Security Token Service (STS) can be used to grant temporary access permissions to
prevent security risks caused by leaks of RAM user passwords. This topic describes
how to create RAM users and RAM roles, and how to use STS to grant temporary access
permissions.
Background information
Permissions granted to RAM users can be used indefinitely, which may lead to security
risks. For security purposes, we recommend that you generate STS temporary AccessKey
pairs with custom validity periods, and attach complex policies to grant only the
minimum permissions to RAM users.
Create a RAM user
Note
- We recommend that you set Logon Name to vod in Step 5. In this topic, vod is used as an example.
- We recommend that you set Access Mode to OpenAPI Access in Step 6.
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Users page, click Create User.
- In the User Account Information section of the Create User page, configure the Logon Name and Display Name parameters.
Note You can click Add User to create multiple RAM users at a time.
- In the Access Mode section, select an access mode.
- Console Access: If you select this option, you must complete the logon security settings. These
settings specify whether to use a system-generated or custom logon password, whether
the password must be reset upon the next logon, and whether to enable multi-factor
authentication (MFA).
Note If you select Custom Logon Password in the Console Password section, you must specify
a password. The password must meet the complexity requirements. For more information
about the complexity requirements, see
Configure a password policy for RAM users.
- OpenAPI Access: If you select this option, an AccessKey pair is automatically created for the RAM
user. The RAM user can call API operations or use other development tools to access
Alibaba Cloud resources.
Note To ensure the security of the Alibaba Cloud account, we recommend that you select
only one access mode for the RAM user. This prevents the RAM user from using an AccessKey
pair to access Alibaba Cloud resources after the RAM user leaves the organization.
- Click OK.
Important After you click OK, the system generates the logon password and the Accesskey pair of the RAM user.
Keep the logon password and AccessKey pair secure.
Grant permissions to the RAM user
- Log on to the RAM console and choose Identities > Users. On the page that appears, find the RAM user that you created (vod) and click Add Permissions in the Actions column.
- In the Add Permissions panel, grant permissions to the RAM user.
Note Attach the AliyunSTSAssumeRoleAccess policy, which allows users to call the AssumeRole operation of STS, to the vod user. You can enter AliyunSTSAssumeRoleAccess
in the search box to search for the system policy.

- Select the authorization scope.
- Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
- Specific Resource Group: The authorization takes effect in a specific resource group.
Note If you select Specific Resource Group for Authorized Scope, make sure that the required
cloud service supports resource groups.
For more information, see Services that work with Resource Group.
- Specify the principal.
The principal is the RAM user to which permissions are to be granted.
- Select policies.
Note You can attach a maximum of five policies to a RAM user at a time. If you want to
attach more than five policies to a RAM user, perform the operation multiple times.
- Click OK.
- Click Complete.
Create a RAM role
Note We recommend that you set Role Name that is mentioned in Step 6 to voderole. In this topic, voderole is used as an example.
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, click RAM Roles.
- On the RAM Roles page, click Create RAM Role.
- In the Create RAM Role pane, set the Trusted Entity Type parameter to Alibaba Cloud Account, and then click Next.
- Specify the RAM Role Name and Note parameters.
- Select Current Alibaba Cloud Account in the Select Trusted Alibaba Cloud Account field and click OK.
Note If you select Other Alibaba Cloud Account, you must enter the ID of the Alibaba Cloud account.
Grant permissions to the RAM role
- Log on to the RAM console and choose Identities > Role. On the page that appears, find the RAM role that you created (voderole) and click Add Permissions in the Actions column.
- In the Add Permissions panel, grant permissions to the RAM role.
Note
- To reduce security risks, we recommend that you grant only the minimum required permissions
to RAM roles.
- If you want voderole to access and manage ApsaraVideo VOD resources, we recommend that you attach the
AliyunVODFullAccess policy, which allow users to manage and operate all ApsaraVideo VOD resources, to
the voderole role. You can enter
AliyunVODFullAccess
in the search box to search for the system policy. For more information about definitions
and permissions of system policies in ApsaraVideo VOD, see Overview.

- Select the authorization scope.
- Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
- Specific Resource Group: The authorization takes effect in a specific resource group.
Note If you select Specific Resource Group for Authorized Scope, make sure that the required
cloud service supports resource groups.
For more information, see Services that work with Resource Group.
- Specify the principal.
The principal is the RAM role to which permissions are granted. By default, the current
RAM role is specified. You can also specify a different RAM role.
- Select policies.
Note You can attach a maximum of five policies to a RAM user at a time. If you want to
attach more than five policies to a RAM user, perform the operation multiple times.
After permissions are granted, a record is generated.

Access ApsaraVideo VOD by using STS
Note This topic describes only how to assume a RAM role to obtain an STS token and use
the token to access ApsaraVideo VOD resources by calling an API operation. For more
information about how to assume a RAM role to access ApsaraVideo VOD resources by
using the console, see
Use the Alibaba Cloud Management Console.
To skip the signature process, we recommend that you integrate STS SDK and call the
AssumeRole operation to obtain a temporary STS token. See the following topics for sample code
for different programming languages: