
DataWorks: Associate a RAM role with an individual development environment

Last Updated: Dec 03, 2024

If you want to access other Alibaba Cloud services in an individual development environment in DataWorks, you must configure an AccessKey pair for identity authentication. If you associate a RAM role with the individual development environment, you can access other Alibaba Cloud services in the individual development environment by using a temporary access credential provided by Security Token Service (STS). You do not need to configure a long-term AccessKey pair. This helps reduce security risks that are caused by AccessKey pair leaks. This topic describes how to obtain a temporary access credential provided by STS by using a RAM role.

Background information

You can create a RAM role whose trusted entity is an Alibaba Cloud service. The Alibaba Cloud service can assume the RAM role to implement cross-service access. For information about RAM roles, see RAM role overview.

You can obtain a temporary access credential by using the RAM role to implement identity authentication and access control. This method has the following benefits:

  • Security and confidentiality

    If you use a temporary access credential provided by STS for access, you do not need to configure a long-term AccessKey pair or manage credentials in your individual development environment. This helps reduce security risks that are caused by AccessKey pair leaks.

Limits

You can associate only one RAM role with an individual development environment.

Step 1: Associate a RAM role with an individual development environment

Scenario 1: Associate the default role of DataWorks with an individual development environment

If you use Notebook or Python to perform data development operations in DataWorks, you do not need to configure an AccessKey pair to access specific Alibaba Cloud services.

The default role of DataWorks has permissions to access MaxCompute, Hologres, EMR Serverless Spark, Realtime Compute for Apache Flink, and Platform for AI (PAI). When you access the preceding services by using the temporary access credential issued based on the default role of DataWorks, you obtain the permissions of the owner of an individual development environment.

If you associate the default role of DataWorks with an individual development environment, you do not need to create a RAM role. In addition, you can obtain a temporary access credential that allows you to access basic development resources in the individual development environment.

After you associate the default role of DataWorks with an individual development environment, you do not need to configure an AccessKey pair when you perform the following operations:

  • Use an SQL cell of Notebook to access MaxCompute, Hologres, EMR Serverless Spark, Realtime Compute for Apache Flink, or PAI.

  • Use MaxCompute SDK to submit a task to a MaxCompute project on which the owner of the individual development environment has execution permissions.


Scenario 2: Do not associate a RAM role with an individual development environment

If your individual development environment is set to be public in the workspace, we recommend that you do not associate a RAM role with the environment. This can prevent permission leaks. When you create an individual development environment or change the configurations of an individual development environment, you can set the RAM Role parameter in the Advanced Information section to Do Not Associate Role.

If you do not associate any RAM role with the individual development environment, you can configure an AccessKey pair in code to access other Alibaba Cloud services.


Step 2: Obtain a temporary access credential based on the RAM role associated with the individual development environment

You can use one of the following methods to obtain a temporary access credential in the individual development environment with which a RAM role is associated.

Method 1: Use the Alibaba Cloud Credentials tool

The Alibaba Cloud Credentials tool calls the local service that is automatically injected when you create an individual development environment to obtain a temporary access credential provided by STS. The credential is updated on a regular basis.

To use the Credentials tool to obtain an access credential for the RAM role, first install the Alibaba Cloud Credentials tool. Sample command for Python:

pip install alibabacloud_credentials

The following sample code provides an example on how to use the Credentials tool. For more information about SDK examples in other programming languages, see Best practices for using an access credential to call API operations.

from alibabacloud_credentials.client import Client as CredClient
from alibabacloud_credentials.models import Config as CredConfig

credentialsConfig = CredConfig(
    type='credentials_uri'   # Optional. If you did not configure other access methods for the default credential chain, you do not need to explicitly configure this parameter. The Credentials SDK obtains a temporary access credential by using the URI.
)
# Pass the Config instance, not the Config class, to the client.
credentialsClient = CredClient(credentialsConfig)
# Read the current temporary credential; the tool refreshes it on a regular basis.
access_key_id = credentialsClient.get_access_key_id()

Method 2: Access the local service of the individual development environment

In the individual development environment, you can run the following command on the terminal to call the injected local service and obtain a temporary access credential:

# Obtain a temporary access credential for the RAM role.
curl $ALIBABA_CLOUD_CREDENTIALS_URI

The following code shows a sample response. Parameters:

  • SecurityToken: the temporary token of the RAM role

  • Expiration: the expiration time of the temporary access credential for the RAM role

{
	"Code": "Success",
	"AccessKeyId": "STS.N*********7",
	"AccessKeySecret": "3***************d",
	"SecurityToken": "DFE32G*******",
	"Expiration": "2024-05-21T10:39:29Z"
}

Method 3: Access the local file of the individual development environment

You can access the file in the specified path of the individual development environment to obtain the temporary access credential. The path of the file is /mnt/.alibabacloud/credentials. The following code provides an example of the file content:

{
	"AccessKeyId": "STS.N*********7",
	"AccessKeySecret": "3***************d",
	"SecurityToken": "DFE32G*******",
	"Expiration": "2024-05-21T10:39:29Z"
}
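The following Python is an added example, not part of the DataWorks documentation or the Alibaba Cloud SDKs, that reads and validates the credential obtained through Method 2 (the local service at $ALIBABA_CLOUD_CREDENTIALS_URI) or Method 3 (the file /mnt/.alibabacloud/credentials): it checks the Code field, the required keys, the STS. prefix shown in the sample responses, and whether Expiration is close enough that the credential should be re-read. The SAMPLE_RESPONSE values and the names StsCredential, parse_credential, needs_refresh and load_credential are constructed for this example.

```python
import json
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.request import urlopen

# Constructed sample in the shape returned by the local service; the values are placeholders.
SAMPLE_RESPONSE = """{
  "Code": "Success",
  "AccessKeyId": "STS.EXAMPLEKEYID",
  "AccessKeySecret": "EXAMPLESECRET",
  "SecurityToken": "EXAMPLETOKEN",
  "Expiration": "2024-05-21T10:39:29Z"
}"""

@dataclass
class StsCredential:
    access_key_id: str
    access_key_secret: str
    security_token: str
    expiration: datetime

def parse_utc(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)  # "Z" means UTC

def parse_credential(text: str) -> StsCredential:
    """Validate the JSON body from the local service (Method 2) or the local file (Method 3)."""
    data = json.loads(text)
    # The local service reports failures through "Code"; the local file has no such field.
    if data.get("Code", "Success") != "Success":
        raise RuntimeError("credential service returned Code=%s" % data["Code"])
    for key in ("AccessKeyId", "AccessKeySecret", "SecurityToken", "Expiration"):
        if not data.get(key):
            raise ValueError("credential is missing %s" % key)
    # Temporary STS AccessKey IDs carry the "STS." prefix seen in the sample responses above.
    if not data["AccessKeyId"].startswith("STS."):
        raise ValueError("AccessKeyId does not look like an STS temporary credential")
    return StsCredential(data["AccessKeyId"], data["AccessKeySecret"], data["SecurityToken"], parse_utc(data["Expiration"]))

def needs_refresh(cred: StsCredential, now: datetime, margin: timedelta = timedelta(minutes=5)) -> bool:
    return now + margin >= cred.expiration  # expired, or expiring within the safety margin

def load_credential(uri=None, path="/mnt/.alibabacloud/credentials") -> StsCredential:
    """Prefer the injected local service (Method 2) and fall back to the local file (Method 3)."""
    uri = uri or os.environ.get("ALIBABA_CLOUD_CREDENTIALS_URI")
    if uri:
        with urlopen(uri, timeout=5) as resp:
            return parse_credential(resp.read().decode("utf-8"))
    with open(path, encoding="utf-8") as f:
        return parse_credential(f.read())
```

Call load_credential() inside the individual development environment; outside it, neither the URI nor the file exists and the function raises.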

Step 3: Access MaxCompute by using the RAM role associated with the individual development environment

  1. Run the following commands to install the Credentials tool and MaxCompute SDK:

    # Install the Credentials tool.
    pip install alibabacloud_credentials
    # Install MaxCompute SDK.
    pip install odps
  2. Use the temporary access credential of the RAM role to access MaxCompute and obtain the table list of a specific project.

    from alibabacloud_credentials import providers
    from odps.accounts import CredentialProviderAccount
    from odps import ODPS
    
    if __name__ == '__main__':
        account = CredentialProviderAccount(providers.DefaultCredentialsProvider())
        o = ODPS(
                 account=account,
                 project="{odps_project}",  # Replace the value with the name of the project that you want to access.
                 endpoint="{odps_endpoint}",  # Replace the value with the endpoint of the region in which the project resides.
                )
    
        for t in o.list_tables():
            print(t)