All Products
Search

This Product

    Function Compute:Grant Function Compute permissions to access other Alibaba Cloud services

    Document Center

    Function Compute:Grant Function Compute permissions to access other Alibaba Cloud services

    Last Updated:Jun 19, 2023

    When Function Compute accesses other Alibaba Cloud services, you must grant the required permissions to a service in Function Compute. After the service is granted specific permissions, all functions in the service have the permissions. This topic describes how to grant Function Compute the permissions to access other Alibaba Cloud services in the Function Compute console.

    How it works

    Function Compute obtains a Security Token Service (STS) token as the temporary key by using AssumeRole based on the role configured for the service to which the function belongs. Then Function Compute passes the temporary key to the function by using the Credentials or credentials parameter in the context. This temporary key contains all resources with the permissions that you have configured. You can use it in the function code to access other Alibaba Cloud services.

    The temporary key is valid for 36 hours and cannot be modified. The maximum execution time of a function is 24 hours. Therefore, the temporary key is valid during the execution of the function.

    The location of the Credentials or credentials parameter varies with different runtimes. You can refer to the following topics. When you use a custom runtime or custom container runtime, the temporary key is injected into the header of an HTTP request.

    Default service roles in Function Compute

    When a function is executed, Function Compute needs to access other Alibaba Cloud resources. For example, Function Compute needs to write function logs to the specified Logstore in Log Service, pull images from Container Registry, or connect to virtual private clouds (VPCs) for access. To simplify authorization, Function Compute provides the default RAM role AliyunFCDefaultRole. This role has the permissions that is required by Function Compute to access specific Alibaba Cloud resources. For more information about how to create the AliyunFCDefaultRole role and how to bind the role, see Activate Function Compute. You can log on to the RAM console to view the details of the AliyunFCDefaultRole role.

    The permissions of the AliyunFCDefaultRole role are coarse-grained. You can also assign other RAM roles to services in Function Compute and attach related policies to the RAM roles to grant fine-grained permissions.

    For example, you want all functions in a service in Function Compute to have the permissions to manage OSS, but the AliyunFCDefaultRole role does not have the permissions. In this case, you must assign a RAM role to the service and attach the policy that is used to grant the permissions to manage OSS to the RAM role when you configure permissions for the service. Then, all functions in the service have the permissions to manage OSS. For more information, see Procedure.
    Important AliyunFCDefaultRole is a default system role in Function Compute. The role applies to all services. Do not attach other policies to this role. If you need to attach other policies, add a role and grant permissions to the role.

    Before you begin

    Procedure

    This example describes how to grant Function Compute permissions to access Object Storage Service (OSS).

    1. Log on to the Function Compute console. In the left-side navigation pane, click Services & Functions.
    2. In the top navigation bar, select a region. On the Services page, find the desired service and click Configure in the Actions column.
    3. In the Role Settings section on the Modify Service Page, perform the following operations and click Save.
      • Create a RAM role
        1. Click Create Role to go to the Roles page.
        2. On the Roles page, click Create Role to create a RAM role for a trusted Alibaba Cloud service. For more information, see Create a RAM role for a trusted Alibaba Cloud service.
          Note In this example, select Function Compute from the Select Trusted Service drop-down list.
        3. Grant the new role the permissions to manages OSS. For more information, see Grant permissions to a RAM role.
      • Use an existing RAM role
        1. Select the RAM role that you want to assign from the Server Role drop-down list.
        2. If you select a role that does not have the permissions to manage OSS, you must grant the permissions to the role. For more information, see Grant permissions to a RAM role.
    4. In the left-side navigation pane, click Functions and click the desired function.
    5. On the function details page, click the Code tab, edit the function code in the code editor, and then click Deploy.
      Take a Python standard runtime as an example. You can use the temporary key provided by Function Compute to access OSS. 
      import json
import oss2

def handler(event, context):
    evt = json.loads(event)
    creds = context.credentials
    # Enter the temporary key, including the temporary token. 
    # The AccessKey pair of an Alibaba Cloud account can be used to access all API operations. Using these credentials to perform operations in Function Compute is a high-risk operation. We recommend that you use a RAM user to call API operations or perform routine O&M. 
    # We recommend that you do not save the AccessKey ID or AccessKey secret in your project code. Otherwise, the AccessKey pair may be leaked and the security of all resources under your account may be compromised. 
    In this example, the AccessKey or AccessSecretKey is obtained from the context. 
    auth = oss2.StsAuth(creds.access_key_id, creds.access_key_secret, creds.security_token)
    bucket = oss2.Bucket(auth, evt['endpoint'], evt['bucket'])
    bucket.put_object(evt['objectName'], evt['message'])
    return 'success'