You can use ApsaraVideo Media Processing (MPS) as a RAM user to prevent security risks caused by AccessKey pair or password leaks. To allow a RAM user to use MPS, you must authorize the RAM user to access MPS, Object Storage Service (OSS), RAM, Alibaba Cloud CDN, and Message Service (MNS). This topic describes how to create a RAM user and authorize the RAM user to use MPS.

Create a RAM user

For more information about how to create a RAM user, see Create a RAM user.

Grant permissions to a RAM user

Note If a RAM user does not have the permissions to use MPS, the "User not authorized to operate on the specified resource" error message is returned when the RAM user performs an operation on MPS. In this case, check whether the RAM user has all the permissions required to use MPS. If not, perform the operations described in the following section to grant the permissions to the RAM user.
  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, configure the following parameters.
    1. Authorization scope: You can select Alibaba Cloud Account or Specific Resource Group.
      • Alibaba Cloud Account: The permissions granted to the RAM user take effect on resources within the current Alibaba Cloud account.
      • Specific Resource Group: The permissions granted to the RAM user take effect only on resources in the specified resource group.
    2. Select Policy: You can select System Policy or Custom Policy. Enter a policy name in the search box to search for the policy that you want to attach to the RAM user. Then, click the policy name to add the policy to the Selected section.
      Note You can refine permission management by using custom policies. After you create custom policies, you can select the custom policies in this step to attach the custom policies to the RAM user. For more information, see Create custom policies.
      • If you use system policies, add the system policies described in the following table.
      • If you use custom policies, create custom policies first based on the description in the "Create custom policies" section in this topic and then add the custom policies.
      The following list shows, for each service, whether it is required, the permissions to grant, the system policy to attach, and whether a custom policy is supported.
      • MPS (required): To allow a RAM user to use MPS, you must grant full permissions on MPS to the RAM user. System policy: AliyunMTSFullAccess. Custom policy: not supported.
      • OSS (required): To allow a RAM user to use MPS, you must grant the read and write permissions on OSS to the RAM user. System policy: AliyunOSSFullAccess. Custom policy: supported. For more information, see the "Create custom policies" section in this topic.
      • RAM (required): To allow a RAM user to use MPS, you must grant read-only permissions on RAM to the RAM user. System policy: AliyunRAMReadOnlyAccess. Custom policy: supported. For more information, see the "Create custom policies" section in this topic.
      • MNS (not required): To allow a RAM user to use MPS, you must grant permissions on MNS to the RAM user. System policy: AliyunMNSFullAccess. Custom policy: supported. For more information, see the "Create custom policies" section in this topic.
      • Alibaba Cloud CDN (not required): To allow a RAM user to use MPS, you must grant permissions on Alibaba Cloud CDN to the RAM user. System policy: AliyunCDNFullAccess. Custom policy: supported. For more information, see the "Create custom policies" section in this topic.
    3. Click OK.
    4. Click Complete.

Create custom policies

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy. On the Create Policy page, click the JSON tab.
  4. Enter the policy document in the code editor and click Next to edit policy information. Configure basic policy information and click OK to create a custom policy.
    • Policy document: You can import system policies or paste the policy templates described in the following sections into the code editor.
    Note For more information about how to configure a custom policy, see the following policy templates for OSS, Alibaba Cloud CDN, and MNS.

Policy template for OSS

Policy description
  • The permissions to perform all operations on the specified input and output buckets.
  • The permission to view the list of buckets.
Policy template
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:*"
      ],
      "Resource": [
        "acs:oss:*:*:$InputBucket",
        "acs:oss:*:*:$InputBucket/*",
        "acs:oss:*:*:$OutputBucket",
        "acs:oss:*:*:$OutputBucket/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "oss:ListBuckets"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Parameter description
  • $InputBucket: The input bucket of MPS. Replace the variable with the name of the bucket to be used as the input bucket in the specified workflow.
  • $OutputBucket: The output bucket of MPS. Replace the variable with the name of the bucket to be used as the output bucket in the specified workflow.
  • oss:ListBuckets: The oss:ListBuckets permission is required for a RAM user to perform operations on OSS by using visualization tools. After the permission is granted, the RAM user can query the list of all buckets, but can manage only the input and output buckets specified in the policy. The oss:ListBuckets permission can only be granted on all buckets (Resource "*"), not on a specific bucket.

Policy template for MNS

Policy description
  • The permissions to perform all operations on the specified queues and topics.
  • The permissions to query queues and topics.
Policy template
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "mns:*"
      ],
      "Resource": [
        "acs:mns:$Region:$Uid:/queues/$QueueName",
        "acs:mns:$Region:$Uid:/topics/$TopicName"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "mns:Get*",
        "mns:List*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Parameter description
  • $QueueName: The name of the MNS queue. Replace the variable with the name of the queue to be used as a notification destination in the specified workflow.
  • $TopicName: The name of the MNS topic. Replace the variable with the name of the topic to be used as a notification destination in the specified workflow.

Policy template for Alibaba Cloud CDN

Policy description
  • The permissions to perform all operations on the specified domain name for CDN.
  • The permission to query domain names for CDN.
Policy template
{
  "Version": "1",
  "Statement": [
    {
      "Action": "cdn:*",
      "Resource": [
        "acs:cdn:*:$Uid:domain/$DomainName"
      ],
      "Effect": "Allow"
    },
    {
      "Action": "cdn:Describe*",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Parameter description
  • $DomainName: The domain name for CDN. Replace the variable with the domain name for CDN used in the specified workflow.

Policy template for RAM

Policy description

The permission to query policies attached to RAM roles.

Policy template
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ram:ListPoliciesForRole"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

What to do next

After you create a RAM user and grant permissions to the RAM user, you can use the RAM user to log on to the Alibaba Cloud Management Console. For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.