All Products
Search
Document Center

ApsaraVideo VOD:Custom policies

Last Updated:Jun 08, 2026

When system policies don't meet your needs, create custom policies to enforce least privilege and achieve fine-grained permission control.

Before you begin

Sample custom policies

Deny uploads to OSS buckets with a public ACL

This policy denies all upload operations on OSS objects when the Access Control List (ACL) is set to public-read or public-read-write, preventing accidental public exposure of VOD media assets.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:PostObject",
        "oss:CopyObject",
        "oss:AppendObject",
        "oss:InitiateMultipartUpload",
        "oss:MultipartUpload",
        "oss:UploadPart",
        "oss:UploadPartCopy",
        "oss:PutObjectAcl",
        "oss:PutObject"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "oss:x-oss-object-acl": ["public-read-write", "public-read"]
        }
      }
    }
  ]
}

Restrict playback operations to a specific IP address

This policy allows four playback API operations only for requests from the IP address 192.168.XX.XX. Requests from any other IP are denied.

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "vod:GetPlayInfo",
                "vod:GetVideoPlayAuth",
                "vod:GetVideoPlayInfo",
                "vod:GetVideoInfo"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Condition":
             {
                "IpAddress":
                 {
                    "acs:SourceIp": "192.168.XX.XX"
                  }
              }
        }
    ]
}

Grant permissions for media review

This policy grants access to all media review API operations, including IP allowlist management, manual audit submission, AI-based audit jobs, and audit result retrieval.

Note

Update the Action list whenever a new API operation is added to this group to maintain complete permissions.

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "vod:SetAuditSecurityIp",
                "vod:ListAuditSecurityIp",
                "vod:CreateAudit",
                "vod:GetAuditHistory",
                "vod:SubmitAIMediaAuditJob",
                "vod:GetAIMediaAuditJob",
                "vod:GetMediaAuditResult",
                "vod:GetMediaAuditResultDetail",
                "vod:GetMediaAuditResultTimeline"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Grant permissions for online editing

This policy grants access to all online editing API operations, covering project creation, update, deletion, retrieval, search, material management, and video production.

Note

Update the Action list whenever a new API operation is added to this group to maintain complete permissions.

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "vod:ProduceEditingProjectVideo",
                "vod:AddEditingProject",
                "vod:UpdateEditingProject",
                "vod:DeleteEditingProject",
                "vod:GetEditingProject",
                "vod:SearchEditingProject",
                "vod:SetEditingProjectMaterials",
                "vod:GetEditingProjectMaterials"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}