Setting up a subaccount and its authorization takes four steps: Create a subaccount > Create a role > Set the role permissions > Associate the subaccount with the role.
Create a subaccount.
Log on to the RAM console, and click Users.
Note: Select Automatically generate an Access key for this user, and properly store the AccessKey. The AccessKey of the subaccount will be used to obtain the token of STS.
Create a role.
Log on to the RAM console and click Roles.
Select a role.
Select User Role.
Select an Alibaba Cloud account.
Select Current Alibaba Cloud Account. Trusted Alibaba Cloud Account ID is set to your current Alibaba Cloud account ID by default, which does not need to be specified. Click Next.
Enter the Role Name.
Enter the role name as required. teststs is used in the following figure.
Obtain the role Arn parameter.
Click the created role to go to the Role Details page. Record the Arn parameter.
Set the role authorization.
Role Authorization Policies of the created role.
Edit Authorization Policy.
Note: To adjust the STS permissions of the subaccount (for example, to modify, add, or delete a permission), return to this step.
For convenience, the following section uses the full access authorization of OSS as an example.
You can create an authorization policy in Custom Authorization Policy and add this policy in Edit Authorization Policy to grant the minimum permission required by the upload SDK. The full policy content is as follows:
Associate the subaccount with the role.
To associate the subaccount with the role, create a Custom Authorization Policy for the role and grant the Custom Authorization Policy to the subaccount.
Custom Authorization Policy for the role.
Log on to the RAM console, and click Policies > Create Authorization Policy.
Select a template.
Enter the keyword STS in the text box of All Templates. Select the template for AliyunSTSAssumeRoleAccess and go to the next step.
Edit the authorization content.
Enter the authorization policy name as required, and set the Resource field in Policy Content to the Arn parameter acs:ram::1351140512345678:role/teststs of the role obtained in the preceding steps.
custom authorization policy to the subaccount.
Log on to the RAM console, and click Users to Authorize.
Click Authorize to edit your authorization policy. You can set search criteria to search for authorization policies. For example, enter test, the created
After the preceding settings, the subaccount has the role permissions. You can use a temporary token of STS to access and upload video files.
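The Resource edit in the "Edit the authorization content" step is what limits the subaccount to one role. The following check is an added example, not part of the original documentation: it lints a policy document and reports any sts:AssumeRole grant that is not scoped to the expected role Arn. The function names and sample policies are constructed, and the unedited template is assumed to use Resource "*".

```python
import json
import re

# Role Arn shape as shown on this page: acs:ram::<account-id>:role/<role-name>
ROLE_ARN = re.compile(r"^acs:ram::\d+:role/[^/*\s]+$")

def as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def lint_assume_role_policy(policy_text, expected_arn):
    """Return findings; an empty list means the policy only allows
    assuming expected_arn."""
    findings = []
    grants_expected = False
    policy = json.loads(policy_text)
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        for res in as_list(stmt.get("Resource", [])):
            if res == expected_arn:
                grants_expected = True
            elif "*" in res:
                findings.append(f"statement {i}: wildcard Resource {res!r}")
            elif not ROLE_ARN.match(res):
                findings.append(f"statement {i}: {res!r} is not a role Arn")
            else:
                findings.append(f"statement {i}: unexpected role {res!r}")
    if not grants_expected:
        findings.append(f"no Allow statement for {expected_arn}")
    return findings

# Constructed sample policies. TEMPLATE stands in for the unedited template
# (assumption: Resource is "*"); SCOPED is the edited policy from this page.
ARN = "acs:ram::1351140512345678:role/teststs"
TEMPLATE = json.dumps({"Version": "1", "Statement": [
    {"Action": "sts:AssumeRole", "Effect": "Allow", "Resource": "*"}]})
SCOPED = json.dumps({"Version": "1", "Statement": [
    {"Action": "sts:AssumeRole", "Effect": "Allow", "Resource": ARN}]})

if __name__ == "__main__":
    for name, text in (("template", TEMPLATE), ("scoped", SCOPED)):
        print(name, lint_assume_role_policy(text, ARN) or "OK")
```
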