ApsaraVideo Live verifies the identity and permissions of each API requestor by using an access key pair. You can authenticate with an Alibaba Cloud account or a RAM user, and control access through system or custom policies.
Introduction
You can access ApsaraVideo Live through the API or SDK. For each request, ApsaraVideo Live uses your AccessKey to verify your identity and check whether your account has the required permissions.
You can also use Resource Access Management (RAM) to grant RAM users specific permissions to the ApsaraVideo Live console.
Key concepts
- Resource Access Management (RAM)
  Resource Access Management (RAM) is an Alibaba Cloud service that helps you manage user identities and control access to your resources. For more information, see What is Resource Access Management?.
  Note: RAM provides permission segregation and management, not resource isolation. RAM users are subordinate to an Alibaba Cloud account and cannot own any resources. All resources belong to the Alibaba Cloud account.
- Alibaba Cloud account
  An Alibaba Cloud account is the primary entity that owns resources and is billed for them. It has full control over all resources it owns.
- RAM user
  A RAM user is an identity that you create under an Alibaba Cloud account. Each RAM user has a unique access key pair and can perform authorized operations.
- Policy
  A policy defines a set of permissions that specify authorized resources, actions, and conditions. By attaching policies to users or user groups, you control their access to your resources and services. For example, you can limit users to upload, playback, or review permissions only.
- Access key pair
  An access key pair consists of an AccessKey ID and an AccessKey secret. ApsaraVideo Live uses these credentials as a shared symmetric key to sign requests and verify the identity of the request sender.
  - AccessKey ID: Identifies the user.
  - AccessKey secret: The key used to sign the signature string of a request and to verify it on the service side. Keep your AccessKey secret confidential.
    Note: The AccessKey secret is displayed only when you create it and cannot be retrieved later. Store it securely.
  - Access key pair: The combination of an AccessKey ID and an AccessKey secret.
For more information about the key concepts of access control, see Basic concepts of access control.
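The following added example (not code from Alibaba Cloud or its SDKs) illustrates how the access key pair concept above works in practice: the client signs each request with the AccessKey secret and sends only the AccessKey ID and the signature; the service looks up the secret for that ID and recomputes the signature. It assumes the HMAC-SHA1 "Signature version 1.0" scheme of Alibaba Cloud RPC-style APIs (canonicalized query string, string-to-sign, secret plus "&" as the key); the AccessKey ID, secret, API version, action and domain values are constructed sample data, not real credentials.

```python
"""Added example: request signing and verification with an access key pair.

Illustrative code, not Alibaba Cloud's SDK. It models the HMAC-SHA1
Signature version 1.0 scheme of Alibaba Cloud RPC-style APIs. All
credentials and parameter values below are constructed samples.
"""
import base64
import hashlib
import hmac
import urllib.parse


def percent_encode(value) -> str:
    """RFC 3986 encoding: '~' stays, space -> %20, '*' -> %2A, '/' -> %2F."""
    return urllib.parse.quote(str(value), safe="~")


def string_to_sign(method: str, params: dict) -> str:
    """Sort parameters by key, encode each pair, then encode the whole query."""
    canonical = "&".join(
        f"{percent_encode(k)}={percent_encode(v)}" for k, v in sorted(params.items())
    )
    return f"{method}&{percent_encode('/')}&{percent_encode(canonical)}"


def sign(method: str, params: dict, access_key_secret: str) -> str:
    """HMAC-SHA1 over the string-to-sign, keyed with secret + '&', base64 encoded."""
    key = (access_key_secret + "&").encode()
    digest = hmac.new(key, string_to_sign(method, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_request(action_params: dict, access_key_id: str, access_key_secret: str,
                  timestamp: str, nonce: str) -> dict:
    """Client side: common parameters plus action parameters, then the Signature.

    Only the AccessKey ID travels with the request; the secret never leaves the client.
    """
    params = {
        "Format": "JSON",
        "Version": "2016-11-01",  # ApsaraVideo Live API version (assumed for the example)
        "AccessKeyId": access_key_id,
        "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0",
        "SignatureNonce": nonce,      # unique per request, limits replay
        "Timestamp": timestamp,       # ISO 8601 UTC
        **action_params,
    }
    params["Signature"] = sign("GET", params, access_key_secret)
    return params


def verify_request(params: dict, secret_lookup) -> bool:
    """Service side: fetch the secret for the presented AccessKey ID and recompute.

    Unknown key IDs, missing signatures and any modified parameter all fail.
    """
    presented = params.get("Signature")
    secret = secret_lookup(params.get("AccessKeyId"))
    if presented is None or secret is None:
        return False
    unsigned = {k: v for k, v in params.items() if k != "Signature"}
    expected = sign("GET", unsigned, secret)
    return hmac.compare_digest(expected, presented)


# Constructed sample credentials and a constructed key store (not real keys).
SAMPLE_KEY_ID = "LTAI-EXAMPLE-ID"
SAMPLE_SECRET = "example-secret-do-not-use"
KEY_STORE = {SAMPLE_KEY_ID: SAMPLE_SECRET}


def demo():
    """Return (genuine request verifies, tampered request verifies)."""
    req = build_request(
        {"Action": "DescribeLiveDomainDetail", "DomainName": "live.example.com"},
        SAMPLE_KEY_ID, SAMPLE_SECRET, "2024-01-01T00:00:00Z", "nonce-0001",
    )
    tampered = dict(req, DomainName="other.example.com")
    return verify_request(req, KEY_STORE.get), verify_request(tampered, KEY_STORE.get)


if __name__ == "__main__":
    print(demo())
```

The point for the reader is in `verify_request`: whoever holds the AccessKey secret can produce a valid signature for any parameters, which is why a leaked secret is equivalent to a leaked identity and why the secret is shown only once at creation time. A real deployment would also reject stale timestamps and reused nonces before recomputing the signature.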
Authentication methods and comparison
When you access ApsaraVideo Live, you can use one of two types of access key pairs:
- Alibaba Cloud account access key pair
  This is the access key pair of the account that activated ApsaraVideo Live. It has full permissions over all resources owned by that account. Each Alibaba Cloud account can have up to five access key pairs (active or inactive) at a time. You can log on to the RAM console to create or delete access key pairs. Only active access key pairs can be used for authentication.
  Warning: Leaking an Alibaba Cloud account's access key pair poses a significant security risk because it grants full permissions over all resources.
- RAM user access key pair
  This access key pair belongs to a RAM user and provides access to ApsaraVideo Live resources based on attached policies. RAM lets you centrally manage users such as employees, systems, or applications, and control their access to your resources. For example, you can grant a user permissions for video playback only. RAM users are subordinate to an Alibaba Cloud account and do not own any resources.
  You can log on to the RAM console to create a RAM user, obtain an access key pair, and grant permissions. For detailed instructions, see Create and authorize a RAM user.
Comparison of authentication methods
| Authentication method | Risk | Permissions | Validity | Use cases |
| --- | --- | --- | --- | --- |
| Alibaba Cloud account access key pair | Very high | Full permissions to manage all ApsaraVideo Live resources. | Permanently valid after activation. | Not recommended for application code, especially on the client side. |
| RAM user access key pair | Low | Permissions are granted based on the attached policy. | Permanently valid after activation. | Using multiple RAM users facilitates credential rotation if a key is compromised, for example, after an employee departure. Recommended for server-side use. |
Policies
Policies let you grant fine-grained permissions to RAM users. Alibaba Cloud provides two types of policies: system policies and custom policies.
- System policies
  The following three system policies are commonly used with ApsaraVideo Live.
  | Policy name | Description | Permissions |
  | --- | --- | --- |
  | AliyunLiveFullAccess | Grants permissions to manage ApsaraVideo Live. | Allows all console operations and API calls for ApsaraVideo Live. |
  | AliyunLiveReadOnlyAccess | Grants read-only permissions for ApsaraVideo Live. | Allows all read-only operations and API calls, such as those that start with "Describe". |
  | AliyunMTSFullAccess | Grants permissions to manage ApsaraVideo Media Processing (MPS). | Allows all console operations and API calls for ApsaraVideo Media Processing (MPS). |
- Custom policies
  If system policies do not meet your requirements, you can create custom policies for more granular control. For more information, see Create a custom policy.
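To make the difference between a system policy and a custom policy concrete, here is an added example (not Alibaba Cloud's policy engine) that evaluates actions against RAM policy documents in the RAM policy language format (`"Version": "1"`, a list of `Statement` objects with `Effect`, `Action` and `Resource`). It assumes the evaluation rules RAM documents for its policies: deny by default, an Allow whose Action and Resource patterns match grants the action, and an explicit Deny overrides any Allow. The three policy documents are constructed: one has the shape of the full-access system policy (`live:*`), one is a read-only custom policy limited to `Describe*` actions, and one is a custom Deny that blocks `Delete*` actions even when a full-access policy is also attached. The `live:` action prefix and the action names are assumed sample values.

```python
"""Added example: evaluating RAM policy documents (deny by default, Deny wins).

Illustrative code, not Alibaba Cloud's RAM engine. Policy documents and
action names are constructed samples in the RAM policy language format.
"""
import fnmatch
import json

# Shape of a full-access system policy for ApsaraVideo Live (constructed).
FULL_ACCESS_LIKE = json.dumps({
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "live:*", "Resource": "*"}],
})

# Custom policy: only read-only Describe* actions (constructed).
READ_ONLY_CUSTOM = json.dumps({
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": ["live:Describe*"], "Resource": "*"}],
})

# Custom guard-rail policy: explicitly deny destructive actions (constructed).
DENY_DELETE_CUSTOM = json.dumps({
    "Version": "1",
    "Statement": [{"Effect": "Deny", "Action": ["live:Delete*"], "Resource": "*"}],
})


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str) -> bool:
    """Wildcard match ('*' and '?') as used in policy Action/Resource fields."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policy_docs, action: str, resource: str = "*") -> bool:
    """Evaluate one action against every policy attached to the identity.

    Rules modelled (assumed from RAM's documented behaviour):
      1. nothing matches        -> denied (default deny)
      2. a matching Allow       -> allowed, unless
      3. any matching Deny      -> denied, regardless of Allows
    """
    allowed = False
    for doc in policy_docs:
        for stmt in json.loads(doc)["Statement"]:
            if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return False
            if stmt["Effect"] == "Allow":
                allowed = True
    return allowed


def effective_permissions(policy_docs, actions):
    """Map each action to its decision, handy for reviewing a RAM user's grants."""
    return {a: is_allowed(policy_docs, a) for a in actions}


if __name__ == "__main__":
    sample_actions = ["live:DescribeLiveDomainDetail", "live:DeleteLiveDomain", "oss:GetObject"]
    print("full access        ", effective_permissions([FULL_ACCESS_LIKE], sample_actions))
    print("read-only custom   ", effective_permissions([READ_ONLY_CUSTOM], sample_actions))
    print("full + deny delete ", effective_permissions([FULL_ACCESS_LIKE, DENY_DELETE_CUSTOM], sample_actions))
```

Running the block shows why a custom policy is the tool for least privilege: the read-only policy yields `Describe*` only, and attaching the Deny policy next to a full-access one still blocks `Delete*`, so a Deny statement is a safe way to carve exceptions out of a broad system policy. Actions in other services (the `oss:GetObject` sample) stay denied unless a policy names them.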
Common authorization tasks
The following are common authorization tasks for ApsaraVideo Live.
- If a RAM user needs to use ApsaraVideo Live, you must attach the AliyunLiveFullAccess system policy or a custom policy to the RAM user.
- To save recordings and snapshots from ApsaraVideo Live to your Object Storage Service (OSS) bucket, you must authorize ApsaraVideo Live to access OSS. To do this, grant the AliyunMTSDefaultRole service-linked role. Click here to grant the authorization.
  Note: When you activate ApsaraVideo Live, it is automatically granted permission to write to your OSS buckets. This prevents permission issues when saving live recordings to your specified bucket. If this permission is accidentally revoked, you can grant it again.
- To delete snapshots stored in OSS by using the ApsaraVideo Live API or console, you must create the AliyunMTSVideoLifecycleRole service-linked role and attach the AliyunMTSVideoLifecycleRolePolicy system policy to it. For detailed instructions, see Delete snapshots in the ApsaraVideo Live console.
- To delete recordings stored in OSS by using the ApsaraVideo Live API or console, you must create the AliyunMTSVideoLifecycleRole service-linked role and attach the AliyunMTSVideoLifecycleRolePolicy system policy to it. For detailed instructions, see Delete recordings in the ApsaraVideo Live console.