
ApsaraVideo Media Processing:Create a RAM user and grant permissions to the RAM user

Last Updated:Feb 04, 2024

You can use ApsaraVideo Media Processing (MPS) as a Resource Access Management (RAM) user to prevent security risks caused by AccessKey pair or password leaks. To allow a RAM user to use MPS, you must authorize the RAM user to access MPS, Object Storage Service (OSS), and RAM. You can also authorize the RAM user to access Message Service (MNS) and Alibaba Cloud CDN (CDN) based on your business requirements. This topic describes how to create a RAM user and authorize the RAM user to use MPS.

Note

If a RAM user does not have the permissions to use MPS, the User not authorized to operate on the specified resource error message is returned when the RAM user performs an operation on MPS. In this case, check whether the RAM user has all the required permissions to use MPS. If the RAM user does not have all the required permissions to use MPS, perform the operations that are described in the following section to grant the permissions to the RAM user.

Procedure

  1. Log on to the RAM console by using an Alibaba Cloud account or a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, click Create User.

  4. In the User Account Information section of the Create User page, configure the following parameters:

    • Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).

    • Display Name: The display name can be up to 128 characters in length.

    • Tag: Click the edit icon and enter a tag key and a tag value. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.

    Note

    You can click Add User to create multiple RAM users at a time.

  5. Select OpenAPI Access for the Access Mode parameter.

  6. Click OK and complete the security verification. An AccessKey pair is automatically generated for the RAM user.

  7. Click Copy in the Actions column and save the copied user information including the AccessKey ID and AccessKey secret.

    Important

    Keep the AccessKey pair secure. The AccessKey secret is displayed only when the RAM user is created. You cannot view the AccessKey secret after you close the creation page.

  8. On the Users page, find the created RAM user and click Add Permissions in the Actions column.

  9. In the Add Permissions panel, configure the following parameters:

    1. Configure the Authorized Scope parameter to specify the authorization scope. Valid values:

      • Alibaba Cloud Account: The permissions granted to the RAM user take effect on resources within the current Alibaba Cloud account.

      • Specific Resource Group: The permissions granted to the RAM user take effect only on resources in the specified resource group.

    2. Configure the Principal parameter to specify a principal.

      The principal is the RAM user to whom you want to grant permissions.

    3. Select policies in the Select Policy section. For more information about the services that you need to authorize the RAM user to access and the supported policies, see the Policies section of this topic.

      • Use system policies

        Click the System Policy tab and enter a policy name in the search box to search for the policy that you want to attach to the RAM user. Then, click the policy name to add the policy to the Selected section.

      • Use custom policies

        You can refine permission management by using custom policies. After you create custom policies, you can search for and select the custom policies on the Custom Policy tab to attach the custom policies to the RAM user. For more information about how to create a custom policy, see the Create a custom policy section of this topic.

  10. Click OK.

  11. Click Complete.

Policies

To use MPS as a RAM user, you must authorize the RAM user to access MPS and OSS. You can also authorize the RAM user to access MNS and CDN based on your business requirements. You must use a system policy to grant permissions on MPS to the RAM user. You can use a system policy or a custom policy to grant permissions on the other services to the RAM user.

  • MPS (required: yes)

    Description: To allow a RAM user to use MPS, you must grant full permissions on MPS to the RAM user.

    System policy: AliyunMTSFullAccess (read and write permissions on MPS)

    Custom policy: Not supported

  • OSS (required: yes)

    Description: To allow a RAM user to use MPS, you must grant the read and write permissions on OSS to the RAM user.

    System policy: AliyunOSSFullAccess (read and write permissions on OSS)

    Custom policy: Supported. For more information about how to create a custom policy and attach the custom policy to a RAM user, see the following sections.

  • MNS (required: no)

    Description: To use MNS to subscribe to task information, you must grant the read and write permissions on MNS to the RAM user.

    System policy: AliyunMNSFullAccess (read and write permissions on MNS)

  • Alibaba Cloud CDN (required: no)

    Description: To use Alibaba Cloud CDN to accelerate content delivery, you must grant the read and write permissions on Alibaba Cloud CDN to the RAM user.

    System policy: AliyunCDNFullAccess (read and write permissions on Alibaba Cloud CDN)

Create a custom policy

  1. Log on to the RAM console with your Alibaba Cloud account.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy. On the Create Policy page, click the JSON tab.

  4. Enter the policy document in the code editor and click Next to edit policy information. Configure the basic policy information and click OK.

    Policy document: You can import system policies or paste the code of the policy templates that are described in the following sections in the code editor.

Sample custom policy for restricting the IP addresses from which and the time periods within which the RAM user is allowed to access MPS

  • The RAM user can access MPS only from 192.0.2.0/24 and 203.0.113.2.

  • The RAM user can access MPS only before 17:00 on August 12, 2019 (UTC+8).

The Allow statement uses the IpAddress condition operator, so the permissions apply only to requests that originate from the listed addresses. The NotIpAddress operator would have the opposite effect and allow access from every address except the listed ones.

{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "mts:*",
      "mts-inner:*"
    ],
    "Resource": "*",
    "Condition": {
      "IpAddress": {
        "acs:SourceIp": [
          "192.0.2.0/24",
          "203.0.113.2"
        ]
      },
      "DateLessThan": {
        "acs:CurrentTime": "2019-08-12T17:00:00+08:00"
      }
    }
  }]
}

Sample custom policy for OSS

  • Grant the RAM user the permissions to perform all operations on the specified input and output buckets.

  • Grant the RAM user the permissions to view the buckets.

{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "oss:ListBuckets"
    ],
    "Resource": "*"
  }, {
    "Effect": "Allow",
    "Action": [
      "oss:*"
    ],
    "Resource": [
      "acs:oss:*:*:$InputBucket",
      "acs:oss:*:*:$InputBucket/*",
      "acs:oss:*:*:$OutputBucket",
      "acs:oss:*:*:$OutputBucket/*"
    ]
  }]
}

Parameter description

  • oss:ListBuckets

    The oss:ListBuckets permission is required for a RAM user to perform operations on OSS by using visualization tools. After the permission is granted, the RAM user can query all buckets but can manage only the input and output buckets that are specified in the policy. The oss:ListBuckets permission can be granted only for all buckets (Resource "*"), not for individual buckets.

  • oss:*

    All permissions on OSS. You can also replace "oss:*" with the following specific permissions based on your business requirements:

    "oss:GetObject",
    "oss:PutObject",
    "oss:GetObjectAcl",
    "oss:PutObjectAcl",
    "oss:AbortMultipartUpload",
    "oss:ListParts",
    "oss:RestoreObject",
    "oss:GetVodPlaylist",
    "oss:PostVodPlaylist",
    "oss:PublishRtmpStream",
    "oss:ListObjectVersions",
    "oss:GetObjectVersion",
    "oss:GetObjectVersionAcl",
    "oss:RestoreObjectVersion"

  • $InputBucket

    The bucket that stores the input file.

  • $OutputBucket

    The bucket that stores the output file.

For more information, see Examples.
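The following evaluator is an added illustration, not code from this page or from Alibaba Cloud. It loads constructed copies of the IP/time-restricted MPS policy and the OSS policy above (with "mps-in" and "mps-out" standing in for $InputBucket and $OutputBucket) and assumes a request context that supplies acs:SourceIp and acs:CurrentTime, showing how the IpAddress and DateLessThan conditions and the bucket-scoped Resource values reject requests outside the intended addresses, time window and buckets.

```python
import ipaddress
import json
from datetime import datetime
from fnmatch import fnmatchcase
# Constructed samples: the page's IP/time-restricted MPS policy (keyed on IpAddress, so only the
# listed addresses are allowed) and its OSS policy, with "mps-in"/"mps-out" for $InputBucket/$OutputBucket.
MPS_POLICY = json.loads('''{"Version": "1", "Statement": [{
  "Effect": "Allow", "Action": ["mts:*", "mts-inner:*"], "Resource": "*",
  "Condition": {
    "IpAddress": {"acs:SourceIp": ["192.0.2.0/24", "203.0.113.2"]},
    "DateLessThan": {"acs:CurrentTime": "2019-08-12T17:00:00+08:00"}}}]}''')
OSS_POLICY = json.loads('''{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": ["oss:ListBuckets"], "Resource": "*"},
  {"Effect": "Allow", "Action": ["oss:*"], "Resource": [
    "acs:oss:*:*:mps-in", "acs:oss:*:*:mps-in/*",
    "acs:oss:*:*:mps-out", "acs:oss:*:*:mps-out/*"]}]}''')

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_holds(cond, ctx):
    """Evaluate the condition operators the page's samples use; unknown operators fail closed."""
    for op, keys in cond.items():
        for key, wanted in keys.items():
            if op in ("IpAddress", "NotIpAddress"):
                ip = ipaddress.ip_address(ctx[key])
                hit = any(ip in ipaddress.ip_network(n, strict=False) for n in _as_list(wanted))
                if hit != (op == "IpAddress"):
                    return False
            elif op == "DateLessThan":
                if not datetime.fromisoformat(ctx[key]) < datetime.fromisoformat(wanted):
                    return False
            else:
                return False  # never grant on a condition this evaluator does not understand
    return True

def is_allowed(policy, action, resource, ctx):
    """RAM semantics: an explicit Deny wins, any matching Allow grants, otherwise deny by default."""
    verdict = False
    for st in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        verdict = True
    return verdict
```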

Sample custom policy for RAM

Grant the RAM user the permissions to query policies attached to RAM roles.

{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ram:ListPoliciesForRole"
    ],
    "Resource": "*"
  }]
}

Sample custom policy for MNS

  • Grant the RAM user the permissions to query queues and topics.

  • Grant the RAM user the permissions to perform all read and write operations on the specified queues and topics.

{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "mns:ListQueue",
      "mns:ListTopic",
      "mns:GetQueueAttributes",
      "mns:GetTopicAttributes"
    ],
    "Resource": "acs:mns:*:*:*"
  }, {
    "Effect": "Allow",
    "Action": "mns:*",
    "Resource": [
      "acs:mns:$Region:$Uid:/queues/$QueueName",
      "acs:mns:$Region:$Uid:/topics/$TopicName"
    ]
  }]
}

Parameter description

  • $QueueName

    The name of the MNS queue to be associated with an MPS queue or a workflow.

  • $TopicName

    The name of the MNS topic to be associated with an MPS queue or a workflow.

For more examples, see Permission policies and examples.

Sample custom policy for Alibaba Cloud CDN

  • Grant the RAM user the permissions to query all CDN-accelerated domain names.

  • Grant the RAM user the permissions to perform all read and write operations on the specified CDN-accelerated domain names.

{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Action": "cdn:*",
    "Resource": "acs:cdn:*:$Uid:domain/$DomainName"
  }, {
    "Effect": "Allow",
    "Action": "cdn:Describe*",
    "Resource": "*"
  }]
}

Parameter description

  • $DomainName

    The CDN-accelerated domain name.

What to do next

After you create a RAM user and grant permissions to the RAM user, you can use the RAM user to log on to the Alibaba Cloud Management Console. For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.