Share OSS assets across accounts using a bucket policy
Resources in Alibaba Cloud Object Storage Service (OSS) are private by default. To allow a partner to use your OSS resources for editing, grant them access to the bucket by using a bucket policy.
Background information
Company A wants to allow its partner, Company B, to use files stored in an OSS bucket as media assets for editing. However, Company A does not want to set the bucket to public-read or directly copy the files to Company B. Instead, Company A can use a bucket policy to grant its partner access to the bucket, allowing Company B to reference these media assets in the timeline.
Add a bucket policy to grant access
Intelligent Media Services (IMS) accesses customer OSS files by assuming the system role AliyunICEDefaultRole. When Company A grants Company B permission to access a bucket, the AliyunICEDefaultRole assumed by Company B's account can access Company A's bucket. Follow these steps:
-
Obtain the Alibaba Cloud account ID of Company B.
Company B logs in to its Alibaba Cloud account. In the console, click the profile picture in the upper-right corner. Find and record the Alibaba Cloud account ID from the pop-up box.
The value is labeled account ID.
-
Grant the AliyunICEDefaultRole assumed by Company B's account access to the authorized resources.
-
Log on to the OSS console.
-
On the Buckets page, click the name of the target bucket.
-
In the left-side navigation pane, choose Permission Control > Bucket Policy.
-
On the Bucket Policy page, on the Add in GUI tab, click Authorize.
-
In the Authorize panel, configure the policy. For Authorized User, select Other Accounts, and enter the following ARN. Replace the placeholder with the Alibaba Cloud account ID from Step 1.
arn:sts::COMPANY_B_ACCOUNT_ID:assumed-role/AliyunICEDefaultRole/* -
For details on configuring other parameters, see Grant access to specific resources by using a bucket policy.
-
Click OK.
Example:
In the Authorized Resource area, select Entire Bucket. In the Authorized User area, select Other Accounts and enter the ARN for the
AliyunICEDefaultRoleassumed by Company B's account (format: arn:sts::ACCOUNT_ID:assumed-role/AliyunICEDefaultRole/*). In the Authorized Operation area, select Simple Settings and select Read/Write. In the Conditions (Optional) area, set the access method to HTTPS and click OK.
-
Advanced configurations
-
Multi-account authorization: You can grant multiple Alibaba Cloud accounts editing access to the media assets in this bucket by entering multiple values for Authorized User.
-
Operation permissions: If Authorized Operation is "Read-Only", Company B can only use the bucket's media assets as input. If Authorized Operation is "Read/Write", Company B can also write edited output to the bucket.