
Intelligent Media Services:Create a RAM role and use STS to authorize temporary access

Last Updated:Dec 15, 2025

If you want to access Intelligent Media Services (IMS) on mobile or web clients, you can use Security Token Service (STS) to authorize temporary access. This effectively prevents security risks caused by leaks of the AccessKey pairs of Resource Access Management (RAM) users. This topic describes how to use STS to authorize temporary access to IMS.

Background

An AccessKey pair of a RAM user remains valid indefinitely once it is enabled, so a leaked pair can be used until it is manually disabled. We recommend that you use STS to authorize temporary access instead. You can customize the validity period of the temporary AccessKey pairs, write relatively fine-grained policies to limit the permissions of different RAM roles, and follow the principle of least privilege to improve service access security.

Step 1: Create a RAM user and authorize it to call the AssumeRole operation

  1. Log on to the RAM console using the Alibaba Cloud account or as a RAM administrator.

  2. In the navigation pane on the left, choose Identities > Users.

  3. On the Users page, click Create User.

  4. On the Create User page, in the User Account Information section, set the basic information for the user.

    • Logon Name: Enter a name that can contain letters, digits, periods (.), hyphens (-), and underscores (_). The name can be up to 64 characters long.

    • Display Name: Enter a name that can contain up to 128 characters.

    • Tag: Click the pencil icon, then enter a tag key and value. Attach tags to the RAM user to manage users by tag.

    Note

    Click Add User to create multiple RAM users in a batch.

  5. Select an Access Mode and configure the corresponding parameters.

  6. Click OK and complete the security verification. An AccessKey pair is automatically generated for the RAM user.


  7. Click Copy in the Actions column and save the copied user information including the AccessKey ID and AccessKey secret.

    Important

    Keep the AccessKey pair secure. The AccessKey secret is displayed only when the RAM user is created. You cannot view the AccessKey secret after you close the creation page.

  8. On the Users page, find the created RAM user and click Add Permissions in the Actions column.

  9. In the Grant Permission panel, grant permissions to the RAM user.

    1. Select the scope of authorization.

      Set the Resource Scope parameter to Account. IMS does not support the Resource Group scope. For more information, see Differences and relationships among the Resource Directory, Resource Group, and Tag services.

    2. Specify the principal.

      The principal is the RAM user to which you want to grant permissions.

    3. Select an access policy.

      Select System Policy, enter AliyunSTS, then select the AliyunSTSAssumeRoleAccess policy.

    4. Click OK to complete the authorization.

Step 2: Create a RAM role and authorize it to operate IMS resources

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click Create Role.


  4. On the Create Role page, set the Principal Type parameter to Cloud Account, specify an Alibaba Cloud account, and then click OK.


    • Current Account: If you want a RAM user or RAM role that belongs to your Alibaba Cloud account to assume the RAM role, select Current Account.

    • Other Account: If you want a RAM user or RAM role that belongs to a different Alibaba Cloud account to assume the RAM role, select Other Account and enter the ID of the Alibaba Cloud account. This option is provided to grant permissions on resources that belong to different Alibaba Cloud accounts. For more information, see Delegate access across Alibaba Cloud accounts using RAM roles. You can view the ID of your Alibaba Cloud account on the Security Settings page.

  5. Optional. If you want the RAM role to be assumed only by a specific RAM user or RAM role that belongs to the trusted Alibaba Cloud account, click Switch to Policy Editor and modify the trust policy of the RAM role in the editor.

    The editor supports the Visual editor and JSON modes. In the following example, only the RAM user Alice within the Alibaba Cloud account whose ID is 100******0719 can assume the RAM role.

    • Visual editor

      Specify a RAM user for the Principal element.


    • JSON

      Specify a RAM user for the RAM field of the Principal parameter.

      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "RAM": "acs:ram::100******0719:user/Alice"
            },
            "Action": "sts:AssumeRole"
          }
        ]
      }

  6. In the Grant Permission panel, grant permissions to the RAM role.

    1. Set the authorization scope.

      Set the Resource Scope parameter to Account. IMS does not allow you to set the Resource Scope parameter to Resource Group. For more information about resource groups, see Differences and relationships among the Resource Directory, Resource Group, and Tag services.

    2. Specify the principal.

      The principal is the RAM role to which permissions are granted. By default, the current RAM role is specified. You can also specify a different RAM role.

    3. Select policies in the Policy section.

      • Use system policies

        Select System Policy from the drop-down list, enter AliyunICE in the search box, and then select system policies based on your business requirements.

        • AliyunICEFullAccess
          Description: Permissions to manage and operate all IMS resources
          API operation: This policy grants permissions on all operations of IMS.

        • AliyunICEReadOnlyAccess
          Description: Read-only permissions on all IMS resources
          API operation: This policy grants permissions on all read-only operations of IMS, such as Get, Describe, Search, and List operations.

      • Use custom policies

        Select Custom Policy from the drop-down list and select custom policies based on your business requirements. If no custom policies are available, you can create one. For more information, see Create custom policies or the Sample custom policies section of this topic.

      Note

      • You can attach a maximum of five policies to a RAM user at a time. If you want to attach more than five policies to a RAM user, repeat the operation.

      • To control risks, we recommend that you abide by the principle of least privilege.

      • If you want to use IMS SDK for iOS or Android, you must specify the AliyunOSSFullAccess policy or a custom Object Storage Service (OSS) policy based on your business requirements. This is because the SDK needs to upload files to OSS.

    4. Click OK to complete the authorization.

Step 3: Use the RAM user to call AssumeRole to obtain a temporary AccessKey pair

  1. Download and integrate the STS SDK. For more information, see STS SDK overview.

  2. Call the AssumeRole API to obtain temporary identity credentials for the role.

    This topic provides an example that uses Java code. For sample code in other languages, see SDK sample code.

    Java

    import com.aliyun.tea.*;
    
    public class Sample {
    
        /**
         * Initialize the STS client with a credential.
         * @return the STS client
         * @throws Exception if the credential or the client cannot be created
         */
        public static com.aliyun.sts20150401.Client createClient() throws Exception {
            // We recommend that you use a credential-free method to run your project code. For more information about how to configure credentials, see https://help.alibabacloud.com/document_detail/378657.html.
            com.aliyun.credentials.Client credential = new com.aliyun.credentials.Client();
            com.aliyun.teaopenapi.models.Config config = new com.aliyun.teaopenapi.models.Config()
                    .setCredential(credential);
            // For more information about endpoints, see https://api.alibabacloud.com/product/Sts.
            config.endpoint = "sts.us-west-1.aliyuncs.com";
            return new com.aliyun.sts20150401.Client(config);
        }
    
        public static void main(String[] args_) throws Exception {
    
            com.aliyun.sts20150401.Client client = Sample.createClient();
            // The request parameters for the AssumeRole API operation are RoleArn, RoleSessionName, Policy, and DurationSeconds.
            // You can obtain the RoleArn parameter from the RAM console.
            com.aliyun.sts20150401.models.AssumeRoleRequest assumeRoleRequest = new com.aliyun.sts20150401.models.AssumeRoleRequest()
                    .setDurationSeconds(3600L)
                    // Customize your policy.
                    .setPolicy("{\n" +
                            "  \"Version\": \"1\",\n" +
                            "  \"Statement\": [\n" +
                            "    {\n" +
                            "      \"Action\": \"ice:*\",\n" +
                            "      \"Resource\": \"*\",\n" +
                            "      \"Effect\": \"Allow\"\n" +
                            "    }\n" +
                            "  ]\n" +
                            "}")
                    // You can obtain the RoleArn parameter from the RAM console.
                    .setRoleArn("<role-arn>")
                    // RoleSessionName is the session name of the temporary token. Specify a custom name to identify your user. This name is used for auditing or to distinguish to whom the token is issued.
                    // Note the length and rules for RoleSessionName. It cannot contain spaces and can only contain letters, digits, hyphens (-), and underscores (_).
                    // For more information about the format requirements, see the API documentation.
                    .setRoleSessionName("session-name");// Custom name.
            com.aliyun.teautil.models.RuntimeOptions runtime = new com.aliyun.teautil.models.RuntimeOptions();
            try {
                com.aliyun.sts20150401.models.AssumeRoleResponse resp = client.assumeRoleWithOptions(assumeRoleRequest, runtime);
                com.aliyun.teaconsole.Client.log(com.aliyun.teautil.Common.toJSONString(resp));
            } catch (TeaException error) {
                // This is for printing and demonstration purposes only. Handle exceptions with caution. Do not ignore exceptions in your project.
                // Error message
                System.out.println(error.getMessage());
                // Diagnostic address
                System.out.println(error.getData().get("Recommend"));
                com.aliyun.teautil.Common.assertAsString(error.message);
            } catch (Exception _error) {
                TeaException error = new TeaException(_error.getMessage(), _error);
                // This is for printing and demonstration purposes only. Handle exceptions with caution. Do not ignore exceptions in your project.
                // Error message
                System.out.println(error.getMessage());
                // Diagnostic address
                System.out.println(error.getData().get("Recommend"));
                com.aliyun.teautil.Common.assertAsString(error.message);
            }
        }
    }
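The Java sample above prints the raw AssumeRole response. As an added example that is not part of the original page, the following Python module shows how a server-side token issuer would use the same AssumeRole parameters with a narrower session policy (the read-only Get, Describe, Search and List operations named in the policy table) instead of "ice:*", validate RoleSessionName before calling, and cache the temporary credentials until shortly before their Expiration. The SDK package, class and response attribute names (alibabacloud_sts20150401, alibabacloud_credentials, alibabacloud_tea_openapi, body.credentials) are assumptions; the endpoint is the one from the Java sample.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Session policy for the Policy parameter: the temporary credentials receive the
# intersection of this policy and the policies attached to the RAM role.
def read_only_ice_policy() -> str:
    return json.dumps({"Version": "1", "Statement": [{
        "Effect": "Allow",
        "Action": ["ice:Get*", "ice:Describe*", "ice:Search*", "ice:List*"],
        "Resource": "*"}]})

_SESSION_NAME = re.compile(r"^[A-Za-z0-9_-]+$")

def check_request(role_arn: str, session_name: str) -> None:
    """Reject values the AssumeRole rules on this page disallow before any call is made."""
    if not role_arn.startswith("acs:ram::"):
        raise ValueError("RoleArn must look like acs:ram::<account-id>:role/<role-name>")
    if not _SESSION_NAME.match(session_name):
        raise ValueError("RoleSessionName may contain only letters, digits, '-' and '_'")

def assume_ims_role(role_arn: str, session_name: str) -> dict:
    """Call STS AssumeRole through the Alibaba Cloud Python SDK (assumed package/class names)."""
    from alibabacloud_credentials.client import Client as CredentialClient
    from alibabacloud_sts20150401.client import Client as StsClient
    from alibabacloud_sts20150401 import models as sts_models
    from alibabacloud_tea_openapi.models import Config
    check_request(role_arn, session_name)
    client = StsClient(Config(credential=CredentialClient(), endpoint="sts.us-west-1.aliyuncs.com"))
    req = sts_models.AssumeRoleRequest(role_arn=role_arn, role_session_name=session_name,
                                       policy=read_only_ice_policy(), duration_seconds=3600)
    c = client.assume_role(req).body.credentials
    return {"AccessKeyId": c.access_key_id, "AccessKeySecret": c.access_key_secret,
            "SecurityToken": c.security_token, "Expiration": c.expiration}

class StsCredentialCache:
    """Hands out one temporary credential set and refreshes it shortly before Expiration."""
    def __init__(self, assume_role, margin=timedelta(minutes=5), now=None):
        self._assume_role, self._margin = assume_role, margin  # callable returning the dict above
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._creds, self._expires = None, None

    def get(self) -> dict:
        if self._creds is None or self._now() >= self._expires - self._margin:
            self._creds = self._assume_role()
            # STS returns Expiration as an ISO 8601 UTC timestamp, e.g. 2025-12-15T10:00:00Z
            self._expires = datetime.strptime(self._creds["Expiration"],
                                              "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return self._creds
```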

API reference

AssumeRole