
ApsaraVideo Media Processing:Overview of identity and permission management

Last Updated: Feb 04, 2024

ApsaraVideo Media Processing (MPS) uses AccessKey pairs to verify the identities of users who call MPS API operations. This prevents unauthorized requests from being processed. This topic describes the basic concepts of AccessKey pairs and compares the different types of AccessKey pairs.

AccessKey pairs

MPS verifies the identity of a user who requests to call an API operation, and uses an AccessKey pair of the user account to verify whether the user has the permissions to call the operation.

Concepts related to AccessKey pairs

A user must provide an AccessKey pair to call API operations of Alibaba Cloud services. The AccessKey pair is used to verify the identity of the user and the permissions of the user account when the user requests to call an API operation. An AccessKey pair consists of an AccessKey ID and an AccessKey secret.

  • The AccessKey ID is used to verify the identity of a user.

  • The AccessKey secret is the secret half of the pair and is used to authenticate the user who presents the AccessKey ID. You must keep your AccessKey secret confidential.

    Note

    An AccessKey secret is displayed only when you create an AccessKey pair. You cannot query the AccessKey secret in subsequent operations. We recommend that you save the AccessKey secret for subsequent use. After you create an AccessKey pair, you can download the CSV file that records the AccessKey pair, or copy the AccessKey pair.

AccessKey pair types

AccessKey pairs of Alibaba Cloud accounts

An Alibaba Cloud account that is used to activate MPS can have up to five AccessKey pairs, including enabled and disabled AccessKey pairs. Each AccessKey pair of the Alibaba Cloud account has full permissions on the resources that belong to the Alibaba Cloud account. You can log on to the Resource Access Management (RAM) console to create or delete AccessKey pairs. Each AccessKey pair can be enabled or disabled. Only enabled AccessKey pairs can be used to verify user identities.

Important

AccessKey pairs of Alibaba Cloud accounts allow full access to all resources and pose high risks for data leaks if the AccessKey pairs are disclosed. We recommend that you do not use the AccessKey pairs of Alibaba Cloud accounts. We recommend that you use the AccessKey pairs of RAM users to call API operations of MPS.

AccessKey pairs of RAM users

Note

RAM is a resource access control service that is provided by Alibaba Cloud. You can use RAM to manage users such as employees, systems, and applications in a centralized manner and control the access permissions of users on your resources.

The AccessKey pairs of RAM users are authorized in RAM. The AccessKey pairs can be used to access MPS based only on the rules defined by RAM. You can create up to two AccessKey pairs for each RAM user. The AccessKey pairs can be enabled or disabled. RAM users are subordinate to Alibaba Cloud accounts and own no resources. All resources belong only to Alibaba Cloud accounts. You can log on to the RAM console to create RAM users and grant permissions to the RAM users. For more information, see Create a RAM user and grant permissions to the RAM user.

STS temporary AccessKey pairs

Security Token Service (STS) is an Alibaba Cloud service that provides temporary access credentials. An STS temporary AccessKey pair is an AccessKey pair issued by STS and is valid for a specific period of time. The AccessKey pair can be used to access MPS resources based only on the rules defined by STS and expires after the validity period elapses. You can log on to the RAM console to create RAM roles and grant STS permissions to the RAM roles. For more information, see Create a RAM role for a trusted Alibaba Cloud account and authorize the RAM role to access MPS.

Comparison among different types of AccessKey pairs

| AccessKey pair type | Risk level | Permission | Validity period | Scenario |
|---|---|---|---|---|
| AccessKey pairs of Alibaba Cloud accounts | Very high | Permissions to manage and operate all MPS resources | Permanently valid after the AccessKey pairs are enabled | The AccessKey pairs of Alibaba Cloud accounts can be used by the super administrator to perform operations. We recommend that you do not use the AccessKey pairs of Alibaba Cloud accounts in programs, especially on clients. |
| AccessKey pairs of RAM users | High | Permissions that are granted based on policies | Permanently valid after the AccessKey pairs are enabled | The AccessKey pairs of RAM users are used to authorize the RAM users to perform operations such as transcoding and capturing snapshots. You can create a separate RAM user for each person or system so that the impact of an AccessKey pair leak, for example when an employee resigns, stays contained. We recommend that you use the AccessKey pairs of RAM users on servers. |
| STS temporary AccessKey pairs | Low | Permissions that are granted based on policies | Valid until the specified validity period elapses | If you want to use STS temporary AccessKey pairs on mobile or web clients, you must deploy a server to generate STS temporary AccessKey pairs, and take appropriate actions when the temporary AccessKey pairs expire. |
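The table's last row says that a client which uses STS temporary AccessKey pairs must obtain them from a server you deploy and must handle their expiry. The following is an added example, not code from the MPS documentation or the Alibaba Cloud SDKs, of the client-side half of that arrangement: a credential provider that caches the temporary pair and fetches a fresh one from the server before the validity period elapses. The server call is represented by a hypothetical `fetch` callable (`_constructed_fetch` below is a stand-in that returns placeholder values); the actual STS `AssumeRole` call on your server is outside the scope of this example.

```python
"""Client-side handling of STS temporary AccessKey pairs.

Added example, not part of the MPS documentation. It assumes a hypothetical
server endpoint, represented by the `fetch` callable, that returns a fresh
temporary AccessKey pair to the client; the server's own STS call is not shown.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional


@dataclass(frozen=True)
class StsCredentials:
    access_key_id: str
    access_key_secret: str
    security_token: str
    expiration: datetime  # UTC instant after which the pair is rejected

    def seconds_remaining(self, now: datetime) -> float:
        return (self.expiration - now).total_seconds()


class StsCredentialProvider:
    """Caches temporary credentials and refreshes them before they expire.

    refresh_margin: refresh when fewer than this many seconds remain, so that a
    request signed just before expiry is not rejected while in flight.
    """

    def __init__(self, fetch: Callable[[], StsCredentials],
                 refresh_margin: int = 300,
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._fetch = fetch
        self._margin = refresh_margin
        self._clock = clock
        self._cached: Optional[StsCredentials] = None
        self.refresh_count = 0  # how many times the server was asked for a pair

    def get(self) -> StsCredentials:
        now = self._clock()
        if self._cached is None or self._cached.seconds_remaining(now) < self._margin:
            creds = self._fetch()
            # A server bug or clock skew can hand out an already-expired pair;
            # refuse it rather than sign requests that are guaranteed to fail.
            if creds.seconds_remaining(now) <= 0:
                raise RuntimeError("server returned already-expired STS credentials")
            self._cached = creds
            self.refresh_count += 1
        return self._cached


def _constructed_fetch(clock: Callable[[], datetime], lifetime_seconds: int = 3600):
    """Stand-in for the call to your own credential server (constructed sample).

    Returns a pair that is valid for `lifetime_seconds` from the moment of the call.
    """
    def fetch() -> StsCredentials:
        issued = clock()
        return StsCredentials(
            access_key_id="STS.placeholder-id",       # placeholder, not a real key
            access_key_secret="placeholder-secret",   # placeholder
            security_token="placeholder-token",       # placeholder
            expiration=issued + timedelta(seconds=lifetime_seconds),
        )
    return fetch


def simulate_refreshes(offsets_seconds: List[int], lifetime_seconds: int = 3600,
                       refresh_margin: int = 300) -> List[int]:
    """Drive the provider with a fake clock.

    Calls get() once at each offset (seconds after a fixed start) and returns
    the cumulative refresh count after each call, so the refresh points are visible.
    """
    start = datetime(2024, 2, 4, tzinfo=timezone.utc)
    state = {"now": start}
    clock = lambda: state["now"]
    provider = StsCredentialProvider(_constructed_fetch(clock, lifetime_seconds),
                                     refresh_margin=refresh_margin, clock=clock)
    counts = []
    for offset in offsets_seconds:
        state["now"] = start + timedelta(seconds=offset)
        provider.get()
        counts.append(provider.refresh_count)
    return counts


if __name__ == "__main__":
    # One-hour pairs, five-minute margin: refreshed at t=0, again inside the
    # last five minutes (t=3400), and again once the second pair runs out.
    print(simulate_refreshes([0, 1800, 3200, 3400, 7000]))
```

The refresh margin is the practical point: a client that waits for the first `InvalidSecurityToken`-style rejection before fetching a new pair will fail the request that happened to straddle the expiry, whereas refreshing a few minutes early keeps the credentials valid for the full duration of any single request.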

Policies

To use MPS as a RAM user, you must authorize the RAM user to access MPS and OSS. You can also authorize the RAM user to access MNS and CDN based on your business requirements. You must use a system policy to grant permissions on MPS to the RAM user. You can use a system policy or a custom policy to grant permissions on the other services to the RAM user.

| Service | Description | Required | System policy | Custom policy |
|---|---|---|---|---|
| MPS | To allow a RAM user to use MPS, you must grant full permissions on MPS to the RAM user. | Yes | Read and write permissions on MPS: AliyunMTSFullAccess | Not supported |
| OSS | To allow a RAM user to use MPS, you must grant the read and write permissions on OSS to the RAM user. | Yes | Read and write permissions on OSS: AliyunOSSFullAccess | Supported. For more information about how to create a custom policy and attach the custom policy to a RAM user, see the following sections. |
| MNS | To use MNS to subscribe to task information, you must grant the read and write permissions on MNS to the RAM user. | No | Read and write permissions on MNS: AliyunMNSFullAccess | |
| Alibaba Cloud CDN | To use Alibaba Cloud CDN to accelerate content delivery, you must grant the read and write permissions on Alibaba Cloud CDN to the RAM user. | No | Read and write permissions on Alibaba Cloud CDN: AliyunCDNFullAccess | |

If the permissions that are granted based on the system policies cannot meet your requirements, you can customize authorization policies. For more information, see Create a RAM user and grant permissions to the RAM user.
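The table above lists the system policies and notes that OSS also accepts a custom policy. As an added example (not taken from the MPS documentation, and not the text of any Alibaba Cloud system policy), the block below builds a custom RAM policy in the documented policy-document format that grants only what a transcoding job needs on OSS: read from one input bucket, write to one output bucket. Beside it is a simplified allow-only evaluator and a wildcard check, so the difference between such a policy and a full-access policy of the same shape can be verified rather than assumed. The bucket names are placeholders; the evaluator ignores `Deny` statements and `Condition` blocks, which real RAM evaluation does honour.

```python
"""Least-privilege custom RAM policy for the OSS access MPS needs, with checks.

Added example, not part of the MPS documentation. Assumptions: placeholder
bucket names, and a simplified allow-only evaluator (no Deny, no Condition).
"""
import json
from fnmatch import fnmatchcase
from typing import Dict, List, Union

Policy = Dict[str, object]


def _as_list(value: Union[str, List[str]]) -> List[str]:
    """RAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def build_oss_policy(input_bucket: str, output_bucket: str) -> Policy:
    """Read from the input bucket, write to the output bucket, nothing else."""
    return {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["oss:ListObjects", "oss:GetObject"],
                "Resource": [f"acs:oss:*:*:{input_bucket}",
                             f"acs:oss:*:*:{input_bucket}/*"],
            },
            {
                "Effect": "Allow",
                "Action": ["oss:PutObject"],
                "Resource": [f"acs:oss:*:*:{output_bucket}/*"],
            },
        ],
    }


# Illustrative full-access policy written in the same document format, for
# comparison with the custom policy (constructed here, not copied from RAM).
FULL_ACCESS_SHAPE: Policy = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "oss:*", "Resource": "*"}],
}


def is_allowed(policy: Policy, action: str, resource: str) -> bool:
    """Simplified evaluation: any Allow statement whose Action and Resource
    patterns both match grants the request. Deny and Condition are ignored."""
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatchcase(action, p) for p in _as_list(statement["Action"]))
        resource_ok = any(fnmatchcase(resource, p) for p in _as_list(statement["Resource"]))
        if action_ok and resource_ok:
            return True
    return False


def wildcard_findings(policy: Policy) -> List[str]:
    """Flag Allow statements whose Action or Resource is a bare wildcard
    (the pattern a reviewer should question before attaching the policy)."""
    findings = []
    for index, statement in enumerate(policy["Statement"]):
        if statement.get("Effect") != "Allow":
            continue
        for action in _as_list(statement["Action"]):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {index}: wildcard action {action!r}")
        for resource in _as_list(statement["Resource"]):
            if resource == "*" or resource.endswith(":*"):
                findings.append(f"statement {index}: wildcard resource {resource!r}")
    return findings


def policy_json(policy: Policy) -> str:
    """Serialize in the form pasted into the RAM console's custom policy editor."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = build_oss_policy("mps-input-placeholder", "mps-output-placeholder")
    print(policy_json(policy))
    print("findings on custom policy:", wildcard_findings(policy))
    print("findings on full access  :", wildcard_findings(FULL_ACCESS_SHAPE))
```

Attach a policy like this to the RAM user in place of AliyunOSSFullAccess when the job's buckets are known; a leaked AccessKey pair of that user then exposes only the listed buckets and operations instead of every OSS resource in the account.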