Alibaba Cloud Resource Access Management (RAM) lets you grant subaccounts the permissions they need to use live broadcast functions in the ApsaraVideo Live console.
One primary account can create multiple subaccounts. By authorizing each subaccount for specific access functions only, you restrict its use of resources and functions and keep management unified. For more information, see What is RAM.
Subaccount permissions mainly cover the use of ApsaraVideo Live and of OSS and CDN resource objects. We recommend that you plan the resource instances of these services for a subaccount, create authorization policies based on the corresponding authorization templates, and then grant the permissions to the subaccount.
RAM restrictions
RAM users cannot own resources and are not billed independently. These users are centrally controlled and billed under your Alibaba Cloud account. You can create separate passwords or keys for each RAM user, but these users do not have any operation permissions by default. RAM provides policy-based authorization so that you can grant fine-grained permissions to RAM users.
You must grant the following permissions to your subaccounts to use ApsaraVideo Live console functions:
- Live (Required): Grants permission to use ApsaraVideo Live through the built-in AliyunLiveFullAccess authorization policy.
- OSS (Required): Grants permission to use the screenshot storage service. This policy can be customized as needed. For more information, see the following content.
Authorization operations
Authorization on ApsaraVideo Live
Grant the built-in AliyunLiveFullAccess authorization policy as follows:
- Log on to the RAM console.
- Click Users.
- Select User Name and click Authorize from the Actions column to grant the AliyunLiveFullAccess permission to the specified subaccount.
MTS service authorization
Grant the AliyunMTSFullAccess authorization policy as follows:
- Log on to the RAM console.
- Click Users.
- Select User Name and click Authorize from the Actions column to grant the AliyunMTSFullAccess permission to the specified subaccount.
Description of custom authorization policy creation
- Log on to the RAM console.
- Click Policies.
- Click Custom Policy.
- Click Create Authorization Policy to create custom authorization policies, based on the following samples, for the specified resource instance, and grant the policies to the specified subaccount.
Note: After the authorization policies are created for the various service resource objects, you can grant the permissions to the corresponding subaccounts.
The following are OSS and CDN authorization policies. You can grant corresponding permissions to subaccounts as needed.
OSS authorization policy
- All operation permissions on specified buckets;
- Permission to view the bucket list;
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:*"
      ],
      "Resource": [
        "acs:oss:*:*:$Bucket",
        "acs:oss:*:*:$Bucket/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "oss:ListBuckets"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Live authorization policy
- All operation permissions on the specified Live CDN domain name;
- Permission to view the Live CDN domain name;
{
  "Version": "1",
  "Statement": [
    {
      "Action": "live:*",
      "Resource": [
        "acs:cdn:*:$Uid:domain/$DomainName"
      ],
      "Effect": "Allow"
    },
    {
      "Action": "live:Describe*",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Description of variables
- $Uid: Alibaba Cloud account ID. You can query it through.
- $Bucket: OSS bucket.
- $DomainName: Live CDN domain name.
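The following added example (not part of the original page or of Alibaba Cloud's tooling) fills in the two policy templates above and reports which actions remain granted on every resource, so you can confirm that full access is confined to the named bucket and domain. The function names, the allowed-character rule and the sample values are assumptions made for illustration.

```python
import json
import re
from string import Template

# Policy templates copied from this page; $Bucket, $Uid, $DomainName are its variables.
OSS_TEMPLATE = """{"Version": "1", "Statement": [
  {"Action": ["oss:*"],
   "Resource": ["acs:oss:*:*:$Bucket", "acs:oss:*:*:$Bucket/*"],
   "Effect": "Allow"},
  {"Action": ["oss:ListBuckets"], "Resource": "*", "Effect": "Allow"}]}"""

LIVE_TEMPLATE = """{"Version": "1", "Statement": [
  {"Action": "live:*",
   "Resource": ["acs:cdn:*:$Uid:domain/$DomainName"],
   "Effect": "Allow"},
  {"Action": "live:Describe*", "Resource": "*", "Effect": "Allow"}]}"""

# Assumption: bucket names, domain names and account IDs need only these characters.
SAFE_VALUE = re.compile(r"[A-Za-z0-9.-]+")

def render_policy(template, **values):
    """Fill in the template variables and return the policy as a dict.

    Raises ValueError for a value such as "*" that would widen the resource
    scope, and KeyError if a variable in the template was not supplied.
    """
    for name, value in values.items():
        if not SAFE_VALUE.fullmatch(value):
            raise ValueError(f"unsafe value for ${name}: {value!r}")
    return json.loads(Template(template).substitute(values))

def as_list(item):
    """Policy fields may be a single string or a list; normalize to a list."""
    return item if isinstance(item, list) else [item]

def account_wide_actions(policy):
    """Return every action an Allow statement grants on Resource "*"."""
    actions = []
    for statement in policy["Statement"]:
        if statement["Effect"] == "Allow" and "*" in as_list(statement["Resource"]):
            actions.extend(as_list(statement["Action"]))
    return actions

if __name__ == "__main__":
    # Constructed sample values, not real resources.
    oss = render_policy(OSS_TEMPLATE, Bucket="live-snapshots")
    live = render_policy(LIVE_TEMPLATE, Uid="1234567890123456", DomainName="live.example.com")
    for policy in (oss, live):
        print(json.dumps(policy, indent=2))
        print("granted on every resource:", account_wide_actions(policy))
```

Paste the rendered JSON into the custom policy editor only after the account-wide list contains nothing beyond the list and describe actions shown in the templates.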