
Object Storage Service:Permissions

Last Updated:Mar 20, 2026

When a RAM user accesses Intelligent Media Management (IMM) data processing capabilities through OSS, two entities need authorization: the RAM user that makes the call, and the IMM service role that performs the processing. This topic describes the four permission grants required and provides ready-to-use policy examples.

Permission overview

IMM capabilities are accessed through the x-oss-process parameter (synchronous) or the x-oss-async-process parameter (asynchronous) on OSS API calls. Because the call passes through OSS before reaching IMM, both services must authorize the RAM user. IMM also needs its own service role to read input from OSS, write output, and send notifications.

The four required grants are:

  1. Grant the RAM user OSS permissions — to read objects and invoke IMM operations via OSS.

  2. Grant the RAM user IMM permissions — to call the IMM APIs that correspond to the operations you use.

  3. Grant the IMM service role access to OSS and other services — so IMM can read input, write output, and send notifications to Simple Message Queue (SMQ).

  4. Grant the IMM service role permissions for batch processors and triggers — required only if you use batch processing or event-driven processing.

Grant OSS permissions to the RAM user

The RAM user calling x-oss-process or x-oss-async-process needs at minimum two OSS permissions. For full OSS access, attach the AliyunOSSFullAccess system policy. For least-privilege access, create a custom policy using the permissions in the following table.

Permission             Required   Description
oss:GetObject          Yes        Read objects from OSS
oss:ProcessImm         Yes        Invoke IMM data processing operations via OSS
oss:PostProcessTask    No         Submit asynchronous processing tasks using x-oss-async-process
oss:PutObject          No         Upload objects to OSS; required when saving output with sys/saveas

oss:PostProcessTask is required only for asynchronous calls (x-oss-async-process). Synchronous calls (x-oss-process) do not need it.

For instructions on attaching policies to a RAM user, see Grant permissions to a RAM user.

Grant IMM permissions to the RAM user

For full IMM access, attach the AliyunIMMFullAccess system policy. For least-privilege access, use a custom policy that includes only the IMM permissions corresponding to the operations you use.

The following table maps each IMM operation to its required permission.

Operation            Description                                Required permission
image/cropping       Automatically crop an image                imm:DetectImageCropping
image/faces          Detect faces in an image                   imm:DetectImageFaces
video/convert        Transcode a video                          imm:CreateMediaConvertTask
video/animation      Create an animated image from a video      imm:CreateMediaConvertTask
video/sprite         Generate a sprite from a video             imm:CreateMediaConvertTask
video/snapshots      Capture frames from a video                imm:CreateMediaConvertTask
video/concat         Merge videos                               imm:CreateMediaConvertTask
video/info           Extract video metadata                     imm:DetectMediaMeta
audio/convert        Transcode an audio file                    imm:CreateMediaConvertTask
audio/concat         Merge audio files                          imm:CreateMediaConvertTask
audio/info           Extract audio metadata                     imm:DetectMediaMeta
doc/convert          Convert a document to another format       imm:CreateOfficeConversionTask
doc/edit             Edit a document                            imm:GenerateWebofficeToken
doc/preview          Preview a document                         imm:GenerateWebofficeToken
doc/snapshot         Create a document thumbnail                imm:CreateOfficeConversionTask
pointcloud/compress  Compress a point cloud file                imm:CreateCompressPointCloudTask
hls/m3u8             Generate a video playlist                  imm:GenerateVideoPlaylist
hls/ts               Create a live transcoding task             imm:LiveTranscoding

PassRole requirement

To process data in an OSS bucket, you must bind the bucket to an IMM project. When you create an IMM project, you must specify a service role, and the RAM user or RAM role must have permission to pass that service role to IMM.

The default service role is AliyunIMMDefaultRole. When no other service role is specified, IMM uses this role automatically. Add the following statement to the RAM user's policy to grant PassRole permission:

{
  "Effect": "Allow",
  "Action": "ram:PassRole",
  "Resource": "acs:ram:*:*:role/aliyunimmdefaultrole"
}
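The three grants above (OSS actions on the RAM user, the IMM action for each operation, and ram:PassRole for the service role) are easy to get wrong by hand, so the following helper, added here as an example and not part of Alibaba Cloud's own tooling, encodes the operation table from this topic. It builds a least-privilege policy for a given list of operations and buckets, and checks an existing policy document for required actions it fails to grant, honouring wildcard actions such as "imm:*" or "oss:Get*". The function names, the use_async and save_output flags, and the bucket names in the usage call are assumptions for this example.

```python
"""Least-privilege policy helper for IMM operations invoked through OSS.

Hypothetical helper (not Alibaba Cloud's tooling). It encodes the
operation-to-permission table from this topic and
  (a) builds a custom RAM policy for a set of operations and buckets,
  (b) reports which required actions an existing policy does not grant.
Deny statements and Resource scoping are deliberately ignored here; the
check answers only "does some Allow statement name this action?".
"""
import fnmatch
import json

# Mapping taken from the operation table in this topic.
IMM_PERMISSION_FOR_OPERATION = {
    "image/cropping": "imm:DetectImageCropping",
    "image/faces": "imm:DetectImageFaces",
    "video/convert": "imm:CreateMediaConvertTask",
    "video/animation": "imm:CreateMediaConvertTask",
    "video/sprite": "imm:CreateMediaConvertTask",
    "video/snapshots": "imm:CreateMediaConvertTask",
    "video/concat": "imm:CreateMediaConvertTask",
    "video/info": "imm:DetectMediaMeta",
    "audio/convert": "imm:CreateMediaConvertTask",
    "audio/concat": "imm:CreateMediaConvertTask",
    "audio/info": "imm:DetectMediaMeta",
    "doc/convert": "imm:CreateOfficeConversionTask",
    "doc/edit": "imm:GenerateWebofficeToken",
    "doc/preview": "imm:GenerateWebofficeToken",
    "doc/snapshot": "imm:CreateOfficeConversionTask",
    "pointcloud/compress": "imm:CreateCompressPointCloudTask",
    "hls/m3u8": "imm:GenerateVideoPlaylist",
    "hls/ts": "imm:LiveTranscoding",
}

# PassRole resource for the default IMM service role, as given in this topic.
PASSROLE_RESOURCE = "acs:ram:*:*:role/aliyunimmdefaultrole"


def required_actions(operations, use_async=False, save_output=False):
    """Return the sorted list of actions the calling RAM user needs.

    use_async   -> caller uses x-oss-async-process (adds oss:PostProcessTask)
    save_output -> caller writes results with sys/saveas (adds oss:PutObject)
    """
    actions = {"oss:GetObject", "oss:ProcessImm", "ram:PassRole"}
    if use_async:
        actions.add("oss:PostProcessTask")
    if save_output:
        actions.add("oss:PutObject")
    for op in operations:
        if op not in IMM_PERMISSION_FOR_OPERATION:
            raise ValueError(f"unknown IMM operation: {op}")
        actions.add(IMM_PERMISSION_FOR_OPERATION[op])
    return sorted(actions)


def build_policy(operations, buckets, use_async=False, save_output=False):
    """Build a least-privilege RAM policy document for the given operations.

    OSS actions are scoped to the named buckets; IMM actions keep Resource "*"
    and PassRole is limited to the default IMM service role.
    """
    actions = required_actions(operations, use_async, save_output)
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow",
             "Action": [a for a in actions if a.startswith("oss:")],
             "Resource": [f"acs:oss:*:*:{b}/*" for b in buckets]},
            {"Effect": "Allow",
             "Action": [a for a in actions if a.startswith("imm:")],
             "Resource": "*"},
            {"Effect": "Allow", "Action": "ram:PassRole",
             "Resource": PASSROLE_RESOURCE},
        ],
    }


def _allowed_action_patterns(policy):
    """Flatten the Action field of every Allow statement into one list."""
    patterns = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        patterns.extend([action] if isinstance(action, str) else action)
    return patterns


def missing_actions(policy, operations, use_async=False, save_output=False):
    """Return required actions that no Allow statement grants (wildcards honoured)."""
    granted = _allowed_action_patterns(policy)
    return [a for a in required_actions(operations, use_async, save_output)
            if not any(fnmatch.fnmatchcase(a, pattern) for pattern in granted)]


if __name__ == "__main__":
    # Constructed usage: document processing on one bucket, async calls, saved output.
    policy = build_policy(["doc/convert", "doc/preview"], ["bucketname1"],
                          use_async=True, save_output=True)
    print(json.dumps(policy, indent=2))
    # Reusing that policy for video/info reveals the extra IMM action it lacks.
    print("missing:", missing_actions(policy, ["video/info"]))
```

Run against a policy you already have, missing_actions is a quick regression check when a new operation is added to an application: it reports, for example, that a document-only policy lacks imm:DetectMediaMeta before the first video/info call fails with an authorization error. Because the check ignores Resource scoping, a policy that names the right actions on the wrong bucket still passes; verify resource ARNs separately.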

Grant IMM access to OSS and other services

IMM requires access to OSS to read input objects and write output, and access to SMQ to send processing notifications. The AliyunIMMDefaultRole service role covers these permissions by default.

To narrow the permissions, create a custom service role with only the access IMM needs, and specify it when you create the IMM project. For details, see Configure a service role for a project.

Grant permissions for batch processors and triggers

Batch processors and triggers require IMM to access OSS on your behalf. The default service role for this scenario is AliyunIMMBatchTriggerRole.

If the role does not exist in your account, create it on the Cloud Resource Access Authorization page.

Examples

Grant full access

Important

The following policy grants full access to all OSS and IMM resources. Use it only for development and testing. For production, create a custom policy that grants only the permissions your application needs.

The following policy allows a RAM user to use all IMM data processing operations from OSS:

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "oss:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "imm:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ram:PassRole",
            "Resource": "acs:ram:*:*:role/aliyunimmdefaultrole"
        }
    ],
    "Version": "1"
}

Grant permissions for specific operations

The following policy grants a RAM user access to document processing operations (doc/convert, doc/edit, doc/preview, doc/snapshot) on two specific buckets:

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "oss:GetObject",
                "oss:PutObject",
                "oss:PostProcessTask",
                "oss:ProcessImm"
            ],
            "Resource": [
                "acs:oss:*:*:bucketname1/*",
                "acs:oss:*:*:bucketname2/*"
            ]
        },
        {
            "Action": [
                "imm:CreateOfficeConversionTask",
                "imm:GenerateWebofficeToken"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Effect": "Allow",
            "Action": "ram:PassRole",
            "Resource": "acs:ram:*:*:role/aliyunimmdefaultrole"
        }
    ],
    "Version": "1"
}

Grant permissions for batch processors and triggers

The following policy grants the IMM service role the OSS permissions required to run batch processors and triggers:

{
    "Statement": [
        {
            "Action": [
                "oss:Get*",
                "oss:List*",
                "oss:Process*",
                "oss:PostProcess*",
                "oss:Put*",
                "oss:PutBucketInventory",
                "oss:GetBucketInventory",
                "oss:ListBucketInventory",
                "oss:DeleteBucketInventory",
                "oss:PutBucketNotification",
                "oss:DeleteBucketNotification",
                "oss:StartEventRecord",
                "oss:StopEventRecord",
                "oss:GetEventRecordStatus"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ],
    "Version": "1"
}