Use case

Last Updated: Nov 14, 2017

This section explains safe practices for configuring a subaccount for authentication. Assume your Alibaba Account has no subaccount, and you need to replace the default AccessKey with your own AccessKey.

The CLI reads and writes data directly from the command line, and is used in the following sections.

Prerequisites

  1. Download the Table Store CLI Tool Kit.

  2. Install and configure the Table Store CLI tool as follows.

       1. Install dependency: python onekey_INSTALL.py
       2. Configure parameter: python ots_console --url https://<InstanceName>.cn-hangzhou.ots.aliyuncs.com --id <AccessID> --key <AccessKey>
       3. Execute command: for example, ct pk1:string,pk2:integer readrt:1 writert:1

For more information, see the help documentation in the CLI toolkit.

Create a subaccount

Assume you have a Table Store instance named ram-test-dev.

You need to ensure that you have stopped using the primary account to access this instance, in order to avoid problems caused by AccessKey and password exposure.

Procedure

  1. Activate the Resource Access Management service.

  2. Log on to the RAM console with the primary account.

  3. Click Users in the left-side navigation pane.

  4. Click Create User to create a subaccount with the same Table Store access permissions as the primary account.

  5. Click OK, and the AccessKey for the new user ram_test is generated.

  6. Save the AccessKey information.

  7. Click Authorize to grant the subaccount full access permissions for Table Store.

  8. (Optional) Click Manage to grant the account console logon or other permissions.

Example

In this example, the AccessKey is for ram_test. In actual scenarios, replace it with your own AccessKey.

    $ python ots_console --url https://TableStoreTest.cn-hangzhou.ots.aliyuncs.com --id VPIzjuDB6T4FGoWM --key r1usnIQ4Tw1yI6bNJkKay6A8EJoMvs
    $OTS-TableStoreTest>: ct test pk1:string,pk2:integer readrt:1 writert:1
    Table test has been created successfully.
    $OTS-TableStoreTest>: dt test
    You will delete the table:test!
    press Y (confirm) :Y
    Table test has been deleted successfully.

The ram_test subaccount can be used for all general operations, so as to avoid exposing the AccessKey of the primary account.

Read/write permission separation

To share the data of a Table Store instance without allowing modification, separate read and write permissions by creating a subaccount with read-only permission.

Create an account named ram_test_pub. Select ReadOnly on the Edit User-Level Authorization page to grant the subaccount ReadOnly access permission for Table Store.

Example

Use the AccessKey of the subaccount to test the permissions of creating and deleting a table. In this example, the AccessKey is for ram_test_pub. In actual scenarios, replace it with your own AccessKey.

    $ python ots_console --url https://TableStoreTest.cn-hangzhou.ots.aliyuncs.com --id ftWyMEYu1rBYTbWM --key u4qR5IGu5xJsvSO1y8moyC6n5vA7af
    $OTS-TableStoreTest>: ct test pk1:string,pk2:integer readrt:1 writert:1
    Fail to create table test.
    $OTS-TableStoreTest>: dt test
    You will delete the table:test!
    press Y (confirm) :Y
    Fail to delete table test.

Note: The ram_test_pub subaccount cannot be used to create or delete a table.
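The read/write separation tested above can also be checked offline against a policy document before it is attached to a subaccount. The following is an added example, not code from the Table Store CLI or the original page; it is a simplified model of policy evaluation (explicit Deny wins, then Allow, otherwise implicit deny). The policy text, the resource string format, and the account ID are constructed assumptions.

```python
from fnmatch import fnmatchcase

# Constructed policy in RAM policy-document form (an assumption, not copied
# from the page): read-style Table Store actions on instance ram-test-dev only.
READ_ONLY_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ots:BatchGet*", "ots:Describe*", "ots:Get*", "ots:List*"],
        "Resource": "acs:ots:*:*:instance/ram-test-dev*",
    }],
}

WRITE_ACTIONS = ["ots:CreateTable", "ots:DeleteTable", "ots:UpdateTable",
                 "ots:PutRow", "ots:UpdateRow", "ots:DeleteRow", "ots:BatchWriteRow"]
# Constructed resource string; the account ID is a placeholder.
TABLE = "acs:ots:cn-hangzhou:1234567890:instance/ram-test-dev/table/test"

def _matches(patterns, value):
    # "*" wildcard match, compared case-insensitively in this model.
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)

def is_allowed(policy, action, resource):
    """Explicit Deny wins, then Allow, otherwise implicit deny."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def write_actions_allowed(policy, resource, write_actions=WRITE_ACTIONS):
    """Return the write actions that a supposedly read-only policy still permits."""
    return [a for a in write_actions if is_allowed(policy, a, resource)]

if __name__ == "__main__":
    for action in ["ots:GetRow", "ots:CreateTable", "ots:DeleteTable"]:
        print(action, "->", "allow" if is_allowed(READ_ONLY_POLICY, action, TABLE) else "deny")
```

An empty list from write_actions_allowed corresponds to the failed ct and dt commands in the session above; a non-empty list means the policy is not read-only.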
