ApsaraVideo Live authenticates the identities of users who initiate requests and determines whether the users have the required permissions based on their AccessKey pairs. ApsaraVideo Live supports authorization by using the AccessKey pairs of Alibaba Cloud accounts and RAM users. This topic compares the two authorization methods. This topic also describes the system policies that are provided by Alibaba Cloud and custom policies.

Introduction

You can use the API operations or SDKs that are provided by ApsaraVideo Live to access ApsaraVideo Live. ApsaraVideo Live authenticates the identities of users who initiate requests and determines whether the users have the required permissions based on their AccessKey pairs.

You can use the Resource Access Management (RAM) service to authorize RAM users so that they can use the ApsaraVideo Live console with the granted permissions.

Terms of RAM

  • RAM

    RAM is a service provided by Alibaba Cloud that allows you to manage user identities and control access to your resources. For more information, see What is RAM?

    Note The RAM service isolates and manages permissions rather than resources. RAM users are subordinate to Alibaba Cloud accounts and own no resources. All resources belong only to Alibaba Cloud accounts.
  • Alibaba Cloud account

    Alibaba Cloud accounts are the owners of Alibaba Cloud resources. Alibaba Cloud accounts are charged for all of the resources that they own and have full control over the resources.

  • RAM user

    RAM users are created under Alibaba Cloud accounts. Each RAM user of an Alibaba Cloud account has its own AccessKey pair and can perform authorized operations in the same way as the Alibaba Cloud account. A RAM user can be considered as a user who has specific operation permissions.

  • Policy

    A RAM policy is a set of permissions that are described based on the policy structure and syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions. You can configure RAM policies and grant specific permissions to users or user groups to control their access to the resources or services in your account. For example, you can limit the permissions of users to only upload, play, or audit permissions.

  • AccessKey pair

    An AccessKey pair consists of an AccessKey ID and an AccessKey secret. The AccessKey pair is used to authenticate access identities. ApsaraVideo Live uses AccessKey pairs to implement symmetric encryption and identity authentication.

    • AccessKey ID: is used to identify users.
    • AccessKey secret: is used to encrypt and verify signature strings. You must keep your AccessKey secret confidential.
      Note An AccessKey secret is displayed only when you create the AccessKey pair, and cannot be queried. We recommend that you save the AccessKey secret for subsequent use.
    • AccessKey pair: consists of an AccessKey ID and an AccessKey secret.

For more terms about RAM, see Terms.

Comparison between the authentication methods

The following two types of AccessKey pairs are available for use in ApsaraVideo Live:

  • AccessKey pairs of Alibaba Cloud accounts

    The AccessKey pairs of Alibaba Cloud accounts are the AccessKey pairs of the accounts that activate the ApsaraVideo Live service or accounts registered with Alibaba Cloud. The AccessKey pair of each Alibaba Cloud account has all of the permissions on resources that are owned by the account. Each Alibaba Cloud account can have up to five enabled or disabled AccessKey pairs. You can apply to add or delete your AccessKey pairs in the Alibaba Cloud Management Console. An AccessKey pair may be in the enabled or disabled state. Only enabled AccessKey pairs can be used for identity authentication.

    Warning The AccessKey pairs of Alibaba Cloud accounts have full permissions and carry high risks for data leaks if it is disclosed. Therefore, we recommend that you do not use the AccessKey pairs of Alibaba Cloud accounts to access ApsaraVideo Live.
  • AccessKey pairs of RAM users

    RAM is a resource access control service that is provided by Alibaba Cloud. The AccessKey pairs of RAM users are authorized in RAM. They can be used to access ApsaraVideo Live resources only based on the rules that are defined in RAM. You can use RAM to manage users such as employees, systems, and applications, and control the permissions of users to access your resources. For example, you can use RAM to grant only the video playback permission to the users. RAM users are subordinate to Alibaba Cloud accounts and own no resources. All resources belong only to Alibaba Cloud accounts.

    You can log on to the RAM console to create RAM users, obtain AccessKey pairs, and grant permissions to the RAM users. For more information, see Create and grant permissions to a RAM user.

Comparison between the authentication methods

Authentication method Risk Permission Validity Scenario
AccessKey pairs of Alibaba Cloud accounts Very high Permissions on managing all resources in ApsaraVideo Live Always valid after being enabled The AccessKey pairs of Alibaba Cloud accounts can be used by the super administrator to perform operations. We recommend that you do not use these AccessKey pairs in programs, especially on clients.
AccessKey pairs of RAM users Low Permissions that are granted based on policies Always valid after being enabled The AccessKey pairs of RAM users are used to authorize specific operations such as management. You can create multiple spare RAM users in case of AccessKey pair leaks, for example, when the RAM user resigns. We recommend that you use the AccessKey pairs of RAM users on servers.

Policy

You can use policies to grant only the required permissions to RAM users. Alibaba Cloud allows you use system policies or custom policies.

  • System policies

    The following table lists the three system policies that may be used in ApsaraVideo Live.

    Policy Description Operation permission
    AliyunLiveFullAccess Management permissions on ApsaraVideo Live This policy includes the permissions on all operations in the ApsaraVideo Live console and all API operations.
    AliyunLiveReadOnlyAccess Read-only permissions on ApsaraVideo Live This policy includes the permissions on all read operations and all API operations that are used to read resources, such as the operations starting with Describe.
    AliyunMTSFullAccess Management permissions on ApsaraVideo for Media Processing This policy includes the permissions on all operations in the ApsaraVideo for Media Processing console and all API operations.
  • Custom policies

    If system policies cannot meet your needs, you can create custom policies to implement more fine-grained access control.

    Using ApsaraVideo Live requires the policies that contain the permissions on Object Storage Service (OSS) and ApsaraVideo Live. For more information, see Examples.

Note If a RAM user needs to use the ApsaraVideo Live console, you must grant the RAM user the following permissions:
  • Permissions on ApsaraVideo Live: required. You can use the AliyunLiveFullAccess system policy.
  • Permissions to store snapshots in OSS: required. You can customize a policy that contains the required permissions. For more information, see Examples.

To enable ApsaraVideo Live to store live recordings and snapshots in OSS buckets, you must authorize ApsaraVideo Live to access OSS. You can assign the AliyunMTSDefaultRole role to ApsaraVideo Live. You can click authorization to complete the authorization.