This topic describes how to create a RAM role and grant permissions to the RAM role before you use the role to decrypt and play videos.

Prerequisites

A RAM user is created and has permissions to access Media Processing Service (MPS). For more information, see Create and grant permissions to a RAM user.

Create a role

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, click RAM Roles.
  3. On the RAM Roles page, click Create RAM Role.
  4. In the Create RAM Role pane, set the Trusted Entity Type parameter to Alibaba Cloud Account, and then click Next.
  5. Specify the RAM Role Name and Note parameters.
  6. Select Current Alibaba Cloud Account in the Select Trusted Alibaba Cloud Account field and click OK.
    Note If you select Other Alibaba Cloud Account, you must enter the ID of the Alibaba Cloud account.

Grant permissions to a role

  1. Grant permissions to the RAM role.
    1. On the Roles page, find the RAM role you create and click Add Permissions in the Actions column.
    2. In the Add Permissions panel, set the Authorized Scope parameter to Alibaba Cloud Account.
      Authorized scope Description
      Alibaba Cloud Account The permissions granted to the RAM user take effect on resources within the current Alibaba Cloud account.
      Specific Resource Group The permissions granted to the RAM user take effect on resources in the specified resource group.
    3. In the Principal field, the system automatically enters the name of the current RAM role.
    4. In the Select Policy section, click System Policy, select one or more required policies in the policy list, and then click OK. The policies are attached to the RAM role. Click Complete.
      Note If you want to grant, modify, or revoke the Security Token Service (STS) permissions of a RAM user, perform this step and configure the settings as required.
  2. Associate the RAM user with the RAM role.
    1. In the left-side navigation pane, choose Permissions > Policies. On the Policies page, click Create Policy.
    2. On the Create Policy page, click the JSON tab.
    3. In the code editor, assign the value of the ARN parameter you obtained to the Resource parameter. Specify the Action parameter based on your needs. Click Next.
    4. In the Basic Information section of the Create Policy page, enter a policy name in the Name field and click OK.
    5. In the left-side navigation pane, choose Identities > Users.
    6. Find the RAM user you create and click Add Permissions in the Actions column.
    7. In the Select Policy section of the Add Permissions panel, click Custom Policy, select the required policies in the policy list, and then click OK. The permissions are granted.