Alibaba Cloud provides Resource Access Management (RAM) and Security Token Service (STS) to help you control access to Intelligent Media Management. You can assign long-term permissions to a RAM user or grant temporary access to an identity. Using RAM and STS improves the flexibility and security of your cloud resource management.
Background information
RAM and STS address the core challenge of securely granting access to your Alibaba Cloud resources without exposing your account AccessKey. A leaked AccessKey for an Alibaba Cloud account poses a major security risk, as it allows unauthorized users to operate all your resources and potentially steal sensitive information.
RAM
Resource Access Management (RAM) is an Alibaba Cloud service that helps you manage user identities and their access permissions to your resources. With RAM, you can create and manage multiple identities under a single Alibaba Cloud account and assign them specific permissions. This lets you control who has access to which resources. For more information, see What is Resource Access Management?.
RAM provides long-term permission control. You can create multiple RAM users and assign each of them only the permissions it needs. This way, even if a RAM user's AccessKey is compromised, the damage is limited to what that user was allowed to do and does not extend to your entire account. A RAM user's credentials are long-term, so you must keep its AccessKey secret and rotate it if you suspect exposure.
STS
With STS, an authorized identity, such as a RAM user or a RAM role, can obtain temporary access credentials. These credentials have a configurable expiration time and a permission set that is no larger than that of the assumed role. For more information, see What is STS?.
Unlike RAM, which provides long-term control, STS provides temporary authorization. With STS, you obtain a temporary AccessKey pair and a security token. You can hand these credentials to temporary users (for example, a client application or a contractor) to access Intelligent Media Management. Permissions granted through STS are typically more restrictive and expire automatically, which significantly reduces the impact if the credentials are leaked.
Configure permissions for a RAM user
For improved data security and fine-grained permission control, use a RAM user rather than the Alibaba Cloud account itself to access Intelligent Media Management.
1. Create a RAM user. For more information, see Create a RAM user.
2. Grant permissions to the RAM user. For more information, see Grant permissions to a RAM user.
   - If the RAM user needs to manage Intelligent Media Management, for example, to create a project, attach the AliyunIMMFullAccess policy.
   - If the RAM user only needs read-only access to Intelligent Media Management, for example, to view projects, attach the AliyunIMMReadOnlyAccess policy.
3. Enable multi-factor authentication (MFA) for the RAM user. For more information, see Bind an MFA device to a RAM user.
Configure permissions for temporary users
1. Create a RAM role and grant permissions.
   a. Create a RAM role that can be assumed by a trusted entity. For more information, see Create a RAM role for a trusted Alibaba Cloud account.
   b. Create a custom policy. For more information, see Create custom policies.
      Note: For more fine-grained control, customize the permissions within the policy. For more information, see Custom policies for Intelligent Media Management.
   c. Grant permissions to the RAM role. For more information, see Grant permissions to a RAM role.
2. Grant temporary access.
   a. Create a custom policy that allows the sts:AssumeRole action on the RAM role created in the previous step. For more information, see Create custom policies.
   b. Authorize the RAM user to assume the role by attaching that policy to the user. For more information, see Grant permissions to a RAM user.
3. Obtain temporary access credentials from STS. The AssumeRole operation returns a temporary AccessKeyId, AccessKeySecret, SecurityToken and the Expiration time after which they stop working. For more information, see AssumeRole.
4. Use the temporary credentials to read and write data.
You can use the temporary credentials with SDKs for various programming languages to access Intelligent Media Management. For the Java SDK, the following example shows how to create an IAcsClient object by passing the AccessKeyId, AccessKeySecret, and SecurityToken obtained from STS. All three values must come from the same AssumeRole response; the client must be rebuilt with fresh credentials before the returned Expiration time.
import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.IAcsClient;
import com.aliyuncs.profile.DefaultProfile;

// stsAccessKeyId, stsAccessKeySecret and stsToken are the Credentials
// fields of the STS AssumeRole response; "cn-shanghai" is the region ID.
DefaultProfile profile = DefaultProfile.getProfile("cn-shanghai", stsAccessKeyId, stsAccessKeySecret, stsToken);
IAcsClient client = new DefaultAcsClient(profile);
Custom RAM policies
You can use a custom RAM policy for fine-grained permission control. The following table describes the main elements of a RAM policy statement.

| Element | Description |
| --- | --- |
| Effect | Specifies whether to allow or deny the action. Valid values: Allow, Deny. If a request matches both an Allow and a Deny statement, Deny takes precedence; a request that matches no statement is denied. |
| Action | The API operation of Intelligent Media Management, in the format imm:OperationName, for example imm:ListProjects. The wildcard character * is supported, as in imm:List*. |
| Resource | Intelligent Media Management currently has only one top-level type of resource, Project, which is in the format acs:imm:region:account-id:project/project-name. The examples below also narrow a statement to a single dataset inside a project by appending /dataset/dataset-name. The wildcard character * is supported in the region and the project name. |
For more information about permission policies, see Create custom policies.
Policy examples
Grant full access
The following policy grants a user full access to all Intelligent Media Management features.
{
"Version": "1",
"Statement": [
{
"Action": "imm:*",
"Resource": "*",
"Effect": "Allow"
}
]
}
Grant access with wildcards
RAM policies support the wildcard character * for batch authorization.
The following sample policy allows a user to call the read operations (List* and Get*) on projects whose names start with imm-test-doc, in all regions of the account.
{
"Statement": [
{
"Effect": "Allow",
"Action": ["imm:List*", "imm:Get*"],
"Resource": "acs:imm:*:150910xxxxxxxxxx:project/imm-test-doc*"
}
],
"Version": "1"
}
Grant specific actions on specific projects
The following policy grants a user the following permissions:
-
Allows calling the ListProjects operation.
-
Allows calling the CreateOfficeConversionTask operation, but only on the imm-test-doc-proj project in the China (Shanghai) region.
-
Allows calling the CreateFigureClusteringTask and CreateFigureClustersMergingTask operations, but only on the imm-test-media-proj project in the China (Shanghai) region.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["imm:ListProjects"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["imm:CreateOfficeConversionTask"],
      "Resource": "acs:imm:cn-shanghai:150910xxxxxxxxxx:project/imm-test-doc-proj"
    },
    {
      "Effect": "Allow",
      "Action": ["imm:CreateFigureClusteringTask", "imm:CreateFigureClustersMergingTask"],
      "Resource": "acs:imm:cn-shanghai:150910xxxxxxxxxx:project/imm-test-media-proj"
    }
  ],
  "Version": "1"
}
Grant specific actions on a specific dataset
The following policy grants a user the following permissions:
-
Allows calling the ListDatasets operation.
-
Allows calling the IndexFileMeta operation, but only on the dataset1 dataset within the imm-test-doc-proj project in the China (Shanghai) region.
-
Allows calling the CreateFigureClusteringTask and CreateFigureClustersMergingTask operations, but only on the dataset1 dataset within the imm-test-media-proj project in the China (Shanghai) region.
{
"Statement": [
{
"Effect": "Allow",
"Action": ["imm:ListDatasets"],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": ["imm:IndexFileMeta"],
"Resource": "acs:imm:cn-shanghai:150910xxxxxxxxxx:project/imm-test-doc-proj/dataset/dataset1"
},
{
"Effect": "Allow",
"Action": ["imm:CreateFigureClusteringTask", "imm:CreateFigureClustersMergingTask"],
"Resource": "acs:imm:cn-shanghai:150910xxxxxxxxxx:project/imm-test-media-proj/dataset/dataset1"
}
],
"Version": "1"
}
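The following script is an added example, not code from the original page, the IMM SDK or Alibaba Cloud. It is an offline evaluator that applies the RAM evaluation rule for Allow and Deny statements (an explicit Deny wins over any Allow; a request that matches no statement is denied) and the * wildcard to two policies copied from this page, so you can check what a policy really grants before attaching it. It also models the "Grant temporary access" step above: when a policy is passed to AssumeRole, the temporary credentials are limited to requests allowed by both the role's policy and that session policy, so a session policy can narrow but never widen what the role allows. The DENY_POLICY, SESSION_POLICY and the request tuples are constructed for illustration, and 150910xxxxxxxxxx is the placeholder account ID the page itself uses.

```python
"""Offline evaluator for Alibaba Cloud RAM policy documents (added example)."""
import json
import re

# Copied from the "Grant access with wildcards" example on this page.
WILDCARD_POLICY = json.loads("""{
  "Statement": [{
    "Effect": "Allow",
    "Action": ["imm:List*", "imm:Get*"],
    "Resource": "acs:imm:*:150910xxxxxxxxxx:project/imm-test-doc*"
  }],
  "Version": "1"
}""")

# Copied from the "Grant specific actions on specific projects" example.
PROJECT_POLICY = json.loads("""{
  "Statement": [
    {"Effect": "Allow", "Action": ["imm:ListProjects"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["imm:CreateOfficeConversionTask"],
     "Resource": "acs:imm:cn-shanghai:150910xxxxxxxxxx:project/imm-test-doc-proj"},
    {"Effect": "Allow",
     "Action": ["imm:CreateFigureClusteringTask", "imm:CreateFigureClustersMergingTask"],
     "Resource": "acs:imm:cn-shanghai:150910xxxxxxxxxx:project/imm-test-media-proj"}
  ],
  "Version": "1"
}""")

# Constructed: a broad Allow plus an explicit Deny on project deletion.
DENY_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "imm:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "imm:DeleteProject", "Resource": "*"},
    ],
}

# Constructed session policy for the AssumeRole Policy parameter: it keeps the
# office-conversion grant and tries to add DeleteProject, which PROJECT_POLICY
# (the role's policy) never allowed.
SESSION_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["imm:CreateOfficeConversionTask", "imm:DeleteProject"],
         "Resource": "acs:imm:cn-shanghai:150910xxxxxxxxxx:project/imm-test-doc-proj"},
    ],
}

DOC_PROJ = "acs:imm:cn-shanghai:150910xxxxxxxxxx:project/imm-test-doc-proj"
MEDIA_PROJ = "acs:imm:cn-shanghai:150910xxxxxxxxxx:project/imm-test-media-proj"


def _as_list(value):
    """Action and Resource accept either one string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """RAM wildcard match: '*' stands for any run of characters, everything
    else is compared literally (case-sensitive in this example)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def evaluate(policy, action, resource):
    """Return 'Allow' or 'Deny' for one request against one policy document."""
    decision = "Deny"  # nothing matched: implicit deny
    for stmt in policy["Statement"]:
        hit_action = any(_matches(p, action) for p in _as_list(stmt["Action"]))
        hit_resource = any(_matches(p, resource) for p in _as_list(stmt["Resource"]))
        if not (hit_action and hit_resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides every Allow
        decision = "Allow"
    return decision


def evaluate_session(role_policy, session_policy, action, resource):
    """Decision for temporary credentials issued by AssumeRole with a session
    policy: the request must pass the role's own policy AND the policy passed
    to AssumeRole, so the session policy can only narrow the role's grants."""
    if evaluate(role_policy, action, resource) != "Allow":
        return "Deny"
    return evaluate(session_policy, action, resource)


if __name__ == "__main__":
    other_region = DOC_PROJ.replace("cn-shanghai", "cn-hangzhou")
    checks = [
        (WILDCARD_POLICY, "imm:ListProjects", "acs:imm:cn-beijing:150910xxxxxxxxxx:project/imm-test-doc-1"),
        (WILDCARD_POLICY, "imm:CreateOfficeConversionTask", "acs:imm:cn-beijing:150910xxxxxxxxxx:project/imm-test-doc-1"),
        (PROJECT_POLICY, "imm:CreateOfficeConversionTask", DOC_PROJ),
        (PROJECT_POLICY, "imm:CreateOfficeConversionTask", other_region),
        (DENY_POLICY, "imm:DeleteProject", DOC_PROJ),
    ]
    for policy, action, resource in checks:
        print(f"{evaluate(policy, action, resource):5}  {action}  {resource}")
    print("session:", evaluate_session(PROJECT_POLICY, SESSION_POLICY, "imm:DeleteProject", DOC_PROJ))
```

Run it before attaching a policy: the region and project name in the Resource ARN are compared literally, so a statement written for cn-shanghai denies the same project in cn-hangzhou, and the session-policy check shows why adding an action to the AssumeRole Policy parameter does not grant it unless the role's policy already does.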