Tablestore: Configure access credentials

Last Updated: Mar 17, 2025

To use Tablestore SDK for Python to initiate a request to access Tablestore, you must configure access credentials. Alibaba Cloud services use access credentials to verify identity information and access permissions. You can configure different types of access credentials based on the requirements for authentication and authorization in your business scenarios.

Prerequisites

Tablestore SDK for Python is installed. For more information, see Install Tablestore SDK for Python.

Access credentials

Access credential types

  • Temporary access credentials: We recommend that you use temporary access credentials in scenarios that require high security. Temporary access credentials are valid only within a specific period of time, which helps prevent credential leaks. Temporary access credentials support fine-grained access control, which prevents security risks caused by excessive permissions.

  • Long-term access credentials: To ensure security, we recommend that you do not use long-term access credentials. In scenarios where convenience is essential, long-term access credentials eliminate the need for multiple refreshes within a long period of time.

    Important
    • We recommend that you change your long-term access credentials every three months to ensure account security.

    • If long-term access credentials are leaked or no longer used, you must delete or disable the long-term access credentials at the earliest opportunity to reduce security risks.

Configure temporary access credentials

If you want to use Tablestore SDK for Python to temporarily access Tablestore, you can select one of the following methods to configure temporary access credentials.

Use STS

If you want to access Tablestore only within a specific period of time, you can use Security Token Service (STS) to generate temporary access credentials. When you use temporary access credentials, you do not need to disclose the AccessKey pair of your Resource Access Management (RAM) user. This ensures secure access to Tablestore.

  1. Create a RAM user. For more information, see Create a RAM user.

  2. Attach the AliyunSTSAssumeRoleAccess policy to the RAM user. For more information, see Grant the RAM user the AssumeRole permission.

  3. Create a RAM role and attach custom policies to the RAM role. For more information, see Create a RAM role and Grant the RAM role the permissions to access Tablestore.

  4. Assume the RAM role as the RAM user to obtain temporary access credentials from STS. For more information, see Assume the RAM role as the RAM user to obtain temporary access credentials from STS.

  5. Configure environment variables for the temporary access credentials.

    Environment variables
    1. Configure environment variables for temporary access credentials.

      Mac OS X/Linux/Unix
      # Specify the temporary AccessKey ID obtained from STS.
      export TABLESTORE_ACCESS_KEY_ID=your_sts_access_key_id
      # Specify the temporary AccessKey secret obtained from STS.
      export TABLESTORE_ACCESS_KEY_SECRET=your_sts_access_key_secret
      # Specify the security token obtained from STS.
      export TABLESTORE_SESSION_TOKEN=your_sts_token
      Windows

      Run the command prompt as an administrator and run the following commands:

      REM Specify the temporary AccessKey ID obtained from STS.
      setx TABLESTORE_ACCESS_KEY_ID your_sts_access_key_id /m
      REM Specify the temporary AccessKey secret obtained from STS.
      setx TABLESTORE_ACCESS_KEY_SECRET your_sts_access_key_secret /m
      REM Specify the security token obtained from STS.
      setx TABLESTORE_SESSION_TOKEN your_sts_token /m
      Note

      After you specify the environment variables, you may need to restart the relevant services or development tools, such as your integrated development environment (IDE), to ensure that the new settings are applied as expected.

    2. Specify environment variables to pass temporary access credentials.

      # -*- coding: utf-8 -*-
      import os
      
      access_key_id = os.getenv("TABLESTORE_ACCESS_KEY_ID")
      access_key_secret = os.getenv("TABLESTORE_ACCESS_KEY_SECRET")
      sts_token = os.getenv("TABLESTORE_SESSION_TOKEN")
    Static credentials

    You can define access credentials by using variables in your code. During the code execution, these variables are populated with actual credential values obtained from environment variables, configuration files, or other external data sources.

    The following procedure describes how to use a configuration file to pass credentials.

    1. Create a configuration file named config.ini.

      [configName]
      TABLESTORE_ACCESS_KEY_ID = your_sts_access_key_id
      TABLESTORE_ACCESS_KEY_SECRET = your_sts_access_key_secret
      TABLESTORE_SESSION_TOKEN = your_sts_token
    2. Use the configuration file to pass credentials.

      # -*- coding: utf-8 -*-
      import configparser
      
      # Read the configuration file.
      config = configparser.ConfigParser()
      # For example, the config.ini configuration file is stored in the same directory as the script.
      config.read('config.ini')
      
      # Obtain the AccessKey ID, AccessKey secret, and security token from the configuration file.
      access_key_id = config.get('configName', 'TABLESTORE_ACCESS_KEY_ID')
      access_key_secret = config.get('configName', 'TABLESTORE_ACCESS_KEY_SECRET')
      security_token = config.get('configName', 'TABLESTORE_SESSION_TOKEN')

Use the Credentials parameter in the context of Function Compute

If the function of your application is deployed and run in Function Compute, you can obtain temporary access credentials by using the Credentials parameter in the context of Function Compute.

The underlying logic of this method is to use an STS token to configure access credentials. Function Compute obtains an STS token by assuming a service role based on the role configured for the function. Then, the STS token is passed to your application by using the Credentials parameter in the context of Function Compute.

The STS token is valid for 36 hours. You cannot change its validity period. The maximum execution time of a function is 24 hours. Therefore, you do not need to refresh the STS token because it does not expire while the function is executed.

With this method, you do not need to provide an AccessKey pair or STS token yourself, which eliminates the risks associated with manually managing these credentials. For information about how to grant Function Compute the permissions to access Tablestore, see Grant Function Compute permissions to access other Alibaba Cloud services.

  1. Use the Credentials parameter in the context of Function Compute to obtain temporary access credentials.

    # -*- coding: utf-8 -*-
    
    def handler(event, context):
        # Obtain the key information. Before you execute the function, make sure
        # that a role is configured for the service to which the function belongs
        # and that the role is granted the permissions to access Tablestore.
        # We recommend that you use the AliyunFCDefaultRole role.
        creds = context.credentials
    
        access_key_id = creds.access_key_id
        access_key_secret = creds.access_key_secret
        security_token = creds.security_token
    
        # Perform the subsequent operations.
    
        return 'success'

Configure long-term access credentials

If your application is deployed in a secure and stable environment that is not vulnerable to external attacks and requires long-term access to Tablestore by using Tablestore SDK for Python, you can use an AccessKey pair of your Alibaba Cloud account or a RAM user. For information about how to obtain an AccessKey pair, see Use the AccessKey pair of a RAM user to access Tablestore.

Warning

An Alibaba Cloud account has full permissions on resources within the account. Leaks of the Alibaba Cloud account AccessKey pair pose critical security threats. Therefore, we recommend that you use the AccessKey pair of a RAM user that is granted permissions based on the principle of least privilege.

Environment variables

  1. Use the AccessKey pair to specify environment variables.

    Mac OS X/Linux/Unix
    # Specify the AccessKey ID.
    export TABLESTORE_ACCESS_KEY_ID=your_access_key_id
    # Specify the AccessKey secret.
    export TABLESTORE_ACCESS_KEY_SECRET=your_access_key_secret
    Windows

    Run the command prompt as an administrator and run the following commands:

    REM Specify the AccessKey ID.
    setx TABLESTORE_ACCESS_KEY_ID your_access_key_id /m
    REM Specify the AccessKey secret.
    setx TABLESTORE_ACCESS_KEY_SECRET your_access_key_secret /m
    Note

    After you specify the environment variables, you may need to restart the relevant services or development tools, such as your IDE, to ensure that the new settings are applied as expected.

  2. Use environment variables to pass credentials.

    # -*- coding: utf-8 -*-
    import os
    
    access_key_id = os.getenv("TABLESTORE_ACCESS_KEY_ID")
    access_key_secret = os.getenv("TABLESTORE_ACCESS_KEY_SECRET")
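
Added example (not part of the original page or of Tablestore SDK for Python): one way to read the TABLESTORE_* variables from both environment-variable procedures above so that a missing value or a leftover sample value stops the program instead of yielding a `None` credential, and so that the secret and token stay out of logs. The class and function names are hypothetical, and the sample values are constructed.

```python
import os
from dataclasses import dataclass, field
from typing import Mapping, Optional


@dataclass(frozen=True)
class TablestoreCredentials:
    access_key_id: str
    # repr=False keeps the secret and token out of logs and tracebacks.
    access_key_secret: str = field(repr=False)
    security_token: Optional[str] = field(default=None, repr=False)

    @property
    def is_temporary(self) -> bool:
        # STS credentials always come with a security token.
        return self.security_token is not None


def read_var(env: Mapping[str, str], name: str, required: bool) -> Optional[str]:
    value = (env.get(name) or "").strip()
    if not value:
        if required:
            raise RuntimeError(f"{name} is not set")
        return None
    # Reject the page's sample values (your_access_key_id, your_sts_token, ...).
    if value.startswith("your_"):
        raise RuntimeError(f"{name} still holds a documentation placeholder")
    return value


def load_credentials(env: Mapping[str, str] = os.environ,
                     require_temporary: bool = False) -> TablestoreCredentials:
    """Read the TABLESTORE_* variables and fail closed on missing values."""
    return TablestoreCredentials(
        access_key_id=read_var(env, "TABLESTORE_ACCESS_KEY_ID", True),
        access_key_secret=read_var(env, "TABLESTORE_ACCESS_KEY_SECRET", True),
        security_token=read_var(env, "TABLESTORE_SESSION_TOKEN", require_temporary),
    )


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample = {"TABLESTORE_ACCESS_KEY_ID": "STS.constructedId",
              "TABLESTORE_ACCESS_KEY_SECRET": "constructed-secret",
              "TABLESTORE_SESSION_TOKEN": "constructed-token"}
    print(load_credentials(sample, require_temporary=True))
```

Pass `require_temporary=True` in deployments that must use only STS credentials, so that a long-term AccessKey pair without a token is rejected at startup.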

Static credentials

You can define access credentials by using variables in your code. During the code execution, these variables are populated with actual credential values obtained from environment variables, configuration files, or other external data sources.

The following procedure describes how to use a configuration file to pass credentials.

  1. Create a configuration file named config.ini.

    [configName]
    TABLESTORE_ACCESS_KEY_ID = your_access_key_id
    TABLESTORE_ACCESS_KEY_SECRET = your_access_key_secret
  2. Use the configuration file to pass credentials.

    # -*- coding: utf-8 -*-
    import configparser
    
    # Read the configuration file.
    config = configparser.ConfigParser()
    # For example, the config.ini configuration file is stored in the same directory as the script.
    config.read('config.ini')
    
    # Obtain the AccessKey ID and AccessKey secret from the configuration file.
    access_key_id = config.get('configName', 'TABLESTORE_ACCESS_KEY_ID')
    access_key_secret = config.get('configName', 'TABLESTORE_ACCESS_KEY_SECRET')
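
Added example (not part of the original page or of Tablestore SDK for Python): a hardened variant of the config.ini readers in both static-credential procedures above, which refuses a file that group or other users can access and fails when the file or a key is missing instead of continuing silently. The function name and the keys of the returned dictionary are hypothetical; the permission check assumes a POSIX file system.

```python
import configparser
import os
import stat
from typing import Dict, Optional


def load_config_credentials(path: str,
                            section: str = "configName") -> Dict[str, Optional[str]]:
    """Load credentials from config.ini, refusing files other users can access."""
    # open() raises FileNotFoundError, unlike config.read(), which skips
    # missing files without an error.
    with open(path, encoding="utf-8") as fh:
        # fstat the open handle so the check and the read see the same file.
        st = os.fstat(fh.fileno())
        # POSIX only: Windows mode bits do not reflect ACLs.
        if os.name == "posix" and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            mode = stat.S_IMODE(st.st_mode)
            raise PermissionError(f"{path} has mode {mode:o}, expected 600")
        # interpolation=None: a '%' inside a secret is data, not a template.
        config = configparser.ConfigParser(interpolation=None)
        config.read_file(fh)

    creds = {
        # config.get raises NoSectionError/NoOptionError when a key is absent.
        "access_key_id": config.get(section, "TABLESTORE_ACCESS_KEY_ID"),
        "access_key_secret": config.get(section, "TABLESTORE_ACCESS_KEY_SECRET"),
        # Present only for STS credentials; None for a long-term AccessKey pair.
        "security_token": config.get(section, "TABLESTORE_SESSION_TOKEN",
                                     fallback=None),
    }
    if not creds["access_key_id"] or not creds["access_key_secret"]:
        raise ValueError(f"empty credential value in [{section}] of {path}")
    return creds
```

Create the file with `chmod 600 config.ini` and keep it out of version control, for example through an ignore rule.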

What to do next

After the credential provider is initialized, you need to use the credential provider to create an OTSClient instance. For more information, see Initialize a Tablestore client.