After creating roles, you can use STS to grant RAM users temporary permissions to access Table Store.

Prerequisites

You have completed the operations described in Create a temporary role and grant permissions.

Step 1: Authorize a RAM user account to assume roles

Before you can use STS to grant temporary access, you must authorize the RAM user account to assume the roles. Allowing any RAM user account to assume these roles would create unpredictable risk, so a RAM user account must be explicitly granted permission to assume each role it needs. To create two custom authorization policies and attach them to the RAM user account ram_test_app, perform the following steps:

  1. Create two custom authorization policies. Each policy allows sts:AssumeRole on exactly one role ARN (written in the acs:ram::<account-id>:role/<role-name> form used throughout this page):
    Note For more information about how to create custom authorization policies, see Create a custom policy.
    • AliyunSTSAssumeRolePolicy2016011401
      {
          "Version": "1",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": "sts:AssumeRole",
                  "Resource": "acs:ram::198***237:role/ramtestappreadonly"
              }
          ]
      }
    • AliyunSTSAssumeRolePolicy2016011402
      {
          "Version": "1",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": "sts:AssumeRole",
                  "Resource": "acs:ram::198***237:role/ramtestappwrite"
              }
          ]
      }
  2. Assign the two policies to the RAM user account ram_test_app.
    Note For more information, see Grant permissions to a RAM user.

Step 2: Use STS for authorized access

After you have authorized the RAM user account to assume the roles, you can use STS to obtain temporary access. Download the Python command line tool for STS from sts.py.

Call the tool as follows. For more information about the parameters, see API References (STS).

$ python ./sts.py AssumeRole RoleArn=acs:ram::198***237:role/ramtestappreadonly RoleSessionName=usr001 Policy='{"Version":"1","Statement":[{"Effect":"Allow","Action":["ots:ListTable","ots:DescribeTable"],"Resource":["acs:ots:*:*:ram-test-app","acs:ots:*:*:ram-test-app/*"]}]}' DurationSeconds=1000 --id=id --secret=secret

Parameters:

RoleArn: The ARN of the role to assume. To find it, log on to the RAM console, go to the Role Management page, click Manage in the Actions column for the role, and read the Arn field on the role's Basic Information page.
RoleSessionName: The name of the temporary credential. We recommend that you use a different name for each application user so that credentials can be told apart.
Policy: A policy added when the role is assumed.
Note The added policy controls the permissions of the temporary credential after the role is assumed: the credential can perform only the operations that are allowed by both the role's policy and the added policy, so the added policy can narrow the role's permissions but never extend them. For example, when files are uploaded, you can add a policy that restricts each user to a different upload path.
DurationSeconds: The validity period of the temporary credential, in seconds. Valid values: 900 to 3600.
id and secret: The AccessKey ID and AccessKey secret of the RAM user account that assumes the role.
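The rule in the Policy note, as an added example that is not part of Alibaba Cloud's documentation or tooling: a small Python evaluator that applies this page's read-only role policy together with the narrower ListTable/DescribeTable session policy from the Step 2 command, and shows that GetRow, although allowed by the role, is denied to the temporary credential. The resource ARNs are constructed, using the instance/... form of the later examples and the page's masked account id; Condition elements are not modelled.

```python
"""Effective permissions of an STS temporary credential: the intersection of
the role's policy and the session policy passed to AssumeRole (added example)."""
from fnmatch import fnmatchcase

# Role policy for ramtestappreadonly. The read example states its session
# policy equals the role's policy, so that policy text is reused here.
ROLE_READONLY = {"Version": "1", "Statement": [{"Effect": "Allow",
    "Action": ["ots:BatchGet*", "ots:Describe*", "ots:Get*", "ots:List*"],
    "Resource": ["acs:ots:*:*:instance/ram-test-app",
                 "acs:ots:*:*:instance/ram-test-app/table/*"]}]}

# Narrower session policy from the Step 2 command (ListTable and DescribeTable
# only); resources written in the instance/... form used by the later examples.
SESSION_LIST_ONLY = {"Version": "1", "Statement": [{"Effect": "Allow",
    "Action": ["ots:ListTable", "ots:DescribeTable"],
    "Resource": ["acs:ots:*:*:instance/ram-test-app",
                 "acs:ots:*:*:instance/ram-test-app/table/*"]}]}

def _matches(patterns, value):
    """RAM-style glob match: '*' wildcard, case-insensitive."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)

def policy_allows(policy, action, resource):
    """Single-policy decision: an explicit Deny wins, otherwise any Allow."""
    allowed = False
    for st in policy["Statement"]:
        if _matches(st["Action"], action) and _matches(st["Resource"], resource):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def credential_allows(role_policy, session_policy, action, resource):
    """Effective STS permission: intersection of role and session policies."""
    return (policy_allows(role_policy, action, resource)
            and policy_allows(session_policy, action, resource))

# Constructed ARNs for the test table; the masked account id is the page's.
INSTANCE = "acs:ots:cn-hangzhou:198***237:instance/ram-test-app"
TABLE = INSTANCE + "/table/test_write_read"

if __name__ == "__main__":
    for action, res in [("ots:ListTable", INSTANCE), ("ots:GetRow", TABLE),
                        ("ots:PutRow", TABLE)]:
        print(action, policy_allows(ROLE_READONLY, action, res),
              credential_allows(ROLE_READONLY, SESSION_LIST_ONLY, action, res))
```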

Step 3: Test STS

In the Table Store console, create a table named test_write_read whose primary key is a column named name of the string type. Then use the CLI tool to test read and write operations on Table Store.

Use the RAM user account ram_test_app to access Table Store. Replace the AccessKey pair in the following example with your own AccessKey pair for testing.

python2.7 ots_console --url https://TableStoreTest.cn-hangzhou.ots.aliyuncs.com --id <yourAccessKeyId> --key <yourAccessKeySecret>
You cannot access the instance!
ErrorCode: OTSNoPermissionAccess
ErrorMessage: You have no permission to access the requested resource, please contact the resource owner.

The access failed because the RAM user account ram_test_app does not have permissions to access the resources.

Use temporary permissions to read and write data and to access the console

  • Use the temporary permission to write data

    Use STS to write data. In this example, the added policy is identical to the policy of the role, DurationSeconds uses its default value of 3600, and RoleSessionName is set to session001. Perform the following steps:

    1. Use STS to obtain a temporary credential.
      python2.7 ./sts.py AssumeRole RoleArn=acs:ram::198***237:role/ramtestappwrite RoleSessionName=session001 Policy='{"Statement": [{"Effect": "Allow","Action": ["ots:Create*","ots:BatchWrite*","ots:Put*","ots:Insert*","ots:Update*","ots:Delete*"],"Resource": ["acs:ots:*:*:instance/ram-test-app","acs:ots:*:*:instance/ram-test-app/table/*"]}],"Version": "1"}' --id=<yourAccessKeyId> --secret=<yourAccessKeySecret>
      {
          "AssumedRoleUser": {
              "Arn": "acs:ram::198***237:role/ramtestappwrite/session001",
              "AssumedRoleId": "33062905274959****:session001"
          },
          "Credentials": {
              "AccessKeyId": "***",
              "AccessKeySecret": "***",
              "SecurityToken": "CAE****0ZQ=="
          },
          "RequestId": "5F92B248-F200-40F8-A05A-C9C7D018E351"
      }
    2. Use the CLI tool to write data with the credential returned in the previous step. The token parameter will be supported in the upcoming V1.2.
      python2.7 ots_console --url https://TableStoreTest.cn-hangzhou.ots.aliyuncs.com --id <yourAccessKeyId> --key <yourAccessKeySecret> --token=CAE****0ZQ==

      OTS-TableStoreTest>$ put test_write_read '001' age:integer=30
      A new row has been put in table test_write_read
  • Use the temporary permission to read data

    Use STS to read data. In this example, the added policy is identical to the policy of the role, DurationSeconds uses its default value of 3600, and RoleSessionName is set to session002. Perform the following steps:

    1. Use STS to obtain a temporary credential.
      python2.7 ./sts.py AssumeRole RoleArn=acs:ram::198***237:role/ramtestappreadonly RoleSessionName=session002 Policy='{"Statement": [{"Effect": "Allow","Action": ["ots:BatchGet*","ots:Describe*","ots:Get*","ots:List*"],"Resource": ["acs:ots:*:*:instance/ram-test-app","acs:ots:*:*:instance/ram-test-app/table/*"]}],"Version": "1"}' --id=6iT***lRt --secret=****
      {
          "AssumedRoleUser": {
              "Arn": "acs:ram::198***237:role/ramtestappreadonly/session002",
              "AssumedRoleId": "396025752746614078:session002"
          },
          "Credentials": {
              "AccessKeyId": "***",
              "AccessKeySecret": "***",
              "Expiration": "2017-06-09T09:17:19Z",
              "SecurityToken": "CAE****seQ=="
          },
          "RequestId": "EE788165-B760-4014-952C-E58ED229C80D"
      }
    2. Use the CLI tool to read data with the credential returned in the previous step. The token parameter will be supported in the upcoming V1.2.
      python2.7 ots_console --url https://TableStoreTest.cn-hangzhou.ots.aliyuncs.com --id STS***Q8Q --key **** --token=CAE****Q==

      OTS-TableStoreTest>: get test_write_read '001'
      age:INTEGER='30'
  • Use the temporary permission to access the console

    STS temporary authorization also allows a RAM user account to log on to the Table Store console and view and manage the instances and tables under the Alibaba Cloud account. In the preceding example, the RAM user account ram_test_app can assume the role RamTestAppReadOnly and obtain its permissions to view all instances and tables. To log on to the console, perform the following steps:

    1. Log on to the RAM console with an Alibaba Cloud account and go to the Overview page.
    2. Click the link below Account Management. On the RAM User Logon page, enter the RAM User Name and Password.
    3. After you log on to the console, move the pointer over the username in the upper-right corner. In the message that appears, click Switch Role.
    4. On the Switch Role page that appears, enter the enterprise alias and the name of the role to which you want to switch. Click Switch.

Step 4: Use the temporary permission to call the Java SDK

Create an OTSClient object and pass the AccessKeyId, AccessKeySecret, and SecurityToken returned by STS as its credentials, as shown in the following example:

// stsAccessKeyId, stsAccessKeySecret and stsToken come from the Credentials object returned by AssumeRole
OTSClient client = new OTSClient(otsEndpoint, stsAccessKeyId, stsAccessKeySecret, instanceName, stsToken);