A Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud account is used to implement cross-account access and temporary authorization. The RAM role can be assumed by a RAM user that belongs to a trusted Alibaba Cloud account. This topic describes how to create a RAM role and grant permissions to the RAM role before you use the role to decrypt and play videos.
Prerequisites
A RAM user is created and has permissions to access Media Processing Service (MPS). For more information, see Create a RAM user and grant permissions to the RAM user.
Create a role
Log on to the RAM console as a RAM user who has administrative rights.
In the left-side navigation pane, choose .
On the Roles page, click Create Role.

On the Create Role page, set the Principal Type parameter to Cloud Account, specify an Alibaba Cloud account, and then click OK.

Current Account: If you want a RAM user or RAM role that belongs to your Alibaba Cloud account to assume the RAM role, select Current Account.
Other Account: If you want a RAM user or RAM role that belongs to a different Alibaba Cloud account to assume the RAM role, select Other Account and enter the ID of the Alibaba Cloud account. This option is provided to grant permissions on resources that belong to different Alibaba Cloud accounts. For more information, see Delegate access across Alibaba Cloud accounts using RAM roles. You can view the ID of your Alibaba Cloud account on the Security Settings page.
Optional. If you want the RAM role to be assumed only by a specific RAM user or RAM role that belongs to the trusted Alibaba Cloud account, click Switch to Policy Editor and modify the trust policy of the RAM role in the editor.
The editor supports the Visual editor and JSON modes. In the following example, only the RAM user Alice within the Alibaba Cloud account whose ID is 100******0719 can assume the RAM role.
Visual editor
Specify a RAM user for the Principal element.


JSON
Specify a RAM user for the RAM field of the Principal parameter.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "RAM": "acs:ram::100******0719:user/Alice"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
In the Create Role dialog box, configure the Role Name parameter and click OK.
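The following check is an added example, not part of the original documentation or any Alibaba Cloud tooling. It parses a trust policy such as the one above and reports whether each trusted principal is a single RAM identity or the whole account. The function name audit_trust_policy, the ":root" and ":role/<name>" ARN forms, and the second sample policy are assumptions made for illustration.

```python
import json
import re

# ARN layout taken from the page's example: acs:ram::<account-id>:user/<name>.
# The ":root" (whole account) and ":role/<name>" forms are assumptions based on
# the standard RAM ARN format; they are not shown on this page.
ARN_RE = re.compile(r"^acs:ram::([^:]+):(root|user/.+|role/.+)$")


def as_list(value):
    """Policy fields may hold a single item or a list of items."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy_text, expected_account):
    """Return (level, principal, message) findings for each trusted RAM principal."""
    findings = []
    for stmt in as_list(json.loads(policy_text).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in as_list(stmt.get("Action", [])):
            continue
        for arn in as_list(stmt.get("Principal", {}).get("RAM", [])):
            match = ARN_RE.match(arn)
            if match is None:
                findings.append(("error", arn, "unrecognised principal format"))
                continue
            account, entity = match.groups()
            if account != expected_account:
                findings.append(("warn", arn, "trusts a different account"))
            if entity == "root":
                findings.append(("warn", arn, "whole account trusted, not one RAM identity"))
            else:
                findings.append(("ok", arn, "scoped to one identity"))
    return findings


# Trust policy from the page (account ID masked exactly as on the page).
SCOPED = """{"Version": "1", "Statement": [{"Effect": "Allow",
  "Principal": {"RAM": "acs:ram::100******0719:user/Alice"},
  "Action": "sts:AssumeRole"}]}"""

# Constructed sample: the same role trusting the whole account.
ACCOUNT_WIDE = SCOPED.replace("user/Alice", "root")

if __name__ == "__main__":
    for name, text in (("scoped", SCOPED), ("account-wide", ACCOUNT_WIDE)):
        for level, arn, message in audit_trust_policy(text, "100******0719"):
            print(f"{name}: [{level}] {arn}: {message}")
```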
Grant permissions to a role
Grant permissions to the RAM role.
On the Roles page, find the RAM role that you created and click Grant Permission in the Actions column.
In the Grant Permission panel, set the Resource Scope to Account.
Resource Scope | Description
Account | The permissions granted to the RAM role take effect on resources within the current Alibaba Cloud account.
Resource Group | The permissions granted to the RAM user take effect on resources in the specified resource group.
The system automatically enters the name of the current RAM role in the Principal field.
In the Policy section, select System Policy, check one or more required policies, and then click Grant Permissions. Then, close the panel.
Note: If you want to grant, modify, or revoke the Security Token Service (STS) permissions of a RAM user, perform this step and configure the settings as required.
Associate the RAM user with the RAM role.
In the left-side navigation pane, choose . On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab.
In the code editor, assign the ARN value you obtained to the Resource parameter. Specify the Action parameter as needed. Click OK.
Click Optimize in the upper part. In the Optimize message, click Perform to optimize the policy.
The system performs the following operations during the advanced optimization:
Split resources or conditions that are incompatible with actions.
Narrow down resources.
Deduplicate or merge policy statements.
On the Create Policy page, click OK.
In the Create Policy dialog box, configure the Policy Name and Description parameters and click OK.
In the left-side navigation pane, choose .
Find the RAM user that you created and click Add Permissions in the Actions column.
In the Policy section, select Custom Policy, check the required policies, and then click Grant Permissions.