Help Center/ Live/ Cloud Live/ Using IAM to Grant Access to Live/ Using IAM Roles or Policies to Grant Access to Live
Updated on 2026-01-09 GMT+08:00
View PDF

Using IAM Roles or Policies to Grant Access to Live

System-defined permissions in provided by let you control access to Live. With IAM, you can:

  • Create IAM users for personnel based on your enterprise's organizational structure. Each IAM user has their own identity credentials for accessing Live resources
  • Grant users only the permissions required to perform a given task based on their job responsibilities.
  • Entrust or a cloud service to perform efficient O&M on your Live resources.

If your does not require individual IAM users, you can skip this session.

Figure 1 shows the process of role/policy-based authorization.

Notes

  • You need to submit a service ticket to apply for role/policy-based authorization in either of the following cases:
    • You had created domain names in the AP-Singapore region before March 1, 2022.
    • You had created domain names in the CN North-Beijing4 region before March 16, 2022.

      After is enabled, unauthorized cannot call Live APIs. To gain access, they must be granted the corresponding Live permissions.

  • After assigning an IAM user the Live FullAccess permissions, you need to assign the user the following Cloud Eye permissions to monitor metrics of Live:
    • To authorize Live console access through a custom policy instead of the system-defined policies Live FullAccess and Live ReadOnlyAccess, the permission live:tenant:getTenantInformation must be included in the custom policy.
    • After assigning an IAM user the Live FullAccess permission, you need to assign the user the following Cloud Eye permissions to monitor metrics of Live:
      • CES ReadOnlyAccess: On the Cloud Eye console, choose Cloud Service Monitoring > Live to view resource monitoring metrics of Live.
      • CES FullAccess: On the Cloud Eye console, choose Cloud Service Monitoring > Live to view resource monitoring metrics of Live and perform operations.

Prerequisites

Before granting permissions to user groups, learn about system-defined permissions in for Live. To grant permissions for other services, learn about all "" supported by IAM.

Process Flow

Figure 1 Process of granting Live permissions
  1. On the IAM console, create a user group and grant it permissions

    Create a user group on the IAM console and assign it the Live ReadOnlyAccess policy.

  2. Create an IAM user and add it to the created user group.

    Create a user on the IAM console and add the user to the user group created in 1.

  3. Log in as the IAM user and verify permissions.

    Log in to the console as the created user, and select an authorized region to verify permissions.

    • Choose Service List > Live. On the Live console, choose Domains in the navigation pane and click Add Domain. If a message is displayed indicating that you have insufficient permissions to perform the operation, the Live ReadOnlyAccess policy is in effect.
    • Choose another service from Service List. If a message is displayed indicating that you have insufficient permissions to access the service, the Live ReadOnlyAccess policy is in effect.

Example Custom Policies

You can create custom policies to supplement the system-defined policies of Live. For details about the actions supported by custom policies, see .

To create a custom policy, choose either visual editor or JSON:

  • Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy grammar.
  • JSON: Create a JSON policy or edit an existing one.

For details, see . Examples of common Live custom policies:

  • Example 1: Assigning a user all permissions for Live 
    {
        "Version": "1.1",
        "Statement": [
                {
                        "Effect": "Allow",
                        "Action": [
                                "live:*:*"
                        ]
                }
        ]
}
  • Example 2: Assigning a user the read-only permission for Live 
    {
        "Version": "1.1",
        "Statement": [
                {
                        "Effect": "Allow",
                        "Action": [
                                "live:*:get*",
                                "live:*:list*"
                        ]
                }
        ]
}
  • Example 3: Denying Live domain name deletion

    A policy with only "Deny" permissions must be used with other policies. If the permissions granted to an IAM user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.

    Assume that you want to assign a user the permissions of the Live FullAccess policy but do not want them to delete Live domain names. You can create a custom policy for denying Live domain name deletion, and attach this policy together with the Live FullAccess policy to the user. As an explicit deny in any policy overrides any allows, the user can perform all operations on Live resources except for deleting Live domain names.

    Example of "Deny" permissions:

    {
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "live:domain:deleteDomain"
            ]
        }
    ]
}
  • Example 4: Creating a custom policy containing multiple actions

    A custom policy can contain the actions of one or multiple services that are of the same type (global or project-level).

    Example policy containing multiple actions:

    {
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "live:domain:createDomain"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "smn:topic:create"
            ]
        }
    ]
}