All Products
Search
Document Center

Function Compute:Grant Function Compute permissions to access other Alibaba Cloud services

Last Updated:Feb 02, 2024

Function Compute must access other Alibaba Cloud services when functions run. For example, Function Compute delivers function logs to a Logstore in Simple Log Service, pulls images from Container Registry, and may need to access resources in a virtual private cloud (VPC). Therefore, you must grant services in Function Compute permissions to access other Alibaba Cloud services. The default role AliyunFCDefaultRole that is provided by Function Compute has coarse-grained permissions. If fine-grained permissions are required, you can bind a role that has required permissions to your services.

How it works

Function Compute obtains a Security Token Service (STS) token, which works as a temporary key. Then, the AssumeRole operation is called based on the role configured for the service to which a function belongs. Then, Function Compute passes the temporary key to the function by using the Credentials or credentials parameter in the context. The temporary key contains all resources for which your permissions are configured. You can use the key in function code for Function Compute to access other Alibaba Cloud services.

The temporary key is valid for 36 hours and cannot be modified. The maximum duration allowed to execute a function is 24 hours. Therefore, the temporary key is valid when the function is executed.

The location of the Credentials or credentials parameter varies in runtimes. You can refer to the following topics for references. When you use a custom runtime or a Custom Container runtime, the temporary key is injected into the header of an HTTP request.

AliyunFCDefaultRole

To streamline granting permissions, Function Compute provides a default system role named AliyunFCDefaultRole, which can be assumed to access specific Alibaba Cloud services from Function Compute. For more information about how to create the default role and bind the role, see Step 1: Activate Function Compute.

You can log on to the Resource Access Management console to view the permissions of AliyunFCDefaultRole.

image.png

Important

AliyunFCDefaultRole is the default role dedicated to Function Compute and can be bound to all Function Compute services. Do not attach other policies to the role. If the permissions provided by the default role cannot meet your business requirements, you must create other roles and attach policies to the roles. For more information, see Create a RAM role for a trusted Alibaba Cloud service.

Example: Grant Function Compute the permissions to access OSS

This section describes how to grant permissions to Function Compute to access Object Storage Service (OSS). If you want to specify that all functions reside in a Function Compute service can manage OSS, you can bind a role to the service and attach the policy that defines the permissions to manage OSS to the role. Then, all functions in the service have the permissions to manage OSS.

Prerequisite

A service and a function are created. For more information, see Create a service and Create a function.

Procedure

  1. Log on to the Function Compute console. In the left-side navigation pane, click Services & Functions.

  2. In the top navigation bar, select a region. On the Services page, find the desired service and click Configure in the Actions column.

  3. In the Role Settings section of the Modify Service page, click Create Role to go to the RAM console. Follow the on-screen instructions to create a role and grant the required permissions to the role.

    You can also bind an existing role to the service. If the permissions are insufficient, you can click Modify Policy to attach other policies to the role. For more information, see Grant permissions to a RAM role.

    image.png

    1. On the Roles page of the RAM console, click Create Role.

    2. In the Select Role Type step, select Alibaba Cloud Service as the trusted entity and click Next.

      image.png

    3. In the Configure Role step, set Role Type to Normal Service Role, specify the RAM role name, set Select Trust Service to Function Compute, and then click OK. In this section, mytestrole is used as the role name.

      image.png

    4. In the Finish step, click Add Permissions to RAM Role and click Grant Permission.

    5. On the Grant Permission page, specify the Authorized Scope and Principal parameters. The principal defaults to the selected role. Then, attach system policies or custom policies to the role. You can click the policy based on your business requirements to add the policies to the Selected section on the right side of the page. Then, click OK. For more information, see Policies and sample policies.

      • Alibaba Cloud Account: The authorization takes effect on all resources in the current Alibaba Cloud account.

      • Specific Resource Group: The permissions take effect in a specific resource group. If you set Authorized Scope to Specific Resource Group, make sure that the cloud service supports resource groups. For more information, see Services that work with Resource Group.

      In this section, you must attach a system policy AliyunOSSFullAccess to the created role to grant Function Compute the permissions to access OSS.

      image.png

  4. Bind the new role mytestrole created in Step 3 to the service that you want to manage.

    image.png

  5. Check whether functions in the service bound to the role mytestrole have the permission to manage OSS.

    1. In the service list, find the target function in the service. On the Code tab, click the downward arrow next to the Test Function parameter and select Configure Test Parameters. The parameters in the following sample code are displayed.

      {
         "endpoint": "http://oss-cn-hangzhou.aliyuncs.com",
         "bucket": "web****",
         "objectName": "myObj",
         "message": "your-message"
      }
    2. On the Function Code tab, write code in the code editor and click Deploy.

      The standard Python runtime is used as an example. You can use the temporary key provided by Function Compute to access OSS.

      import json
      import oss2
      
      def handler(event, context):
          evt = json.loads(event)
          creds = context.credentials
          # Enter the temporary key, including the temporary token. 
          # The AccessKey pair (AccessKey ID or AccessKey secret) of an Alibaba Cloud account can be used to access all API operations. Using these credentials to perform operations in Function Compute is a high-risk operation. We recommend that you use a RAM user to call API operations or perform routine O&M. 
          # We recommend that you do not save the AccessKey pair in your project code. Otherwise, the AccessKey pair may be leaked and the security of all resources under your account may be compromised. 
          In this example, the AccessKey or AccessSecretKey is obtained from the context. 
          auth = oss2.StsAuth(creds.access_key_id, creds.access_key_secret, creds.security_token)
          bucket = oss2.Bucket(auth, evt['endpoint'], evt['bucket'])
          bucket.put_object(evt['objectName'], evt['message'])
          return 'success'
    3. Click Test Function. After the function is executed, log on to the OSS console and find the bucket that you want to manage. You can find that the content of the target object is replaced with the message content.