
Function Compute:Use function roles to grant Function Compute access to other Alibaba Cloud services

Last Updated:Sep 09, 2025

Function Compute requires permissions to access other Alibaba Cloud services for features such as logging, VPC access, and asynchronous invocations with destinations. For example, before function logs can be written to a Logstore, you must grant Function Compute permission to write to that specific Logstore.

To simplify the authorization process, Function Compute supports service-linked roles. By default, functions use this service-linked role, which allows them to use features such as logging, VPC access, and asynchronous invocations with destinations without requiring additional role configurations.

If your code needs to access other Alibaba Cloud services or requires more fine-grained authorization, you must grant permissions to the function by configuring a Function Role. Function Compute automatically assumes this role when the function is invoked.

How it works

Function Compute uses the role configured for a function to obtain a temporary Security Token Service (STS) token by calling the AssumeRole operation. Function Compute then passes the temporary token to your function through the Credentials or credentials parameter in the context. This temporary token contains the permissions for all the resources that you configured for the role. You can use this token in your function code to access other Alibaba Cloud services.

The temporary token is valid for 36 hours. You cannot change its validity period. The maximum running time of a function is 24 hours. Therefore, the temporary token does not expire during function execution.

The location of the Credentials or credentials parameter varies by runtime; see the documentation for the runtime you use. Note that when you use a custom runtime or a custom image, the temporary token is injected into the request headers instead of a context object.
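As an added illustration of the mechanism described above (not code from the Function Compute documentation), the helper below reads the role's temporary credentials from either source, the context object of a built-in runtime or the request headers of a custom runtime, and refuses to proceed when no function role was attached or when only a long-lived AccessKey pair (no security token) is present. The header names are the ones used by custom runtimes and are assumed here; verify them against the custom runtime documentation.

```python
from dataclasses import dataclass
from typing import Mapping, Optional

# Request headers through which custom runtimes / custom images receive the STS token.
# Assumed names; confirm against the Function Compute custom runtime documentation.
HDR_KEY_ID = "x-fc-access-key-id"
HDR_KEY_SECRET = "x-fc-access-key-secret"
HDR_TOKEN = "x-fc-security-token"


class MissingFunctionRole(RuntimeError):
    """No usable temporary STS credentials were injected into the invocation."""


@dataclass(frozen=True)
class StsCredentials:
    access_key_id: str
    access_key_secret: str
    security_token: str


def sts_credentials(context=None, headers: Optional[Mapping[str, str]] = None) -> StsCredentials:
    """Return the temporary credentials that Function Compute obtained via AssumeRole.

    Built-in runtimes expose them on ``context.credentials``; custom runtimes and custom
    images receive them as request headers. All three parts must be present: an AccessKey
    ID and secret without a security token means a long-lived key was supplied rather than
    the role's STS token, and that is rejected so hard-coded keys cannot slip in unnoticed.
    """
    if context is not None and getattr(context, "credentials", None) is not None:
        c = context.credentials
        parts = (c.access_key_id, c.access_key_secret, c.security_token)
    elif headers is not None:
        lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
        parts = (lowered.get(HDR_KEY_ID), lowered.get(HDR_KEY_SECRET), lowered.get(HDR_TOKEN))
    else:
        parts = (None, None, None)

    key_id, secret, token = (p if p else "" for p in parts)
    if not key_id or not secret:
        raise MissingFunctionRole("no credentials injected: attach a function role and redeploy")
    if not token:
        raise MissingFunctionRole("AccessKey pair without security token: refusing a long-lived key")
    return StsCredentials(key_id, secret, token)
```

Call `sts_credentials(context)` at the top of a built-in-runtime handler, or `sts_credentials(headers=request.headers)` in a custom runtime, and pass the result to the SDK's STS auth (for OSS, `oss2.StsAuth`).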

Example: Grant Function Compute permissions to access OSS

This section provides an example of how to grant a function permissions to manage Object Storage Service (OSS). To do this, you must create a role with the required OSS permissions and then attach that role to the function.

Prerequisites

Create a function

Procedure

Step 1: Create a role and grant permissions

  1. Log on to the Resource Access Management (RAM) console. In the navigation pane on the left, choose Roles > Create Role.

  2. On the Create Role page, set Trusted Entity Type to Alibaba Cloud Service and set Trusted Service to Function Compute/FC. Then, click OK.

  3. In the Create Role dialog box, set Role Name to a value, such as mytestrole, and click OK. You are redirected to the role details page.

  4. On the Permission Management tab, click Add Permissions. In the Add Permissions panel that appears, grant the required permissions to the role.

    Select the Resource Scope. The Principal is the target role by default. In the policy list, select the check box next to the system policy or custom policy that you want to attach. The policy is automatically added to the Selected list on the right. Then, click OK. For more information, see Access policies and examples.

    • Account Level: The permissions take effect within the current Alibaba Cloud account.

    • Resource Group Level: The permissions take effect within the specified resource group. Permissions can be granted on a resource group only if the Alibaba Cloud service supports resource groups. For more information, see Alibaba Cloud services that support resource groups.

    In this example, because the goal is to manage OSS, add the AliyunOSSFullAccess system policy to the role. For production functions, prefer a custom policy that grants only the OSS actions and buckets the function actually needs, so the temporary token passed to your code carries no more than that.


Step 2: Attach the role to the destination function

  1. Log on to the Function Compute console. In the navigation pane on the left, click Functions.

  2. In the top navigation bar, select a region. On the Functions page, find the function and click Configure in the Actions column.

  3. On the function details page, click the Configuration tab. In the Advanced Configuration section, click Edit. In the Advanced Configuration panel, expand Permissions. From the Function Role drop-down list, select mytestrole, which is the role that you created in Step 1. Then, click Deploy.

Step 3: Test the function

Test the function to verify that the attached mytestrole role grants it the necessary permissions to manage OSS.

  1. On the Functions page, click the name of the function. On the function details page, click the Code tab. Click the arrow next to Test Function and select Configure Test Parameters.

    {
       "endpoint": "http://oss-cn-hangzhou.aliyuncs.com",
       "bucket": "web****",
       "objectName": "myObj",
       "message": "your-message"
    }

    In the preceding code, replace bucket with the name of your bucket. The bucket must be in the same region as the function.

  2. On the Code tab, enter your code in the editor and click Deploy Code.

    The following example shows how to use the built-in Python runtime. You can use the temporary token provided by Function Compute to access OSS.

    import json
    import oss2
    
    def handler(event, context):
        evt = json.loads(event)
        creds = context.credentials
        # The temporary credentials, including the temporary token.
        # An AccessKey pair of an Alibaba Cloud account has permissions on all API operations. Use a RAM user to make API calls or perform routine O&M.
        # Do not hard-code the AccessKey ID and AccessKey secret in your project code. Otherwise, the AccessKey pair may be leaked, which compromises the security of all resources in your account.
        # This example shows how to obtain the AccessKey ID and AccessKey secret from the context.
        auth = oss2.StsAuth(creds.access_key_id, creds.access_key_secret, creds.security_token)
        bucket = oss2.Bucket(auth, evt['endpoint'], evt['bucket'])
        bucket.put_object(evt['objectName'], evt['message'])
        return 'success'
  3. Click Test Function. After the function is executed, log on to the OSS console and navigate to the specified bucket. Verify that the content of the object is replaced with the value of the message parameter from the test parameters.

References

  • Function Compute 3.0 supports the principle of least privilege using service-linked roles for authorization. For more information about the policy document for the service-linked role, see AliyunServiceRoleForFC.

  • For more information about how to configure a role for a function, see Create a function.