All Products
Search
Document Center

ApsaraVideo Media Processing:Overview of identity and permission management

Last Updated:Jun 23, 2026

ApsaraVideo Media Processing (MPS) uses AccessKey pairs to authenticate the identity of a request sender and prevent unauthorized access. Learn about the basic concepts of and differences between various AccessKey pair types.

About AccessKey pairs

MPS authenticates each request using an AccessKey pair to verify the sender's identity and required permissions.

AccessKey concepts

An AccessKey pair is a credential used for Alibaba Cloud API calls. It verifies the caller's identity and permissions. An AccessKey pair consists of an AccessKey ID and an AccessKey secret, which must be used together.

  • AccessKey ID: Identifies the user.

  • AccessKey secret: Authenticates the user's identity. You must keep your AccessKey secret confidential.

    Note

    The AccessKey secret is displayed only when it is created and cannot be retrieved later. Keep it secure. After you create an AccessKey pair, download the CSV file or copy the information to a secure location.

AccessKey pair types

Alibaba Cloud account AccessKey pair

This is the AccessKey pair for the Alibaba Cloud account that has activated MPS. It has full permissions for all resources under the account. You can have a maximum of five AccessKey pairs, including both enabled and disabled pairs. You can log on to the AccessKey console to add or delete AccessKey pairs. Each AccessKey pair can be enabled or disabled. Only enabled AccessKey pairs can be used for identity verification.

Important

Because an Alibaba Cloud account AccessKey pair grants full permissions, leaking it poses a high security risk. We recommend that you use a RAM user AccessKey pair instead to make API calls to MPS.

RAM user AccessKey pair

Note

Resource Access Management (RAM) is an Alibaba Cloud service for access control. RAM lets you centrally manage your users, such as employees, systems, or applications, and control the resources they can access.

A RAM user AccessKey pair is granted permissions through RAM and can access MPS only within those granted permissions. Each RAM user can have up to two AccessKey pairs, which can be enabled or disabled. RAM users belong to an Alibaba Cloud account and do not own any resources. All resources belong to the Alibaba Cloud account. You can log on to the RAM console to create RAM users and grant permissions. For more information, see Create a RAM user and grant permissions.

STS temporary AccessKey pair

Security Token Service (STS) is an Alibaba Cloud service that provides temporary access credentials. An STS temporary AccessKey pair is issued by STS with a limited validity period. It can access MPS resources only within the permissions granted by STS and automatically expires after a specified period. You can log on to the RAM console to create a RAM role and grant STS authorization.

Comparison of verification methods

Verification method

Risk

Permissions

Validity

Scenarios

Alibaba Cloud account AccessKey pair

Very high

Permissions to manage and operate all MPS resources

Permanently valid after being enabled

For super administrator operations only. Do not use it in programs, especially on the client side.

RAM user AccessKey pair

Larger

Permissions granted based on authorization policies

Permanently valid after being enabled

Suitable for authorizing specific operations such as transcoding and snapshotting. You can create multiple RAM users. If an AccessKey pair is leaked, for example, when an employee leaves, you must replace it. Use this on the server side.

STS temporary AccessKey pair

Security

Permissions granted based on authorization policies

Custom expiration time

Suitable for mobile or web clients. You must deploy a server to generate STS temporary AccessKey pairs and handle expiration.

Access policy details

To use MPS, you must grant permissions for MPS and OSS. You can also grant permissions for Simple Message Queue (formerly MNS) and Alibaba Cloud CDN. You must use a system policy to grant permissions for MPS. For other services, you can use a system policy or a custom policy.

Required products

Description

Required

System policy

Custom policy

ApsaraVideo Media Processing (MPS)

To use MPS, you must grant all permissions for MPS.

Yes

Full read and write permissions for MPS: AliyunMTSFullAccess

Not supported

Object Storage Service (OSS)

To use MPS, you must grant read and write permissions for OSS.

Yes

Full read and write permissions for OSS: AliyunOSSFullAccess

Supported. Create the policy first, and then grant the permissions.

Simple Message Queue (formerly MNS)

If you use Simple Message Queue (formerly MNS) to subscribe to tracking tasks, you must grant permissions for MNS.

No, optional

Full read and write permissions for MNS: AliyunMNSFullAccess

CDN Playback Acceleration

If you use MPS to configure CDN for accelerated playback, you must grant permissions for CDN.

No, optional

Full read and write permissions for CDN: AliyunCDNFullAccess

If system policies do not meet your needs, you can create a custom policy. For more information, see Create a RAM user and grant permissions.