
Function Compute: Grant Function Compute permissions to access other Alibaba Cloud services

Last Updated:Jan 10, 2025

Some features of Function Compute require Function Compute to access other Alibaba Cloud services on your behalf. For example, when you configure the logging feature for a function, Function Compute must be allowed to write logs to the specified Logstore. Function Compute can use its service-linked role to access specific Alibaba Cloud services, such as Simple Log Service and Virtual Private Cloud (VPC), and to perform asynchronous invocations. If you authorize Function Compute to assume the service-linked role, the functions that you create use this role as their default role, so you do not need to configure a role for each function separately. If your code needs to access services beyond these, or you require more fine-grained access control, configure a role for the function manually as described in this topic.

How it works

Function Compute calls the STS AssumeRole operation on the function role to obtain a temporary key (a Security Token Service token), and passes that temporary key to the function through the Credentials or credentials parameter of the context. The temporary key carries exactly the permissions that have been granted to the function role, no more. Your function code uses it when calling other Alibaba Cloud services, so every call is made with the permissions of the role rather than with a long-term AccessKey pair.

The temporary key is valid for 36 hours, and this validity period cannot be changed. Because the maximum execution time of a function is 24 hours, the temporary key remains valid for the entire execution of a function.

The location of the Credentials or credentials parameter varies by runtime; see the context description for the runtime that you use. In a custom runtime or Custom Container runtime there is no context object: the temporary key is injected into the headers of each HTTP request that the runtime receives, and your code must read it from there.
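
The following added example is not code from the original page or from the Function Compute runtime. It shows how function code can obtain the temporary key in both cases described above: from context.credentials in a built-in runtime, or from the request headers in a custom runtime, which are assumed here to be x-fc-access-key-id, x-fc-access-key-secret and x-fc-security-token. It also refuses a credential that has no security token or whose AccessKey ID lacks the STS. prefix that STS-issued keys carry, because an AccessKey pair that arrives without these is a long-term key that should never be in function code. The sample context and headers are constructed and contain no real credentials.

```python
from dataclasses import dataclass
from types import SimpleNamespace
from typing import Mapping, Optional

# Header names that Function Compute custom runtimes use to pass the
# temporary key (assumed here; confirm against the runtime documentation).
HEADER_AK_ID = "x-fc-access-key-id"
HEADER_AK_SECRET = "x-fc-access-key-secret"
HEADER_TOKEN = "x-fc-security-token"


class CredentialError(Exception):
    """No usable STS temporary key is available to the function."""


@dataclass(frozen=True)
class StsCredentials:
    access_key_id: str
    access_key_secret: str
    security_token: str


def validate(ak_id: Optional[str], ak_secret: Optional[str],
             token: Optional[str]) -> StsCredentials:
    """Accept only a complete STS temporary key; reject long-term keys."""
    if not ak_id or not ak_secret:
        raise CredentialError(
            "no AccessKey pair available: is a role bound to the function?")
    if not token:
        # An STS temporary key always carries a security token. A pair
        # without one is a long-term AccessKey and must not reach function code.
        raise CredentialError(
            "credential has no security token; refusing long-term AccessKey")
    if not ak_id.startswith("STS."):
        # AccessKey IDs issued by STS are prefixed "STS." (sanity check, assumed).
        raise CredentialError("AccessKey ID is not an STS temporary key")
    return StsCredentials(ak_id, ak_secret, token)


def from_context(context) -> StsCredentials:
    """Built-in runtimes: the key is exposed on context.credentials."""
    creds = getattr(context, "credentials", None)
    if creds is None:
        raise CredentialError("context carries no credentials")
    return validate(getattr(creds, "access_key_id", None),
                    getattr(creds, "access_key_secret", None),
                    getattr(creds, "security_token", None))


def from_headers(headers: Mapping[str, str]) -> StsCredentials:
    """Custom and Custom Container runtimes: the key arrives as request headers."""
    lower = {k.lower(): v for k, v in headers.items()}
    return validate(lower.get(HEADER_AK_ID), lower.get(HEADER_AK_SECRET),
                    lower.get(HEADER_TOKEN))


# Constructed sample inputs standing in for a real invocation context and a
# real custom-runtime request; the values are placeholders, not credentials.
SAMPLE_CONTEXT = SimpleNamespace(credentials=SimpleNamespace(
    access_key_id="STS.EXAMPLEKEYID",
    access_key_secret="EXAMPLESECRET",
    security_token="EXAMPLETOKEN"))
SAMPLE_HEADERS = {
    "X-Fc-Access-Key-Id": "STS.EXAMPLEKEYID",
    "X-Fc-Access-Key-Secret": "EXAMPLESECRET",
    "X-Fc-Security-Token": "EXAMPLETOKEN",
}

if __name__ == "__main__":
    print(from_context(SAMPLE_CONTEXT) == from_headers(SAMPLE_HEADERS))
```

Header lookup is case-insensitive because HTTP frameworks used in custom runtimes normalize header names differently. Raising instead of silently falling back to environment variables or a hard-coded pair keeps a misconfigured role from being papered over by a long-term key.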

Example: Grant Function Compute permissions to access OSS

In this example, Function Compute is granted permissions to manage Object Storage Service (OSS) resources. If you want to grant a specific function permissions to manage OSS resources, you can bind the corresponding role to the function.

Prerequisites

Function creation is completed. For more information, see Create a function.

Procedure

  1. Log on to the Function Compute console. In the left-side navigation pane, click Functions.

  2. In the top navigation bar, select a region. On the Functions page, find the function that you want to manage and click Configure in the Actions column.

  3. In the Function Details page of your function, click the Configurations tab. In the left-side navigation pane, click Permissions and then click Modify. In the Permissions panel, click Create Role to go to the Resource Access Management (RAM) console. Create a role as prompted and grant it permissions based on your business requirements.

    If you already have a usable role, you can directly use it. If the role does not have the required permissions, you can click Modify Policy to attach policies to the role. For more information, see Grant permissions to a RAM role.


    1. On the Roles page of the RAM console, click Create Role.

    2. In the Select Role Type step, select Alibaba Cloud Service as the trusted entity and click Next.


    3. In the Configure Role step, set Role Type to Normal Service Role, specify the RAM role name, set Select Trusted Service to Function Compute, and then click OK. In this example, the RAM role name is mytestrole.


    4. In the Finish step, click Add Permissions to RAM Role and click Grant Permission.

    5. In the Grant Permission panel, specify the Resource Scope and Principal parameters. The principal defaults to the role that you selected. Select the system and custom policies that you need; they are added to the Selected Policy section on the right side of the panel. When you have made your selections, click Grant Permission. For more information, see Policies and sample policies. The following items describe the options for the Resource Scope parameter.

      • Account: The permissions are valid for all resources within the current Alibaba Cloud account.

      • ResourceGroup: The permissions are valid for a specific resource group. If you select ResourceGroup for the Resource Scope parameter, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.

      In this example, the system policy AliyunOSSFullAccess is attached to the created role so that Function Compute can access OSS. Note that AliyunOSSFullAccess allows every OSS action on every bucket in the account. For anything beyond a test, attach a custom policy that is limited to the actions and the bucket (or bucket prefix) that the function actually needs, for example oss:PutObject on a single bucket, so that a compromised function cannot read or delete data it was never meant to touch.


  4. Bind the new role mytestrole created in the previous step to the function.


  5. Test whether the function can manage OSS resources after it assumes the mytestrole role.

    1. In the function list, click the function that you want to test. In the Function Details page, click the Code tab. Click the arrow next to Test Function, and then select Configure Test Parameters. The following code snippet shows the test parameters:

      {
         "endpoint": "http://oss-cn-hangzhou.aliyuncs.com",
         "bucket": "web****",
         "objectName": "myObj",
         "message": "your-message"
      }

      Replace the bucket value with the name of the bucket that the function should access. The bucket must reside in the same region as the function. Because the function and the bucket are in the same region, you can use the region's internal endpoint (for example, oss-cn-hangzhou-internal.aliyuncs.com) instead of the public endpoint so that traffic stays on the Alibaba Cloud network, and prefer https over http for the endpoint.

    2. On the Code tab, write code in the code editor and click Deploy.

      In this example, a built-in Python runtime is used. You can use the temporary key provided by Function Compute to access OSS.

      import json
      import oss2
      
      def handler(event, context):
          # The event is the raw invocation payload (the test parameters above).
          evt = json.loads(event)
          # The temporary key obtained from the function role via STS is exposed
          # on the context. It always includes a security token, which is why
          # StsAuth rather than Auth is used below.
          # Never hard-code a long-term AccessKey pair in function code: if it is
          # leaked, every resource in the account is exposed. Use the temporary key
          # from the context, whose permissions are limited to the function role.
          creds = context.credentials
          auth = oss2.StsAuth(creds.access_key_id, creds.access_key_secret, creds.security_token)
          bucket = oss2.Bucket(auth, evt['endpoint'], evt['bucket'])
          # Writes the message as the object content; requires oss:PutObject on the bucket.
          bucket.put_object(evt['objectName'], evt['message'])
          return 'success'
    3. Click Test Function. After the function runs, log on to the OSS console, open the bucket, and confirm that the object named in objectName now contains the value of message from the test parameters. If the invocation fails with an access-denied error from OSS, the role bound to the function does not grant oss:PutObject on that bucket.
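
The procedure above attaches AliyunOSSFullAccess, which allows every OSS action on every bucket in the account. The following added example, which is not part of the original page or of the Alibaba Cloud SDKs, generates a custom RAM policy limited to what the sample function actually does (oss:PutObject into one bucket, optionally under one prefix), the trust policy that lets Function Compute assume the role, and a small check that flags statements as broad as AliyunOSSFullAccess before you attach them. The bucket name and prefix are placeholders; the policy format, the acs:oss:*:*:bucket/prefix* resource pattern and the fc.aliyuncs.com service principal are the forms used in the RAM console.

```python
import json
from typing import Any, Dict, List


def scoped_oss_write_policy(bucket: str, prefix: str = "") -> Dict[str, Any]:
    """Custom RAM policy that allows only object writes into one bucket/prefix.

    The resource pattern acs:oss:*:*:<bucket>/<prefix>* is the OSS object
    form; bucket and prefix are assumptions for this example.
    """
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["oss:PutObject"],
            "Resource": [f"acs:oss:*:*:{bucket}/{prefix}*"],
        }],
    }


def fc_trust_policy() -> Dict[str, Any]:
    """Trust policy of a normal service role that Function Compute may assume."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {"Service": ["fc.aliyuncs.com"]},
        }],
    }


def as_list(value: Any) -> List[Any]:
    """RAM policies accept a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy: Dict[str, Any]) -> List[str]:
    """Flag Allow statements whose action or resource is a bare wildcard.

    "oss:*" on "*" (what AliyunOSSFullAccess amounts to) is reported; a
    statement scoped to named actions on one bucket prefix is not. Deny
    statements are skipped because a wildcard there only narrows access.
    """
    findings: List[str] = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {idx}: wildcard action {actions}")
        if any(r == "*" or r.endswith(":*") for r in resources):
            findings.append(f"statement {idx}: wildcard resource {resources}")
    return findings


# A statement equivalent to AliyunOSSFullAccess, written out for comparison.
FULL_ACCESS_LIKE: Dict[str, Any] = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "oss:*", "Resource": "*"}],
}


if __name__ == "__main__":
    # Bucket name and prefix are placeholders for this example.
    policy = scoped_oss_write_policy("web1234", "uploads/")
    # Paste this JSON into the RAM console as a custom policy for mytestrole.
    print(json.dumps(policy, indent=2))
    print(find_overbroad_statements(policy))
    print(find_overbroad_statements(FULL_ACCESS_LIKE))
```

Attach the generated custom policy to mytestrole in place of AliyunOSSFullAccess and rerun the test function; it still succeeds, because oss:PutObject on the target bucket is all the handler needs, while a ListObjects or DeleteObject call from the same function would now be denied.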

References

  • Function Compute 3.0 supports minimal authorization by using the service-linked role. For more information about the policy content of the service-linked role, see AliyunServiceRoleForFC.

  • For more information about how to configure a role for a function, see Create a function.