Custom policy - ApsaraVideo Live - Alibaba Cloud Documentation Center

Use cases

System policies provide coarse-grained permissions. If you require fine-grained access control, you can create a custom policy.

For example, you can create a custom policy to grant a RAM user permission to query only snapshot settings.

Procedure

The following examples show how to create a custom policy.

Example 1: Query snapshot settings

To grant a RAM user permission to query only snapshot settings, follow these steps:

Navigate to the Create Policy page. For Service, select Media Services > ApsaraVideo Live.
Expand the read action list. In the search box, enter DescribeLiveSnapshotConfig, and then select it from the results.
Click OK.
Enter a policy name and click OK.
Create a RAM user and attach the new policy. For more information, see Create a RAM user and grant permissions.

After you complete these steps, the RAM user can call the DescribeLiveSnapshotConfig operation and receive the correct data. Attempts to call other operations return a permission error.

Example 2: Query snapshot settings by IP

Example 1 grants permission to call the DescribeLiveSnapshotConfig operation. To add more granular control, such as restricting access by IP address, follow these steps:

Navigate to the Policies page and find the policy that you created in Example 1.
Click the policy name to open the policy details page.
Click Modify Policy to open the modification page and select the Visual editor tab. The modification page shows that the policy type is custom policy and the current version is v2. The policy document tab displays the policy's JSON content, which has an Effect value of Allow.
In the Condition section, click Add condition. Set Key to acs:SourceIp, Operator to IpAddress, and Value to the desired IP Address.
Click OK, and then click OK again to save the changes.

After you complete these steps, the operation can succeed only if the request is sent from the specified IP address. Otherwise, the request fails with a permission error.

Note

For more information about how to create a custom policy, see Create a custom policy.

Syntax

The policy is described in JSON format on the policy details page under the policy document tab. For Example 2, the policy document is as follows:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "live:DescribeLiveSnapshotConfig",
            "Resource": "*",
            "Condition": {
                "IpAddress": {
                    "acs:SourceIp": [
                        "127.0.0.1"
                    ]
                }
            }
        }
    ]
}

The following describes the elements in the policy document:

Version

The Version element defines the version of the policy. The value must be 1.
Statement

A policy consists of one or more Statement blocks. Each statement defines permissions and includes elements such as Action, Effect, Resource, and Condition. When a request is made, the system evaluates each statement. A Deny effect always overrides an Allow effect. The request is authorized only if it matches one or more Allow statements and no Deny statements.
Effect

Defines the effect of the statement, which can be Allow or Deny.
Action

Specifies the API operations for the permission. Actions for ApsaraVideo Live use the live:API name format, such as live:DescribeLiveSnapshotConfig. Separate multiple actions with a comma. You can combine multiple actions to create a set of permissions.

For a list of all available operations, see API reference.
Resource

Specifies the resource or resources that the policy covers. You can use the wildcard character (*). The format is acs:{ramCode}:{region}:{accountId}:{relative}. A Resource element can contain a list of multiple resources. For ApsaraVideo Live, valid values for ramCode are live, cdn, and live-interaction. The region field is not currently supported and must be set to *. accountId is your account ID. relative specifies the exact resource. It is often set to *, but some operations support resource-level permissions. You can also set the entire Resource element to * as shown in the example.

Note
When you use the visual editor, the corresponding ramCode is automatically selected based on the API operation.

Condition

Specifies conditions for when the policy is in effect. This element is optional.

The following conditions are supported:

Condition	Description	Value
acs:SourceIp	Specifies an IP address or a CIDR block.	IP addresses. The wildcard character (*) is supported.
acs:SecureTransport	Specifies whether the request must use HTTPS.	true or No
acs:MFAPresent	Specifies whether the user must be logged in with multi-factor authentication (MFA).	true or false
acs:CurrentTime	Specifies the time when the request is received by the server.	A time in ISO 8601 format. Example: 2012-11-11T23:59:59Z.

Note

For more information about the basic elements and syntax of policies, see Policy elements and Policy structure and syntax.

Script editing

Once you understand policy syntax, you can also modify policies using script editing. For example, to add the IP address 127.0.0.2 to the policy from Example 2, follow these steps:

Navigate to the Policies page and find the policy that you created in Example 1.
Click the policy name to open the policy details page.
Click Modify Policy to open the modification page, and select the JSON tab.
In the acs:SourceIp array, add the IP address 127.0.0.2.
Click OK to save the changes.

The updated policy document is as follows:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "live:DescribeLiveSnapshotConfig",
            "Resource": "*",
            "Condition": {
                "IpAddress": {
                    "acs:SourceIp": [
                        "127.0.0.1",
                        "127.0.0.2"
                    ]
                }
            }
        }
    ]
}

Version management

To revert a policy to a previous version, use version management. On the policy details page, select the Versions tab, find the target version, and click Set as Active.

Important

A policy can have a maximum of five versions.

Advanced usage

Consider the following business scenario for creating a custom policy:

You want to control permissions for the AddLiveAppSnapshotConfig operation.
The operation should be allowed only on domainA and domainB.

To meet these requirements, you can control access at the resource level. Follow these steps:

Navigate to the Create Policy page. For Service, select Media Services > ApsaraVideo Live.
Expand the write action list. In the search box, enter AddLiveAppSnapshotConfig, and then select it from the results.
In the Resource section, select Specified Resources, and then click Add resource. Set Account to * and Resource to domainA. Repeat this step to add domainB.
Click OK.

Enter a policy name and click OK. The policy document is as follows:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "live:AddLiveAppSnapshotConfig",
            "Resource": [
                "acs:cdn:*:*:domain/domainA",
                "acs:cdn:*:*:domain/domainB"
            ]
        }
    ]
}

Attach the created policy to the target RAM user.

After you complete these steps, the RAM user can add snapshot settings only for domainA and domainB.

Note

The format for resource-level control varies by API operation. We recommend using the visual editor to configure fine-grained permissions.