Function Compute:Grant Function Compute permissions to access other Alibaba Cloud services

How it works

Function Compute obtains a Security Token Service (STS) token as the temporary key by using AssumeRole based on the role that is configured for a function. Then Function Compute passes the temporary key to the function by using the Credentials or credentials parameter in the context. This temporary key contains all resources for which you have configured permissions. You can use it in function code to access other Alibaba Cloud services.

The temporary key is valid for 36 hours and cannot be modified. The maximum duration to execute a function is 24 hours. Therefore, the temporary key is valid when the function is executed.

Example: Grant Function Compute the permissions to access Object Storage Service (OSS)

In this example, Function Compute is granted the permissions to manage OSS resources. If you want to grant a specific function to manage OSS resources, you can bind the corresponding role to the function.

Before you start

Create a function

Procedure

1. Log on to the Function Compute console. In the left-side navigation pane, click Function.

2. In the top navigation bar, select a region. On the Function page, find the function that you want to manage and click Configure in the Actions column.

3. Click the Configuration tab. In the left-side navigation tree, click Permissions. Then, click Modify next to Permissions. In the Permissions panel, click Create Role to go to the RAM console and create a role as prompted. Grant permissions to the role based on your business requirements.

   If you already have a usable role, you can directly use the role. If the role does not have the required permissions, you can click Modify Policy to attach policies to the role. For more information, see Grant permissions to a RAM role.

   

   1. On the Roles page of the RAM console, click Create Role.

   2. In the Select Role Type step, select Alibaba Cloud Service as the trusted entity and click Next.

      

   3. In the Configure Role step, set Role Type to Normal Service Role, specify the RAM role name, set Select Trust Service to Function Compute, and then click OK. In this example, mytestrole is used as the role name.

      

   4. In the Finish step, click Add Permissions to RAM Role and click Grant Permission.

   5. In the Grant Permission panel, specify the Authorized Scope and Principal parameters. The principal defaults to the selected role. Then, attach system policies or custom policies to the role. You can click policies based on your business requirements to add the policies to the Selected section on the right side of the panel. Then, click OK. For more information, see Policies and sample policies. The following items describe the options for the Authorized Scope parameter.

      • Alibaba Cloud Account: The authorization takes effect on all resources in the current Alibaba Cloud account.

      • Specific Resource Group: The authorization takes effect in a specific resource group. If you select Specific Resource Group for Authorized Scope, make sure that the cloud service supports resource groups. For more information, see Services that work with Resource Group.

      In this example, AliyunOSSFullAccess is attached to the created role to grant Function Compute the permissions to access OSS.

      

4. Bind the new role mytestrole created in the previous step to the function.

   

5. Test whether the function has the permissions to manage OSS resources after it is bound the role mytestrole.

   1. In the function list, click the function that you want to test. Click the Code tab, click the arrow next to Test Function, and then select Configure Test Parameters. The following code snippet shows the test parameters:

      {
         "endpoint": "http://oss-cn-hangzhou.aliyuncs.com",
         "bucket": "web****",
         "objectName": "myObj",
         "message": "your-message"
      }

      Replace the bucket value with the name of the bucket that you want the function to access. Take note that the bucket must reside in the same region as the function.

   2. On the Code tab, write code in the code editor and click Deploy.

      In this example, the Python standard runtime is used. You can use the temporary key provided by Function Compute to access OSS.

      import json
      import oss2
      
      def handler(event, context):
          evt = json.loads(event)
          creds = context.credentials
          # Enter the temporary key, including the temporary token. 
          # The AccessKey pair of an Alibaba Cloud account has permissions on all API operations. We recommend that you use a RAM user to call API operations or perform routine O&M. 
          # We recommend that you do not save the AccessKey pair in your project code. Otherwise, the AccessKey pair may be leaked and the security of all resources in your account may be compromised. 
          In this example, the AccessKey or AccessSecretKey is obtained from the context. 
          auth = oss2.StsAuth(creds.access_key_id, creds.access_key_secret, creds.security_token)
          bucket = oss2.Bucket(auth, evt['endpoint'], evt['bucket'])
          bucket.put_object(evt['objectName'], evt['message'])
          return 'success'

   3. Click Test Function. After the function is executed, log on to the OSS console and find the desired bucket. You can see that the content of the object is replaced with message in the test parameters.

   References

   • Function Compute 3.0 supports minimal authorization by using the service-linked role. For more information about the policy content of the service-linked role, see AliyunServiceRoleForFC.

   • For more information about how to configure a role for a function, see Create a function.