
Overview

Last Updated: Aug 31, 2018

Account permission authentication

You can use the RESTful APIs or SDKs that are provided by VoD to access VoD. The SDKs include the interface SDK, upload SDK, player SDK, and short video SDK. For every request initiated, VoD authenticates the identity of the user for the current operation. That is, VoD checks whether the account has the permissions the operation requires. User authentication requires an AccessKey.

AccessKey

An AccessKey (AK) refers to an AccessKeyId and AccessKeySecret pair used in access identity authentication. VoD authenticates the identity of a request sender by using the AccessKeyId/AccessKeySecret symmetric encryption method. The AccessKeyId identifies a user. The user uses the AccessKeySecret to encrypt (sign) the signature string of a request, and VoD uses the same secret to verify that signature and thereby the AccessKey of the sender. The AccessKeySecret must be kept confidential.
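The signing and verification steps described above, as an added example written for this page (not code from the VoD SDK): it follows the HMAC-SHA1 request signature of Alibaba Cloud's RPC-style APIs (canonicalized query string, secret suffixed with `&`, Base64 digest), and the verifying side recomputes the signature from its own copy of the secret and compares in constant time. The AccessKey pair, request parameters and secret lookup are constructed.

```python
"""Request signing with an AccessKeyId/AccessKeySecret pair.

Added example for this page (not code from the VoD SDK). It follows the
HMAC-SHA1 signing scheme used by Alibaba Cloud RPC-style APIs; all values
used here (key IDs, secrets, parameters) are constructed for illustration.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote


def percent_encode(value: str) -> str:
    """RFC 3986 encoding as the RPC signature requires: '~' stays, space -> %20."""
    return quote(str(value), safe="~")


def string_to_sign(method: str, params: dict) -> str:
    """Canonicalize: sort by key, encode k=v, join with '&', then wrap once more."""
    canonical = "&".join(
        f"{percent_encode(k)}={percent_encode(v)}" for k, v in sorted(params.items())
    )
    return f"{method}&{percent_encode('/')}&{percent_encode(canonical)}"


def sign(method: str, params: dict, access_key_secret: str) -> str:
    """Signature = Base64(HMAC-SHA1(AccessKeySecret + '&', StringToSign))."""
    key = (access_key_secret + "&").encode()
    mac = hmac.new(key, string_to_sign(method, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def signed_request(method: str, params: dict, access_key_id: str,
                   access_key_secret: str) -> dict:
    """Client side: the public AccessKeyId travels with the request, the secret never does."""
    req = dict(params, AccessKeyId=access_key_id,
               SignatureMethod="HMAC-SHA1", SignatureVersion="1.0")
    req["Signature"] = sign(method, req, access_key_secret)
    return req


def verify(method: str, req: dict, secret_lookup) -> bool:
    """Server side: look up the secret by AccessKeyId, recompute, compare in constant time.

    secret_lookup(access_key_id) returns the AccessKeySecret or None for an
    unknown or disabled key; any disabled key is therefore rejected here.
    """
    secret = secret_lookup(req.get("AccessKeyId"))
    if secret is None or "Signature" not in req:
        return False
    unsigned = {k: v for k, v in req.items() if k != "Signature"}
    return hmac.compare_digest(sign(method, unsigned, secret), req["Signature"])
```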

Currently, three types of AccessKey are used to access VoD:

Primary account AccessKey

The primary account AccessKey refers to the AccessKey of the VoD service activator, that is, the account registered on the Alibaba Cloud website. The AccessKey of every Alibaba Cloud primary account has full access to all resources owned by the account. Each Alibaba Cloud primary account can have at most five AccessKey pairs (AccessKeyId and AccessKeySecret) at the same time, whether enabled or disabled. You can log on to the AccessKey console to add or delete AccessKey pairs. Every AccessKey pair is either enabled or disabled, and only an enabled AccessKey pair can be used in user authentication.

The primary account AccessKey has full permissions. It is highly risky if it is leaked. Therefore, we recommend that you do not use the primary account AccessKey to access the VoD service.

RAM user AccessKey

Resource Access Management (RAM) is a resource access control service that is provided by Alibaba Cloud. A RAM user AccessKey refers to the AccessKey that is authorized through RAM. This type of AccessKey only allows access to VoD resources according to the rules defined by RAM. RAM enables you to centrally manage your users (such as employees, systems, or applications) and control users’ access to your resources. For example, your users can have only the video play permission. RAM users are subordinate to primary accounts and cannot own any actual resources. All resources belong to primary accounts.

You can log on to the RAM console to create RAM users, obtain AccessKeys, and grant related permissions.

STS temporary AccessKey

Security Token Service (STS) is an Alibaba Cloud service that provides temporary credentials. An STS temporary AccessKey refers to the AccessKey that is issued by the STS and is valid only within a specified time period. This type of AccessKey only allows access to VoD resources according to the rules defined by RAM, and becomes invalid after the specified time.

Comparison between different authentication methods

| Authentication method | Risk | Permissions | Validity period | Applicable scenario |
| --- | --- | --- | --- | --- |
| Primary account AccessKey | Risky | Permissions to manage and operate all VoD resources are granted. | Once enabled, the primary account AccessKey is always valid. | Used by the super administrator. We recommend that you do not use the primary account AccessKey in any program. In particular, do not place this AccessKey on any client. |
| RAM user AccessKey | Risky | Permissions are granted based on the related authorization policy. | Once enabled, the RAM user AccessKey is always valid. | Users are authorized to perform specific operations, such as upload, play, and manage. You can create multiple RAM users. If an AccessKey is leaked, for example, when an employee quits, the AccessKey must be changed. We recommend that you use RAM user AccessKeys on the server. |
| STS temporary AccessKey | Safe | Permissions are granted based on the related authorization policy. | The validity period can be customized. | Used on mobile or Web terminals. You must deploy a server to generate STS temporary AccessKeys, and properly handle STS temporary AccessKeys that have expired and become invalid. |

System policies

VoD provides four system policies to implement convenient and accurate authorization on RAM users or STS accounts.

| Policy | Description | Operation permissions |
| --- | --- | --- |
| AliyunVoDFullAccess | Grants the permissions to manage and operate all VoD resources. | All VoD API operations |
| AliyunVoDReadOnlyAccess | Grants the permissions for read-only access to all VoD resources. | All read-type VoD API operations, such as operations whose names start with Get, Describe, Search, and List |
| AliyunVoDPlayAuth | Grants the permissions to use VoD to play video files, including the permissions to use the player SDK or play-related API operations. | Play API operations: GetPlayInfo, GetVideoPlayAuth, GetVideoInfo |
| AliyunVoDUploadAuth | Grants the VoD upload permissions, including the permissions to use the upload SDK or upload-related API operations. | Upload API operations: CreateUploadVideo, RefreshUploadVideo, CreateUploadImage |
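How the scoped policies above translate into least-privilege authorization for a RAM user or an STS token, as an added example written for this page (not Alibaba Cloud's own policy documents or evaluator): two policy documents in RAM's layout (`Version` "1", `Statement`, `Effect`, `Action`, `Resource`) built from the action names on this page, plus a simplified decision function. Assumptions: the `vod:` action prefix, wildcard matching with `*`, and Deny overriding Allow; conditions and resource ARN formats are left out.

```python
"""Least-privilege RAM policies for VoD and a minimal policy check.

Added example for this page (not Alibaba Cloud code). The document layout
(Version "1", Statement, Effect, Action, Resource) and the "vod:" action
prefix follow RAM; the evaluator is a simplified illustration: default deny,
an explicit Deny overrides Allow, actions match with "*" wildcards, and
Condition blocks are ignored.
"""
from fnmatch import fnmatchcase

# Read-only access along the lines of AliyunVoDReadOnlyAccess: every
# operation whose name starts with Get, Describe, Search or List.
READ_ONLY_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["vod:Get*", "vod:Describe*", "vod:Search*", "vod:List*"],
        "Resource": "*",
    }],
}

# Play-only access along the lines of AliyunVoDPlayAuth: exactly the three
# play API operations the page lists, suitable for a token handed to a player.
PLAY_AUTH_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["vod:GetPlayInfo", "vod:GetVideoPlayAuth", "vod:GetVideoInfo"],
        "Resource": "*",
    }],
}


def _matches(pattern_or_list, value: str) -> bool:
    """Action/Resource may be one string or a list; '*' is a wildcard."""
    patterns = pattern_or_list if isinstance(pattern_or_list, list) else [pattern_or_list]
    return any(fnmatchcase(value, p) for p in patterns)


def is_allowed(policy: dict, action: str, resource: str = "*") -> bool:
    """RAM-style decision: nothing is allowed unless a statement allows it,
    and any matching Deny statement wins regardless of Allow statements."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```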