When you use specific features provided by Function Compute, such as logging, virtual private cloud (VPC) access, and asynchronous invocation, Function Compute needs to access other Alibaba Cloud services. For example, when you configure the logging feature for a function, you must grant Function Compute the permissions to write logs to the specified Logstore. Function Compute supports service-linked roles. After you configure a service-linked role, your function assumes the role to use these features, and you do not need to separately configure a role for the function. However, if your business logic needs to access other cloud services or you require more fine-grained access control, you can separately configure roles for functions.
How it works
Function Compute obtains a Security Token Service (STS) token as a temporary key by calling AssumeRole on the role that is configured for the function. Function Compute then passes the temporary key to the function through the Credentials or credentials parameter in the context. The temporary key carries the permissions that were granted to the role, so you can use it in function code to access other Alibaba Cloud services.
The temporary key is valid for 36 hours, and this validity period cannot be modified. The maximum execution duration of a function is 24 hours, so the temporary key remains valid for the entire execution of a function.
The location of the Credentials or credentials parameter varies based on the runtime. For details, refer to the topics for each runtime. When you use a custom runtime or Custom Container runtime, the temporary key is injected into the headers of the HTTP request that invokes the function.
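The following Python module is an added example and is not code from the original page or from Function Compute itself. It shows the two places described above where the temporary key arrives: the context object in the standard runtime and the HTTP request headers in a custom runtime. The header names x-fc-access-key-id, x-fc-access-key-secret and x-fc-security-token are assumed here and should be checked against the documentation for your runtime; the sample context and headers are constructed values, not real credentials.

```python
# Added example (not from the original page): reading the temporary key that
# Function Compute passes to a function, for the standard Python runtime
# (context.credentials) and for a custom runtime (HTTP request headers).
from typing import Mapping, NamedTuple


class TemporaryCredentials(NamedTuple):
    access_key_id: str
    access_key_secret: str
    security_token: str


# Assumed header names for custom runtimes; verify against your runtime's docs.
HEADER_NAMES = {
    "access_key_id": "x-fc-access-key-id",
    "access_key_secret": "x-fc-access-key-secret",
    "security_token": "x-fc-security-token",
}


def _validate(ak_id, ak_secret, token) -> TemporaryCredentials:
    # An STS temporary key always has three parts. A missing security token means
    # the caller would be using a long-lived AccessKey pair, not the role's key,
    # so refuse rather than silently fall back.
    parts = (("access_key_id", ak_id), ("access_key_secret", ak_secret), ("security_token", token))
    for name, value in parts:
        if not isinstance(value, str) or not value.strip():
            raise ValueError(f"temporary key is missing {name}")
    return TemporaryCredentials(ak_id.strip(), ak_secret.strip(), token.strip())


def credentials_from_context(context) -> TemporaryCredentials:
    """Standard runtime: the key is exposed on context.credentials."""
    creds = context.credentials
    return _validate(creds.access_key_id, creds.access_key_secret, creds.security_token)


def credentials_from_headers(headers: Mapping[str, str]) -> TemporaryCredentials:
    """Custom runtime / Custom Container: the key arrives in the request headers."""
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    return _validate(
        lowered.get(HEADER_NAMES["access_key_id"], ""),
        lowered.get(HEADER_NAMES["access_key_secret"], ""),
        lowered.get(HEADER_NAMES["security_token"], ""),
    )


def redact(creds: TemporaryCredentials) -> str:
    """Representation that is safe to log: a short prefix of the ID, never the secret or token."""
    return (f"TemporaryCredentials(access_key_id={creds.access_key_id[:4]}..., "
            "access_key_secret=<redacted>, security_token=<redacted>)")


# Constructed sample inputs for a local dry run (not real credentials).
class _SampleCredentials:
    access_key_id = "STS.constructedSampleId"
    access_key_secret = "constructedSampleSecret"
    security_token = "constructedSampleToken"


class SampleContext:
    credentials = _SampleCredentials()


SAMPLE_HEADERS = {
    "X-Fc-Access-Key-Id": "STS.constructedSampleId",
    "X-Fc-Access-Key-Secret": "constructedSampleSecret",
    "X-Fc-Security-Token": "constructedSampleToken",
    "Content-Type": "application/json",
}

# Usage in the standard runtime:
#     creds = credentials_from_context(context)
#     auth = oss2.StsAuth(creds.access_key_id, creds.access_key_secret, creds.security_token)
# Usage in a custom runtime HTTP handler:
#     creds = credentials_from_headers(request.headers)
if __name__ == "__main__":
    print(redact(credentials_from_context(SampleContext())))
    print(redact(credentials_from_headers(SAMPLE_HEADERS)))
```

Both entry points return the same named tuple, so the code that builds the OSS client does not need to know which runtime it runs in. Only the redacted form should ever reach logs; the raw tuple stays in memory for the SDK call.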
Example: Grant Function Compute the permissions to access Object Storage Service (OSS)
In this example, Function Compute is granted the permissions to manage OSS resources. If you want to allow a specific function to manage OSS resources, bind the corresponding role to that function.
Before you start
Procedure
Log on to the Function Compute console. In the left-side navigation pane, click Function.
In the top navigation bar, select a region. On the Function page, find the function that you want to manage and click Configure in the Actions column.
Click the Configuration tab. In the left-side navigation tree, click Permissions. Then, click Modify next to Permissions. In the Permissions panel, click Create Role to go to the RAM console and create a role as prompted. Grant permissions to the role based on your business requirements.
If you already have a usable role, you can directly use the role. If the role does not have the required permissions, you can click Modify Policy to attach policies to the role. For more information, see Grant permissions to a RAM role.
On the Roles page of the RAM console, click Create Role.
In the Select Role Type step, select Alibaba Cloud Service as the trusted entity and click Next.
In the Configure Role step, set Role Type to Normal Service Role, specify the RAM role name, set Select Trust Service to Function Compute, and then click OK. In this example, mytestrole is used as the role name.
In the Finish step, click Add Permissions to RAM Role and click Grant Permission.
In the Grant Permission panel, specify the Authorized Scope and Principal parameters. The principal defaults to the selected role. Then, attach system policies or custom policies to the role: click the policies that your business requires to add them to the Selected section on the right side of the panel, and then click OK. For more information, see Policies and sample policies. The following items describe the options for the Authorized Scope parameter.
Alibaba Cloud Account: The authorization takes effect on all resources in the current Alibaba Cloud account.
Specific Resource Group: The authorization takes effect in a specific resource group. If you select Specific Resource Group for Authorized Scope, make sure that the cloud service supports resource groups. For more information, see Services that work with Resource Group.
In this example, AliyunOSSFullAccess is attached to the created role to grant Function Compute the permissions to access OSS.
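The system policy used in this example grants every OSS action on every bucket in the account. The following Python block is an added example, not code from the original page or from RAM, that contrasts that policy with a custom policy scoped to the one bucket the function writes to. The bucket name web1234 and the resource ARNs are constructed values standing in for the page's web**** placeholder, and the matcher handles only Allow statements with "*" wildcards; it is a teaching aid, not RAM's actual policy evaluator.

```python
# Added example (not from the original page): a least-privilege custom policy
# for the OSS write in the procedure, beside the shape of AliyunOSSFullAccess,
# with a small matcher that shows what each policy allows.
import json


def scoped_put_object_policy(bucket_name: str) -> dict:
    """Custom RAM policy that lets the role write objects in one bucket only."""
    return {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["oss:PutObject"],
                # acs:oss:<region>:<account-id>:<bucket>/<object>
                "Resource": [f"acs:oss:*:*:{bucket_name}/*"],
            }
        ],
    }


# Assumed shape of AliyunOSSFullAccess for comparison: every action on every OSS resource.
FULL_ACCESS_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "oss:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern: str, value: str) -> bool:
    """Glob match where only '*' is special, as in RAM action and resource patterns."""
    parts = pattern.split("*")
    if len(parts) == 1:
        return pattern == value
    if not value.startswith(parts[0]) or not value.endswith(parts[-1]):
        return False
    pos = len(parts[0])
    for part in parts[1:-1]:
        idx = value.find(part, pos)
        if idx < 0:
            return False
        pos = idx + len(part)
    return pos <= len(value) - len(parts[-1])


def allows(policy: dict, action: str, resource: str) -> bool:
    """True if any Allow statement matches both the action and the resource."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(_match(a, action) for a in _as_list(stmt["Action"]))
        resource_ok = any(_match(r, resource) for r in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False


# Constructed sample resources for a dry run.
TARGET_OBJECT = "acs:oss:cn-hangzhou:123456:web1234/myObj"
OTHER_OBJECT = "acs:oss:cn-hangzhou:123456:other-bucket/myObj"
TARGET_BUCKET = "acs:oss:cn-hangzhou:123456:web1234"

if __name__ == "__main__":
    scoped = scoped_put_object_policy("web1234")
    print(json.dumps(scoped, indent=2))
    for name, policy in (("scoped", scoped), ("full", FULL_ACCESS_POLICY)):
        print(name, "PutObject target:", allows(policy, "oss:PutObject", TARGET_OBJECT))
        print(name, "PutObject other:", allows(policy, "oss:PutObject", OTHER_OBJECT))
        print(name, "DeleteBucket target:", allows(policy, "oss:DeleteBucket", TARGET_BUCKET))
```

The scoped policy is what the procedure's test function actually needs: one action on one bucket. If the role's temporary key is ever misused from inside the function, the blast radius is that bucket's objects rather than every bucket in the account.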
Bind the new role mytestrole created in the previous step to the function.
Test whether the function has the permissions to manage OSS resources after it is bound to the role mytestrole.
In the function list, click the function that you want to test. Click the Code tab, click the arrow next to Test Function, and then select Configure Test Parameters. The following code snippet shows the test parameters:
{
  "endpoint": "http://oss-cn-hangzhou.aliyuncs.com",
  "bucket": "web****",
  "objectName": "myObj",
  "message": "your-message"
}
Replace the bucket value with the name of the bucket that you want the function to access. Take note that the bucket must reside in the same region as the function.
On the Code tab, write code in the code editor and click Deploy.
In this example, the Python standard runtime is used. You can use the temporary key provided by Function Compute to access OSS.
import json
import oss2

def handler(event, context):
    evt = json.loads(event)
    # The temporary key, including the temporary security token, is read from the context.
    creds = context.credentials
    # The AccessKey pair of an Alibaba Cloud account has permissions on all API operations.
    # We recommend that you use a RAM user to call API operations or perform routine O&M.
    # We recommend that you do not save the AccessKey pair in your project code. Otherwise,
    # the AccessKey pair may be leaked and the security of all resources in your account may
    # be compromised. In this example, the AccessKey ID and AccessKey secret are obtained
    # from the context rather than hard-coded.
    auth = oss2.StsAuth(creds.access_key_id, creds.access_key_secret, creds.security_token)
    bucket = oss2.Bucket(auth, evt['endpoint'], evt['bucket'])
    bucket.put_object(evt['objectName'], evt['message'])
    return 'success'
Click Test Function. After the function is executed, log on to the OSS console and find the desired bucket. You can see that the content of the object is replaced with the message value in the test parameters.
References
Function Compute 3.0 supports minimal authorization by using the service-linked role. For more information about the policy content of the service-linked role, see AliyunServiceRoleForFC.
For more information about how to configure a role for a function, see Create a function.