ApsaraVideo VOD uses AccessKey pairs to authenticate the identity of the user who initiates a request and to determine whether that user has the required permissions. ApsaraVideo VOD supports authentication based on AccessKey pairs of Alibaba Cloud accounts, AccessKey pairs of RAM users, and Security Token Service (STS) temporary AccessKey pairs. This topic compares these authentication methods and describes the system policies that are provided by Alibaba Cloud.
Identity authentication
You can access ApsaraVideo VOD by using the APIs or SDKs provided by ApsaraVideo VOD. The SDKs include the upload SDK, ApsaraVideo Player SDK, and short video SDK.
For each request, ApsaraVideo VOD authenticates the identity of the user and checks whether the user has the permissions to perform the operation. AccessKey pairs are used in identity authentication.
Terms
RAM
Resource Access Management (RAM) is an Alibaba Cloud service that allows you to manage user identities and control access to your resources. For more information, see What is RAM?
Note: The RAM service isolates and manages permissions rather than resources. RAM users are subordinate to Alibaba Cloud accounts and do not own actual resources. All resources belong only to Alibaba Cloud accounts. If you want to isolate resources, you can use the multi-application system of ApsaraVideo VOD. For more information, see Overview.
Alibaba Cloud account
The Alibaba Cloud account is the owner of Alibaba Cloud resources. The Alibaba Cloud account is charged for the usage of all resources that it owns. The Alibaba Cloud account has full control over the resources.
RAM user
RAM users are created in Alibaba Cloud accounts. Each RAM user of an Alibaba Cloud account has its own AccessKey pair and can perform authorized operations in the same way as the Alibaba Cloud account. A RAM user can be considered a user who has specific operation permissions.
Role
Roles are identities to which permission policies are attached. Roles do not have logon passwords or AccessKey pairs. Roles can be assigned to a RAM user. When a RAM user is assigned a role, the permissions of the role are granted to the RAM user.
Note: The relationship between RAM users and their roles is similar to the relationship between individuals and their identities. For example, an individual may be assigned the roles of an employee at work and a father at home. An individual may be assigned different roles in different scenarios. If an individual is assigned a specific role, the individual is granted the permissions of that role. A role is not an operational entity. A role is a complete operational entity only after the role is assigned to a user.
A role can be assigned to multiple users at the same time. The user who is assigned a role is automatically granted all permissions of the role.
RAM policy
A RAM policy is a set of permissions that are described based on the policy structure and syntax. You can configure policies to control which operations an identity can perform, on which resources, and under what conditions. You can configure RAM policies and grant specific permissions to users or user groups to control their access to the resources or services in your Alibaba Cloud account. For example, you can grant users only the permissions to upload, play, or review media resources.
For more information about the concepts of access control, see Terms.
AccessKey pair
An AccessKey pair consists of an AccessKey ID and an AccessKey secret and is used to authenticate user identities. ApsaraVideo VOD authenticates a request by verifying a signature that is computed with the AccessKey secret as a symmetric key; the secret itself is never sent with the request.
The AccessKey ID identifies the user.
The AccessKey secret is used to compute and verify the signature string of a request. You must keep your AccessKey secret confidential.
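The following added example (not code from the ApsaraVideo VOD documentation or SDKs) shows why the AccessKey secret must stay confidential: it is the HMAC-SHA1 key of the Alibaba Cloud RPC-style request signature, so a server that holds the secret can verify a request while the secret never travels on the wire. The AccessKey ID and secret are constructed sample values, and the API version `2017-03-21` is the ApsaraVideo VOD API version.

```python
import base64
import hashlib
import hmac
import secrets
import urllib.parse
from datetime import datetime, timezone

# Constructed sample credentials for the demo; not real keys.
ACCESS_KEY_ID = "LTAI_EXAMPLE_ID"
ACCESS_KEY_SECRET = "example-secret-do-not-use"


def percent_encode(value: str) -> str:
    """RFC 3986 encoding used by the signature scheme: space -> %20, '*' -> %2A, '~' kept."""
    return urllib.parse.quote(str(value), safe="-_.~").replace("*", "%2A")


def string_to_sign(method: str, params: dict) -> str:
    """Canonical query: parameters sorted by name, the Signature parameter excluded."""
    canonical = "&".join(f"{percent_encode(k)}={percent_encode(v)}"
                         for k, v in sorted(params.items()) if k != "Signature")
    return f"{method}&{percent_encode('/')}&{percent_encode(canonical)}"


def sign(method: str, params: dict, access_key_secret: str) -> str:
    """HMAC-SHA1 over the string to sign; the key is the secret plus a trailing '&'."""
    key = (access_key_secret + "&").encode()
    digest = hmac.new(key, string_to_sign(method, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_signed_query(action: str, extra: dict, access_key_id: str, access_key_secret: str) -> dict:
    """Client side: common parameters plus a fresh nonce and timestamp, then the signature."""
    params = {
        "Action": action, "Version": "2017-03-21", "Format": "JSON",
        "AccessKeyId": access_key_id, "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0", "SignatureNonce": secrets.token_hex(16),
        "Timestamp": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        **extra,
    }
    params["Signature"] = sign("GET", params, access_key_secret)  # only the ID is transmitted
    return params


def verify(method: str, params: dict, access_key_secret: str) -> bool:
    """Server side: look up the secret by AccessKeyId, recompute, compare in constant time."""
    expected = sign(method, params, access_key_secret)
    return hmac.compare_digest(expected, params.get("Signature", ""))
```

Any change to a signed parameter, or a wrong secret, makes `verify` fail, which is why a leaked secret (not just a leaked ID) is what lets a third party forge requests.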
You can use the following types of AccessKey pairs to access ApsaraVideo VOD:
AccessKey pairs of Alibaba Cloud accounts
AccessKey pairs of Alibaba Cloud accounts are the AccessKey pairs of the account that activated ApsaraVideo VOD, that is, the account that is registered with Alibaba Cloud. The AccessKey pair of an Alibaba Cloud account allows full access to all resources that are owned by the account. Each Alibaba Cloud account can have up to five AccessKey pairs, each in the enabled or disabled state.
You can add or delete your AccessKey pairs in the Alibaba Cloud Management Console. Each AccessKey pair is either enabled or disabled. Only enabled AccessKey pairs can be used for identity authentication.
Warning: AccessKey pairs of Alibaba Cloud accounts allow full access to all resources and pose a high risk of data leaks if they are disclosed. We recommend that you do not use the AccessKey pairs of Alibaba Cloud accounts to access ApsaraVideo VOD.
AccessKey pairs of RAM users
RAM is a resource access control service provided by Alibaba Cloud. The AccessKey pairs of RAM users are authorized in RAM. They can be used to access ApsaraVideo VOD resources only based on the rules defined by RAM. You can use RAM to manage users such as employees, systems, and applications, and control the permissions of users to access your resources. For example, you can use RAM to grant your users only the permissions to play videos. RAM users are subordinate to Alibaba Cloud accounts and do not own actual resources. All resources belong only to Alibaba Cloud accounts.
You can log on to the RAM console to create RAM users, obtain AccessKey pairs, and grant permissions to the RAM users.
Warning: Grant only required permissions to RAM users to prevent security risks introduced by excessive permissions. For more information about how to configure fine-grained access control, see Create a custom policy.
STS temporary AccessKey pairs
Security Token Service (STS) is an Alibaba Cloud service that provides temporary access credentials. An STS temporary AccessKey pair is an AccessKey pair that is issued by STS and is valid for a specific period of time. STS temporary AccessKey pairs can be used to access ApsaraVideo VOD resources only based on the rules that are defined by STS and expire after the specified validity period elapses.
Comparison between the authentication methods
| Authentication method | Risk | Permission | Validity period | Scenario |
|---|---|---|---|---|
| AccessKey pairs of Alibaba Cloud accounts | Very high | Permissions to manage all resources in ApsaraVideo VOD | Permanently valid after being enabled | Used by the super administrator to perform operations. We recommend that you do not use these AccessKey pairs in programs, especially on clients. |
| AccessKey pairs of RAM users | High | Permissions that are granted based on policies | Permanently valid after being enabled | Used to authorize specific upload, playback, and management operations. You can create multiple AccessKey pairs so that a leaked pair can be replaced; for example, the AccessKey pair of a RAM user who resigns is at risk of being leaked. We recommend that you use AccessKey pairs of RAM users on servers. |
| STS temporary AccessKey pairs | Low | Permissions that are granted based on policies | Valid until the specified validity period elapses | Can be used on mobile or web clients. You must deploy servers to generate STS temporary AccessKey pairs. |
In addition to the preceding authentication methods, you can also use upload credentials and playback credentials to handle authorization and security issues during media upload and playback. For more information about the comparison between credentials and STS, see Comparison between credentials and STS.
System policies
ApsaraVideo VOD provides four system policies that you can attach to RAM users or to the identities that use STS temporary AccessKey pairs.
| Policy | Description | Operation |
|---|---|---|
| AliyunVODFullAccess | Permissions to manage all resources in ApsaraVideo VOD | All API operations in ApsaraVideo VOD |
| AliyunVODReadOnlyAccess | Read-only permissions on all resources in ApsaraVideo VOD | All read-related API operations in ApsaraVideo VOD, such as API operations that start with Get, Describe, Search, and List |
| AliyunVODPlayAuth | Permissions to play videos by using ApsaraVideo Player SDK or calling specific API operations | Playback-related API operations: |
| AliyunVODUploadAuth | Permissions to upload resources to ApsaraVideo VOD by using the upload SDK or calling specific API operations | Upload-related API operations: |
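The custom least-privilege policy recommended for RAM users above, and the Get/Describe/Search/List pattern of the read-only system policy, both rely on RAM policy evaluation: an explicit Deny wins over any Allow, and anything not allowed is implicitly denied. The following added example (not Alibaba Cloud's own evaluator; it ignores Condition blocks) builds a playback-only custom policy in RAM policy syntax and checks it against the actions a workload needs and the actions it must never get. The action names `vod:GetPlayInfo`, `vod:GetVideoPlayAuth`, `vod:CreateUploadVideo` and `vod:DeleteVideo` are real ApsaraVideo VOD API operations; the policy itself is a constructed sample.

```python
import fnmatch
import json

# Constructed playback-only custom policy in Alibaba Cloud RAM policy syntax.
# The Deny statement documents intent and survives a later over-broad Allow.
PLAY_ONLY_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["vod:GetPlayInfo", "vod:GetVideoPlayAuth"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": ["vod:Delete*", "vod:Update*", "vod:*Upload*"],
         "Resource": "*"},
    ],
})


def _as_list(value):
    """RAM allows Action/Resource to be a string or a list of strings."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy_json: str, action: str, resource: str = "*") -> bool:
    """Simplified RAM decision: explicit Deny > explicit Allow > implicit deny.
    '*' and '?' in Action/Resource patterns match as RAM wildcards."""
    allowed = False
    for stmt in json.loads(policy_json)["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, pat)
                           for pat in _as_list(stmt.get("Resource", "*")))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False  # a matching Deny ends evaluation immediately
        allowed = True
    return allowed


def check_scope(policy_json: str, required: list, forbidden: list) -> tuple:
    """Least-privilege audit: actions the workload needs but lacks, and
    sensitive actions the policy grants although it should not."""
    missing = [a for a in required if not is_allowed(policy_json, a)]
    over_granted = [a for a in forbidden if is_allowed(policy_json, a)]
    return missing, over_granted


# Mirrors the read-only system policy's naming pattern for comparison.
READ_ONLY_LIKE_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["vod:Get*", "vod:Describe*", "vod:Search*", "vod:List*"],
     "Resource": "*"}]})
```

Run `check_scope` against a candidate policy before attaching it; an empty `over_granted` list is the property the warning in the RAM user section asks for.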
Permission policies for other cloud services
The following table describes the policies that you can attach to RAM users or STS accounts based on your business requirements.
| Policy | Description | Operation |
|---|---|---|
| AliyunOSSFullAccess | Permissions to access Object Storage Service (OSS) | Manage the storage of ApsaraVideo VOD. |
| AliyunMNSFullAccess | Permissions to access Simple Message Queue (formerly MNS) | Use the callback feature of ApsaraVideo VOD. |
| AliyunKMSFullAccess | Permissions to access Key Management Service (KMS) | Use HLS encryption or Alibaba Cloud proprietary cryptography to encrypt resources in ApsaraVideo VOD. |
| AliyunCDNFullAccess | Permissions to access Alibaba Cloud CDN | Use features that are related to Alibaba Cloud CDN in ApsaraVideo VOD. |