A RAM user is an identity in Resource Access Management (RAM). You can create RAM users under your Alibaba Cloud account and grant them permissions to control their access to your cloud resources.
Prerequisites
You have registered an Alibaba Cloud account and completed identity verification. For the registration page, see Alibaba Cloud official website. For registration instructions, see Create an Alibaba Cloud account. For identity verification instructions, see Individual identity verification or Enterprise identity verification.
Procedure
Log on to the RAM console by using an Alibaba Cloud account or a RAM user who has administrative rights.
In the left-side navigation pane, choose .
On the Users page, click Create User.

In the User Account Information section of the Create User page, configure the following parameters:
Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).
Display Name: The display name can be up to 128 characters in length.
Tag: Click the icon and enter a tag key and a tag value. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.
Note: You can click Add User to create multiple RAM users at a time.
In the Access Mode section, select an access mode and configure the parameters.
Click OK and complete the phone verification. The system automatically generates an AccessKey pair for the RAM user.

In the Actions column, click Copy to save the logon name, password, and AccessKey information of the user.
Important: Make sure to save the logon password and AccessKey information (AccessKey ID and AccessKey Secret). Otherwise, you will not be able to retrieve them later.
Return to the user list. In the Actions column of the created RAM user, click Add Permissions.
On the Add Permissions page, configure the authorization information.
Select the authorization scope.
For Resource Scope, select Account Level. Intelligent Media Service (IMS) does not support authorization by resource group. For more information about resource groups, see Differences and relationships between resource directories, resource groups, and tags.
Specify the principal. The principal is the RAM user to which you want to grant permissions. By default, the current RAM user is specified. You can also specify another RAM user.
Select permission policies.
Use system policies
In the search box under System Policy, enter AliyunICE and select a policy based on your needs.
| Policy | Description | API operation |
| --- | --- | --- |
| AliyunICEFullAccess | Permissions to manage and operate all IMS resources | This policy grants permissions on all operations of IMS. |
| AliyunICEReadOnlyAccess | Read-only permissions on all IMS resources | This policy grants permissions on all read-only operations of IMS, such as Get, Describe, Search, and List operations. |
Use custom policies
Under Custom Policy, select a policy based on your needs. If no custom policy is available, you can create one. For more information, see Create a custom permission policy and Custom policy examples.
Note: You can add up to five policies at a time. To add more, repeat the operation.
To control risks, we recommend that you follow the principle of least privilege.
If you need to use the IMS server-side SDK for iOS or Android, you must also grant OSS permissions because files need to be uploaded to OSS. You can grant the AliyunOSSFullAccess permission or customize an OSS permission policy based on your needs.
Click Add Authorization to grant permissions to the user.
Optional: If the RAM user needs to log on to the console, see Manage logon settings for a RAM user.
Custom policy examples
This topic uses "granting read-only permissions on some IMS resources" as an example to describe the parameters. Other policy examples are similar and not described.
Grant read-only permissions on some IMS resources
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ice:GetMediaProducingJob",
        "ice:GetEditingProject",
        "ice:GetMediaInfo",
        "ice:ListMediaBasicInfos",
        "ice:SearchEditingProject"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": "192.168.0.1"
        }
      }
    }
  ]
}

Parameter descriptions:
| Parameter | Required | Description |
| --- | --- | --- |
| Version | Yes | The version of the policy. The value is fixed to 1 for IMS. |
| Statement | Yes | Contains one or more statements that describe the actions, resources, effects, and conditions based on your business scenarios. |
| Action | Yes | The supported actions correspond to API operations in the ice:API name format. Separate multiple actions with commas. You can combine permissions by specifying a list of actions. For all available actions, see API overview. |
| Resource | Yes | A specific resource or a set of resources (wildcard * supported) of IMS. The format is acs:ice:<regionId>:<accountId>:*. You can also specify a list of resources. The regionId field is not supported yet. Set it to *. Because IMS does not distinguish between resources, we recommend that you set Resource to * or acs:ice:*:*:* when authorizing media library resources. |
| Effect | Yes | The authorization effect can be either Allow or Deny. When a request is made, the system sequentially evaluates each statement. A request is allowed only if all matching statements have an Effect of Allow. A request is denied if any matching statement has an Effect of Deny, or if no statements match. Important: If a policy contains both Allow and Deny, the Deny statement takes precedence. |
| Condition | No | The conditions for the policy to take effect. You can restrict access sources. For more information, see Condition. |
Grant read-only permissions on all IMS resources
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ice:Get*",
        "ice:List*",
        "ice:Search*",
        "ice:Describe*"
      ],
      "Resource": "acs:ice:*:*:*",
      "Effect": "Allow"
    }
  ]
}

Grant full permissions (including write permissions) on IMS
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ice:*",
      "Resource": "acs:ice:*:*:*"
    }
  ],
  "Version": "1"
}
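The evaluation rules given in the Effect description (explicit Deny takes precedence, no matching statement means denied) can be checked against the policies above with a small local evaluator. This is an added example in Python, not Alibaba Cloud code: the function names, the DENY_SEARCH policy and the request shape are assumptions, action patterns are matched case-sensitively, and only Action, Effect and the IpAddress/acs:SourceIp condition are modeled (Resource matching is not).

```python
import fnmatch
import ipaddress

# Policy copied from "Grant read-only permissions on some IMS resources".
READ_SOME = {"Version": "1", "Statement": [{
    "Action": ["ice:GetMediaProducingJob", "ice:GetEditingProject", "ice:GetMediaInfo",
               "ice:ListMediaBasicInfos", "ice:SearchEditingProject"],
    "Resource": "*", "Effect": "Allow",
    "Condition": {"IpAddress": {"acs:SourceIp": "192.168.0.1"}}}]}
# Policy copied from "Grant full permissions (including write permissions) on IMS".
FULL = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "ice:*", "Resource": "acs:ice:*:*:*"}]}
# Constructed for this example: an explicit Deny on search operations.
DENY_SEARCH = {"Version": "1", "Statement": [
    {"Effect": "Deny", "Action": "ice:Search*", "Resource": "acs:ice:*:*:*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_met(condition, source_ip):
    """Check the IpAddress/acs:SourceIp condition; refuse anything unmodeled."""
    for operator, keys in condition.items():
        if operator != "IpAddress" or set(keys) != {"acs:SourceIp"}:
            raise NotImplementedError(f"condition not modeled: {operator} {sorted(keys)}")
        addr = ipaddress.ip_address(source_ip)
        nets = [ipaddress.ip_network(n, strict=False) for n in _as_list(keys["acs:SourceIp"])]
        if not any(addr in net for net in nets):
            return False
    return True

def evaluate(policies, action, source_ip):
    """Return 'Allow' or 'Deny' for one request against every attached policy."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
                continue  # statement does not cover this action
            if not _condition_met(stmt.get("Condition", {}), source_ip):
                continue  # condition not satisfied, so the statement does not match
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny takes precedence over any Allow
            allowed = True
    return "Allow" if allowed else "Deny"  # no matching statement means denied

if __name__ == "__main__":
    print(evaluate([READ_SOME], "ice:GetMediaInfo", "192.168.0.1"))
    print(evaluate([FULL, DENY_SEARCH], "ice:SearchEditingProject", "192.168.0.1"))
```

Running candidate policies through a check like this before attaching them shows which requests a wildcard such as ice:* actually opens up, and confirms that the ICE policies alone never authorize OSS actions.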
Next steps
After you obtain the AccessKey information, you can install the server-side SDK and call API operations to implement your business features. For more information, see Call API operations.