:/queues/$QueueName",
"acs:mns:$Region:$Uid:/topics/$TopicName"
]
}
]
}Parameter description
Parameter | Description |
$QueueName | The name of the SMQ queue to be associated with an MPS queue or a workflow. |
$TopicName | The name of the SMQ topic to be associated with an MPS queue or a workflow. |
For more examples, see Permission policies and examples.
Sample custom policy for Alibaba Cloud CDN
Grant the RAM user the permissions to query all CDN-accelerated domain names.
Grant the RAM user the permissions to perform all read and write operations on the specified CDN-accelerated domain names.
{
"Version": "1",
"Statement": [{
"Effect": "Allow",
"Action": "cdn:*",
"Resource": "acs:cdn:*:$Uid:domain/$DomainName"
},{
"Effect": "Allow",
"Action": "cdn:Describe*",
"Resource": "*"
}
]
}Parameter description
Parameter | Description |
$DomainName | The CDN-accelerated domain name. |
What to do next
After you create a RAM user and grant permissions to the RAM user, you can log on to the Alibaba Cloud Management Console as the RAM user. For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.