All Products
Document Center


Last Updated: May 22, 2018

This section describes how to use RAM in Function Compute to access your Alibaba Cloud resources. Here is an example about how to grant correct permission to Function Compute to access OSS resources, like writes a string to a file in the OSS bucket, and reads the data from the file and returns it to user. In this example, you can learn about:

  • The definition of RAM

  • The definition of OSS

  • The steps of granting permission to Function Compute through RAM to access OSS resources


In this example, it is assumed that the function code is stored in the code directory. OSS and RAM are activated.

Using console

Create OSS bucket

In the OSS console, your own bucket is created, as shown in the following figure.

create bucket

Create Function Compute Service

Create a service named “oss_demo” and create a new role with “AliyunOSSFullAccess” policy, and click “Authorize”:CreateService

Click “Confirm authorization policy” in Role template pagegrant

Service role has been update, click “OK”.confirm

Create Function under Service

Create Function with empty template and no triggerfunction

Copy code below in online editor, replace the name of the OSS bucket in the code with your own bucket name:

  1. 'use strict';
  2. var oss = require('ali-oss').Wrapper;
  3. module.exports.handler = function(event, context, callback) {
  4. console.log('Received event:', event.toString());
  5. // Create oss client
  6. var ossclient = new oss ({
  7. // Credentials can be retrieved from context
  8. accessKeyId: context.credentials.accessKeyId,
  9. accessKeySecret: context.credentials.accessKeySecret,
  10. stsToken: context.credentials.securityToken,
  11. region: 'oss-cn-shanghai',
  12. bucket: 'ls-oss-test', // your bucket
  13. });
  14. ossclient.put('remote.txt', new Buffer('fc write ' + event.toString() + ' in oss bucket')). then(function(res) {
  15. return ossclient.get('remote.txt');
  16. }).then(function(res) {
  17. callback(null, res.content);
  18. }).catch(function(err) {
  19. callback(err);
  20. });
  21. };
  1. # -*- coding: utf-8 -*-
  2. import time, os
  3. import oss2
  4. def handler(event, context):
  5. endpoint=''
  6. creds = context.credentials
  7. auth = oss2.StsAuth(creds.access_key_id,
  8. creds.access_key_secret,
  9. creds.security_token)
  10. bucket = oss2.Bucket(auth, endpoint, 'ls-oss-test') # your bucket
  11. bucket.put_object('remote.txt' , 'fc write ' + event + ' into oss bucket')
  12. remote_stream = bucket.get_object('remote.txt')
  13. return

Click “Invoke”:result

Using fcli

Create a Function Compute role and grant permissions

Create a RAM role that has the permission to access OSS. Function Compute plays this role to use OSS resources. Run fcli shell to enter the interactive mode.

  1. mksr fc-oss-op
  2. mkrp fc-oss-gp -a '["oss:GetObject", "oss:PutObject"]' -r '"*"'
  3. attach -p /ram/policies/fc-oss-gp -r /ram/roles/fc-oss-op
  4. mks oss_demo -r acs:ram::12345:role/fc-oss-op

Replace “12345” in the last command with your own Alibaba Cloud account ID.

The preceding commands are described as follows:

  1. Create a RAM role: fc-oss-op.

  2. Create a policy for reading data from and writing data to OSS: fc-oss-gp.

  3. Assign the fc-oss-gp policy for the fc-oss-op role. In this way, the fc-oss-op role can read or write resources on OSS.

  4. Create the oss_demo service and use fc-oss-op as the service role. All functions in the oss_demo service can play as the fc-oss-op role to read data from or write data to OSS resources.

Note: In fcli shell mode, all RAM related resources are managed under the /ram/ path. For more information about RAM, see related documentation.

Create a function

Create the code directory under the current directory and create the fc_oss.js file under the code directory, copy same code into fc_oss.js andrun mkf oss_demo/fc-oss -h fc_oss.handler -d code -t nodejs6 in fcli shell to create the fc-oss function in the oss_demo service.

Call a function

Run invk oss_demo/fc-oss -s hello_oss in fcli shell. The output result “fc write hello_oss in oss bucket” is displayed. Log on to the OSS console. The remote.txt file is displayed in the corresponding bucket.

Complete example

Note: For more information about the complete shell operation video, click here. You can directly copy the commands from the video.