Intelligent Media Management:Configure a service role for a project

Last Updated:Jun 21, 2026

When you create an Intelligent Media Management (IMM) project, you must assign a service role to the project. This allows the IMM service to assume the role and access your other authorized cloud resources, such as Object Storage Service (OSS). This topic describes how to configure a service role and grant permissions.

Warning

When you create a service role, create a project, or change a project's service role, you must possess all the permissions assigned to that role. Otherwise, the operation will fail. Proceed with caution.

Create and authorize a service role

Authorize the default service role

  1. On the Create Project page, expand the Service Role drop-down list. The first time you create a project, the status of AliyunIMMDefaultRole (the default role) is "Not Authorized". Click Authorize.

  2. On the Cloud Resource Access Authorization page, review the information for the default authorization role AliyunIMMDefaultRole, and then click Confirm Authorization.

After the service role is created, you can configure fine-grained permissions in the RAM console.

This role is associated with the AliyunIMMRolePolicy system policy.

Warning

Note that AliyunIMMDefaultRole grants broad OSS permissions that are not limited to a single bucket. Any RAM user in your Alibaba Cloud account that holds IMM permissions such as CreateProject / UpdateProject can assign AliyunIMMDefaultRole to a project and then use the metadata indexing feature to list or analyze every OSS file the role can reach, even if that user has no OSS permissions of their own. To control this access more precisely, create a custom service role whose policy is scoped to the buckets the project actually needs.

Create a custom service role

You can create and authorize a custom service role in the RAM console. For detailed instructions, see Create a service-linked role.

  1. For principal type, select Alibaba Cloud Service.

  2. Enter a role name, and select a role type and a Trusted Service. For role type, select Normal Service Role. For Trusted Service, select Intelligent Media Management.

    In this example, the role name is TestIMMRoleOSSMyBucketAccess, and the Description is Allow access to a specific bucket.

  3. Click OK to create the custom service role.

    After the role is created, a success message appears, prompting you to add permissions. You can click Authorize or Precise authorization to grant permissions to the role, or click Close to return to the role list.

  4. A new RAM role has no permissions by default. You must grant the necessary permissions for your use case, including at least those for OSS and Message Service (MNS).

    Create a custom policy in the RAM console using the JSON editor.

    The following policy grants permissions only on the OSS bucket named "my-bucket". Bucket-level actions (for example oss:PutBucketLifecycle, oss:PutBucketNotification and listing objects) apply to the bucket resource acs:oss:*:*:my-bucket, while object-level actions (oss:PutObject, oss:CopyObject and so on) apply to acs:oss:*:*:my-bucket/*, so both resources are listed; granting only the /* resource would leave the bucket-level calls unauthorized. When using this policy, replace "my-bucket" with your bucket name.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "oss:Get*",
                    "oss:List*",
                    "oss:PutBucketLifecycle",
                    "oss:PutBucketNotification",
                    "oss:DeleteBucketNotification",
                    "oss:PutBucketAcl",
                    "oss:PutObjectAcl",
                    "oss:CopyObject",
                    "oss:AppendObject",
                    "oss:PutSymlink",
                    "oss:PutObject",
                    "oss:StartEventRecord",
                    "oss:StopEventRecord",
                    "oss:GetEventRecordStatus"
                ],
                "Resource": [
                    "acs:oss:*:*:my-bucket",
                    "acs:oss:*:*:my-bucket/*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": "mns:*",
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": "ram:PassRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "acs:Service": "imm.aliyuncs.com"
                    }
                }
            }
        ]
    }
  5. Attach the policy that you created to the service role. For details, see Manage permissions for a RAM role.

    Once authorized, the attached custom policy (for example, TestIMMPolicyO...) appears on the Permissions tab of the role details page. The resource scope is account-level.
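As an added example (not code from this page, from IMM, or from Alibaba Cloud), the following Python script builds the two policy documents behind steps 2 to 5, the trust policy that lets only imm.aliyuncs.com assume the role and the bucket-scoped permission policy, and lints the permission policy for the scoping mistakes a reviewer looks for: wildcard OSS actions, OSS resources not pinned to one bucket, and bucket-level actions granted without the bucket ARN. The action list, trusted service and ARN format follow the page; the set of representative bucket-level actions, the finding strings and the function names are this script's own assumptions.

```python
"""Build and lint a least-privilege policy pair for an IMM service role (added example)."""
import fnmatch
import json

IMM_SERVICE = "imm.aliyuncs.com"  # trusted service, as on the page

# Assumed representative OSS actions that operate on the bucket itself rather than
# on an object key; granting them requires the bucket ARN (no trailing "/*").
BUCKET_LEVEL_ACTIONS = (
    "oss:ListObjects", "oss:GetBucketAcl", "oss:PutBucketAcl",
    "oss:PutBucketLifecycle", "oss:PutBucketNotification",
    "oss:DeleteBucketNotification", "oss:StartEventRecord",
    "oss:StopEventRecord", "oss:GetEventRecordStatus",
)

# The OSS actions the page grants in its bucket-scoped policy.
OSS_ACTIONS = [
    "oss:Get*", "oss:List*", "oss:PutBucketLifecycle", "oss:PutBucketNotification",
    "oss:DeleteBucketNotification", "oss:PutBucketAcl", "oss:PutObjectAcl",
    "oss:CopyObject", "oss:AppendObject", "oss:PutSymlink", "oss:PutObject",
    "oss:StartEventRecord", "oss:StopEventRecord", "oss:GetEventRecordStatus",
]


def trust_policy(service=IMM_SERVICE):
    """Trust policy: only the named Alibaba Cloud service may assume the role."""
    return {
        "Version": "1",
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": [service]},
        }],
    }


def permission_policy(bucket, include_bucket_arn=True):
    """Permission policy scoped to one bucket. include_bucket_arn=False reproduces
    the common mistake of listing only bucket/* (object-level) as the resource."""
    resources = [f"acs:oss:*:*:{bucket}/*"]
    if include_bucket_arn:
        resources.insert(0, f"acs:oss:*:*:{bucket}")
    return {
        "Version": "1",
        "Statement": [
            {"Action": OSS_ACTIONS, "Resource": resources, "Effect": "Allow"},
            {"Action": "mns:*", "Resource": "*", "Effect": "Allow"},
            {"Action": "ram:PassRole", "Resource": "*", "Effect": "Allow",
             "Condition": {"StringEquals": {"acs:Service": IMM_SERVICE}}},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _bucket_part(resource):
    # "acs:oss:*:*:my-bucket/*" -> "my-bucket"; "*" -> "*"
    return resource.split(":")[-1].split("/")[0]


def lint_policy(policy):
    """Return findings for Allow statements whose OSS grants are broader than one
    bucket or that grant bucket-level actions without the bucket ARN."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        oss_actions = [a for a in _as_list(st["Action"]) if a == "*" or a.startswith("oss:")]
        if not oss_actions:
            continue
        resources = _as_list(st["Resource"])
        if any(a in ("*", "oss:*") for a in oss_actions):
            findings.append(f"statement {i}: wildcard OSS action")
        if any(_bucket_part(r) == "*" for r in resources):
            findings.append(f"statement {i}: OSS resource is not scoped to a bucket")
        # "*" already covers the bucket; otherwise we need an ARN without "/".
        has_bucket_arn = any(
            r == "*" or (r.startswith("acs:oss:") and "/" not in r.split(":")[-1])
            for r in resources
        )
        needs_bucket_arn = any(
            fnmatch.fnmatchcase(b, a) for a in oss_actions for b in BUCKET_LEVEL_ACTIONS
        )
        if needs_bucket_arn and not has_bucket_arn:
            findings.append(f"statement {i}: bucket-level OSS action granted but no bucket ARN (without /*)")
    return findings


if __name__ == "__main__":
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(permission_policy("my-bucket"), indent=2))
    print("findings:", lint_policy(permission_policy("my-bucket", include_bucket_arn=False)))
```

The two JSON documents the script prints are what you would pass as AssumeRolePolicyDocument to the RAM CreateRole operation and as PolicyDocument to CreatePolicy, before attaching the result with AttachPolicyToRole (for example through the aliyun CLI); running the linter over an existing role's policy before attaching it catches the "object ARN only" variant, which fails on bucket-level calls, and the "Resource": "*" variant, which reintroduces the account-wide access the default role is warned about above.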

Use the service role

After the service role is created, return to the Create Project page, click the refresh icon next to the Service Role field, select the new role (in this example, TestIMMRoleOSSMyBucketAccess) from the Service Role drop-down list, and click OK to create the project.

(Optional) Modify service role permissions

You can modify the permissions of the service role in the RAM console. For details, see Manage permissions for a RAM role.

When modifying the service role's permissions, ensure it includes the minimum required permissions for OSS and MNS for your use case. Otherwise, API calls may fail.