Help Center/ Live/ Cloud Live/ Using IAM to Grant Access to Live/ Using IAM Identity Policies to Grant Access to Live
Updated on 2026-02-25 GMT+08:00
View PDF
Share

Using IAM Identity Policies to Grant Access to Live

System-defined permissions in identity policy-based authorization provided by Identity and Access Management (IAM) let you control access to Live. With IAM, you can:

  • Create IAM users or user groups for personnel based on your enterprise's organizational structure. Each IAM user has their own identity credentials for accessing Live resources.
  • Grant users only the permissions required to perform a given task based on their job responsibilities.
  • Entrust a Huawei Cloud account or a cloud service to perform efficient O&M on your Live resources.

If your Huawei Cloud account meets your permissions requirements, you can skip this section.

Figure 1 shows the process of identity policy-based authorization.

Prerequisites

Before assigning permissions, learn about the system-defined permissions in Identity Policy-based Authorization for Live. To grant permissions for other services, learn about all system-defined permissions supported by IAM.

Process Flow

Figure 1 Process of granting Live permissions
  1. On the IAM console, create an IAM user or create a user group.

    Create a user or user group on the IAM console.

  2. Attach a system-defined identity policy to the user or user group.

    Attach the LiveReadOnlyPolicy system-defined identity policy to the user or user group.

  3. Logging in as the IAM user and verifying permissions

    In the authorized region, perform the following operations:

    • Choose Live in Media Services under All Services. On the Live console, choose Domains in the navigation pane to add a domain name. If a message is displayed indicating insufficient permissions for performing the operation, the LiveReadOnlyPolicy policy has taken effect.
    • Choose another service. If a message is displayed indicating insufficient permissions for performing the operation, the LiveReadOnlyPolicy policy has taken effect.

Example Custom Identity Policies

You can create custom identity policies to supplement the system-defined identity policies of Live. See actions supported by identity policy-based authorization.

To create a custom identity policy, choose either visual editor or JSON.

  • Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy grammar.
  • JSON: Create a JSON policy or edit an existing one.

For details, see Creating a Custom Identity Policy and Attaching It to a Principal.

Examples of common Live custom identity policies:

  • Example 1: Assigning a user all permissions for Live 
    {
    "Version": "5.0",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "live:*:*",
                "eps:enterpriseProjects:list",
                "smn:topic:listTopic",
                "billing:contract:viewDiscount",
                "billing:coupon:update"
            ]
        }
    ]
}
  • Example 2: Assigning a user the read-only permission for Live 
    {
    "Version": "5.0",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "live:*:get*",
                "live:*:list*",
                "eps:enterpriseProjects:list",
                "smn:topic:listTopic",
                "billing:contract:viewDiscount"
            ]
        }
    ]
}
  • Example 3: Creating a custom identity policy containing multiple actions

    A custom identity policy can contain the actions of one or more services.

    Example identity policy containing multiple actions:

    {
    "Version": "5.0",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "live:domain:createDomain"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "smn:topic:create"
            ]
        }
    ]
}