When Function Compute accesses other Alibaba Cloud services, you must grant the required permissions to a service in Function Compute. After the service is granted specific permissions, all functions in the service have the permissions. This topic describes how to grant Function Compute the permissions to access other Alibaba Cloud services in the Function Compute console.
How it works
Function Compute calls AssumeRole on the role configured for the service to which the function belongs and obtains a Security Token Service (STS) token as a temporary key. Function Compute then passes the temporary key to the function through the Credentials or credentials parameter in the context. The temporary key carries exactly the permissions that you granted to the role, and you can use it in the function code to access other Alibaba Cloud services.
The temporary key is valid for 36 hours, and this validity period cannot be changed. Because the maximum execution time of a function is 24 hours, the temporary key remains valid for the whole execution of the function.
Default service roles in Function Compute
When a function is executed, Function Compute needs to access other Alibaba Cloud resources. For example, Function Compute needs to write function logs to the specified Logstore in Log Service, pull images from Container Registry, or connect to virtual private clouds (VPCs). To simplify authorization, Function Compute provides the default RAM role AliyunFCDefaultRole. This role has the permissions that are required by Function Compute to access specific Alibaba Cloud resources. For more information about how to create the AliyunFCDefaultRole role and how to bind the role, see Activate Function Compute. You can log on to the RAM console to view the details of the AliyunFCDefaultRole role.
The permissions of the AliyunFCDefaultRole role are coarse-grained. You can also assign other RAM roles to services in Function Compute and attach related policies to the RAM roles to grant fine-grained permissions.
Before you begin
Procedure
This example describes how to grant Function Compute permissions to access Object Storage Service (OSS).
- Log on to the Function Compute console. In the left-side navigation pane, click Services & Functions.
- In the top navigation bar, select a region. On the Services page, find the desired service and click Configure in the Actions column.
- In the Role Settings section on the Modify Service page, perform the following operations and click Save.
  - Create a RAM role
    - Click Create Role to go to the Roles page.
    - On the Roles page, click Create Role to create a RAM role for a trusted Alibaba Cloud service. For more information, see Create a RAM role for a trusted Alibaba Cloud service. Note: In this example, select Function Compute from the Select Trusted Service drop-down list.
    - Grant the new role the permissions to manage OSS. For more information, see Grant permissions to a RAM role.
  - Use an existing RAM role
    - Select the RAM role that you want to assign from the Service Role drop-down list.
    - If you select a role that does not have the permissions to manage OSS, grant the permissions to the role. For more information, see Grant permissions to a RAM role.
- In the left-side navigation pane, click Functions and click the desired function.
- On the function details page, click the Code tab, edit the function code in the code editor, and then click Deploy. The following example uses the Python standard runtime and accesses OSS with the temporary key that Function Compute provides in the context.

```python
import json
import oss2


def handler(event, context):
    evt = json.loads(event)
    creds = context.credentials
    # Enter the temporary key, including the temporary token.
    # The AccessKey pair of an Alibaba Cloud account can be used to access all
    # API operations. Using these credentials to perform operations in Function
    # Compute is a high-risk operation. We recommend that you use a RAM user to
    # call API operations or perform routine O&M.
    # We recommend that you do not save the AccessKey ID or AccessKey secret in
    # your project code. Otherwise, the AccessKey pair may be leaked and the
    # security of all resources under your account may be compromised. In this
    # example, the AccessKey or AccessSecretKey is obtained from the context.
    auth = oss2.StsAuth(creds.access_key_id, creds.access_key_secret, creds.security_token)
    bucket = oss2.Bucket(auth, evt['endpoint'], evt['bucket'])
    bucket.put_object(evt['objectName'], evt['message'])
    return 'success'
```
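The following is an added example, not code from the Function Compute documentation or the oss2 SDK. It puts together the two halves of the flow described on this page: the RAM policy documents a fine-grained service role needs (a trust policy naming Function Compute as the trusted service, and a permission policy scoped to one bucket prefix instead of all of OSS), and a handler that validates the event and reads the STS credentials from the context before touching OSS, failing clearly when the service has no role bound. The attribute names on the context (credentials.access_key_id, access_key_secret, security_token) are those of the Python runtime; the assumption that an unbound role shows up as empty credential fields, the fake context classes and all placeholder values are constructed for local checks only.

```python
"""Added example: least-privilege service role policies and a handler that
consumes the STS credentials Function Compute injects into the context."""
import json
from dataclasses import dataclass

# Service principal that Function Compute uses when it assumes a RAM role.
FC_SERVICE_PRINCIPAL = "fc.aliyuncs.com"


def trust_policy() -> dict:
    """Trust policy for a role whose trusted service is Function Compute:
    only fc.aliyuncs.com may call sts:AssumeRole on the role."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {"Service": [FC_SERVICE_PRINCIPAL]},
        }],
    }


def oss_write_policy(bucket: str, prefix: str = "") -> dict:
    """Permission policy that allows writing objects under one prefix of one
    bucket, the fine-grained alternative to granting full OSS access."""
    if not bucket:
        raise ValueError("bucket name is required")
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["oss:PutObject"],
            "Resource": [f"acs:oss:*:*:{bucket}/{prefix}*"],
        }],
    }


@dataclass(frozen=True)
class StsCredentials:
    access_key_id: str
    access_key_secret: str
    security_token: str


def credentials_from_context(context) -> StsCredentials:
    """Pull the temporary key out of the runtime context. All three fields
    must be non-empty: an empty security_token would mean a long-term key was
    injected rather than an STS token, and empty fields are assumed to mean no
    role is configured for the service."""
    creds = getattr(context, "credentials", None)
    if creds is None:
        raise RuntimeError("context has no credentials attribute")
    fields = {
        name: getattr(creds, name, None)
        for name in ("access_key_id", "access_key_secret", "security_token")
    }
    missing = [name for name, value in fields.items() if not value]
    if missing:
        raise RuntimeError(
            "no usable STS credentials in context (missing %s); "
            "is a RAM role configured for the service?" % ", ".join(missing))
    return StsCredentials(**fields)


def parse_upload_event(event) -> dict:
    """Validate the event before any credential is used, so a malformed
    request fails early and without an OSS call."""
    evt = json.loads(event)
    required = ("endpoint", "bucket", "objectName", "message")
    missing = [key for key in required if key not in evt]
    if missing:
        raise ValueError("event is missing fields: " + ", ".join(missing))
    return evt


def handler(event, context):
    """Function Compute entry point: upload evt['message'] with the role's
    temporary key. oss2 is imported lazily so the helpers above can be checked
    locally without the SDK installed."""
    evt = parse_upload_event(event)
    creds = credentials_from_context(context)
    import oss2
    auth = oss2.StsAuth(creds.access_key_id, creds.access_key_secret,
                        creds.security_token)
    bucket = oss2.Bucket(auth, evt["endpoint"], evt["bucket"])
    bucket.put_object(evt["objectName"], evt["message"])
    return "success"


# Constructed stand-ins for the runtime context; every value is a placeholder.
@dataclass
class FakeCredentials:
    access_key_id: str = ""
    access_key_secret: str = ""
    security_token: str = ""


@dataclass
class FakeContext:
    credentials: FakeCredentials


def example_context_with_role() -> FakeContext:
    return FakeContext(FakeCredentials("STS.placeholder-id", "placeholder-secret",
                                       "placeholder-token"))


def example_context_without_role() -> FakeContext:
    return FakeContext(FakeCredentials())
```

Paste the output of `trust_policy()` and `oss_write_policy(...)` into the role's trust policy and a custom permission policy in the RAM console; the handler then only needs the role bound to the service, and the credentials check turns a missing binding into an immediate, readable error rather than an authentication failure from OSS.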