ApsaraVideo Media Processing (MPS) uses AccessKey pairs to authenticate the identity of a request sender and prevent unauthorized access. This topic describes the basic concepts of AccessKey pairs and the differences between the AccessKey pair types.
About AccessKey pairs
MPS authenticates each request using an AccessKey pair to verify the sender's identity and required permissions.
AccessKey concepts
An AccessKey pair is a credential used for Alibaba Cloud API calls. It verifies the caller's identity and permissions. An AccessKey pair consists of an AccessKey ID and an AccessKey secret, which must be used together.
- AccessKey ID: Identifies the user.
- AccessKey secret: Authenticates the user's identity. You must keep your AccessKey secret confidential.
Note: The AccessKey secret is displayed only when it is created and cannot be retrieved later. Keep it secure. After you create an AccessKey pair, download the CSV file or copy the information to a secure location.
AccessKey pair types
Alibaba Cloud account AccessKey pair
This is the AccessKey pair for the Alibaba Cloud account that has activated MPS. It has full permissions for all resources under the account. You can have a maximum of five AccessKey pairs, including both enabled and disabled pairs. You can log on to the AccessKey console to add or delete AccessKey pairs. Each AccessKey pair can be enabled or disabled. Only enabled AccessKey pairs can be used for identity verification.
Because an Alibaba Cloud account AccessKey pair grants full permissions, leaking it poses a high security risk. We recommend that you use a RAM user AccessKey pair instead to make API calls to MPS.
RAM user AccessKey pair
Resource Access Management (RAM) is an Alibaba Cloud service for access control. RAM lets you centrally manage your users, such as employees, systems, or applications, and control the resources they can access.
A RAM user AccessKey pair is granted permissions through RAM and can access MPS only within those granted permissions. Each RAM user can have up to two AccessKey pairs, which can be enabled or disabled. RAM users belong to an Alibaba Cloud account and do not own any resources. All resources belong to the Alibaba Cloud account. You can log on to the RAM console to create RAM users and grant permissions. For more information, see Create a RAM user and grant permissions.
STS temporary AccessKey pair
Security Token Service (STS) is an Alibaba Cloud service that provides temporary access credentials. An STS temporary AccessKey pair is issued by STS with a limited validity period. It can access MPS resources only within the permissions granted by STS and automatically expires after a specified period. You can log on to the RAM console to create a RAM role and grant STS authorization.
Comparison of verification methods
Verification method | Risk | Permissions | Validity | Scenarios |
Alibaba Cloud account AccessKey pair | Very high | Permissions to manage and operate all MPS resources | Permanently valid after being enabled | For super administrator operations only. Do not use it in programs, especially on the client side. |
RAM user AccessKey pair | High | Permissions granted based on authorization policies | Permanently valid after being enabled | Suitable for authorizing specific operations such as transcoding and snapshotting. You can create multiple RAM users. If an AccessKey pair is leaked, for example, when an employee leaves, you must replace it. Use this on the server side. |
STS temporary AccessKey pair | Secure | Permissions granted based on authorization policies | Custom expiration time | Suitable for mobile or web clients. You must deploy a server to generate STS temporary AccessKey pairs and handle expiration. |
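The server-side expiration handling mentioned for STS temporary AccessKey pairs can look like the following. This is an added example, not Alibaba Cloud code: StsCredentialCache, the fetch callable, the five-minute refresh margin and the fake STS responder are assumptions made for illustration, and only the credential field names and the UTC timestamp format follow what STS returns.

```python
from datetime import datetime, timedelta, timezone

REFRESH_MARGIN = timedelta(minutes=5)  # assumption: renew 5 minutes before expiry


def parse_expiration(value):
    """Parse the UTC timestamp STS returns, e.g. '2024-01-01T13:00:00Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class StsCredentialCache:
    """Server-side cache that hands clients only temporary credentials.

    `fetch` is a hypothetical callable that performs the STS AssumeRole call
    with the server's own RAM user AccessKey pair and returns the credentials
    dict (AccessKeyId, AccessKeySecret, SecurityToken, Expiration).
    """

    def __init__(self, fetch, now=lambda: datetime.now(timezone.utc)):
        self._fetch = fetch
        self._now = now
        self._creds = None
        self._expires = None

    def get(self):
        # Refresh when nothing is cached or the cached set is about to expire.
        if self._creds is None or self._now() >= self._expires - REFRESH_MARGIN:
            creds = self._fetch()
            expires = parse_expiration(creds["Expiration"])
            if expires <= self._now():
                raise RuntimeError("STS returned credentials that are already expired")
            self._creds, self._expires = creds, expires
        return dict(self._creds)  # copy, so callers cannot mutate the cache


def make_fake_sts(clock, lifetime=timedelta(hours=1)):
    """Constructed stand-in for STS so the example runs offline."""
    calls = {"n": 0}

    def fetch():
        calls["n"] += 1
        exp = (clock() + lifetime).strftime("%Y-%m-%dT%H:%M:%SZ")
        return {"AccessKeyId": f"STS.constructed{calls['n']}",
                "AccessKeySecret": "constructed-secret",
                "SecurityToken": "constructed-token",
                "Expiration": exp}

    return fetch, calls
```

The long-lived RAM user AccessKey pair stays inside the fetch callable on the server; clients only ever receive the dict returned by get().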
Access policy details
To use MPS, you must grant permissions for MPS and OSS. You can also grant permissions for Simple Message Queue (formerly MNS) and Alibaba Cloud CDN. You must use a system policy to grant permissions for MPS. For other services, you can use a system policy or a custom policy.
Required products | Description | Required | System policy | Custom policy |
ApsaraVideo Media Processing (MPS) | To use MPS, you must grant all permissions for MPS. | Yes | Full read and write permissions for MPS: AliyunMTSFullAccess | Not supported |
Object Storage Service (OSS) | To use MPS, you must grant read and write permissions for OSS. | Yes | Full read and write permissions for OSS: AliyunOSSFullAccess | Supported. Create the policy first, and then grant the permissions. |
Simple Message Queue (formerly MNS) | If you use Simple Message Queue (formerly MNS) to subscribe to tracking tasks, you must grant permissions for MNS. | No, optional | Full read and write permissions for MNS: AliyunMNSFullAccess | |
CDN Playback Acceleration | If you use MPS to configure CDN for accelerated playback, you must grant permissions for CDN. | No, optional | Full read and write permissions for CDN: AliyunCDNFullAccess | |
If system policies do not meet your needs, you can create a custom policy. For more information, see Create a RAM user and grant permissions.