
Tablestore: Configure access credentials

Last Updated: Feb 28, 2025

To initiate a request to access Tablestore using the Python SDK, you need to configure access credentials. Alibaba Cloud services use access credentials to verify your identity information and access permissions. You can configure different types of access credentials based on the requirements for authentication and authorization in your business scenarios.

Prerequisites

Before you configure access credentials, you must install the Tablestore Python SDK. For detailed instructions, see Install Python SDK.

Access credentials

Access credential types

  • Temporary access credentials: For scenarios that require high security, we recommend that you use temporary access credentials. Temporary access credentials are valid only for a specific period of time, which reduces the risk posed by credential leaks. Temporary access credentials also support fine-grained access control, which prevents security risks caused by excessive permissions.

  • Long-term access credentials: To ensure security, we recommend that you do not use long-term access credentials. For scenarios that require convenience, long-term access credentials eliminate the need for multiple refreshes within an extended period of time.

    Important
    • We recommend that you change your long-term access credentials every three months to ensure the security of your Alibaba Cloud account.

    • If long-term access credentials are leaked or no longer used, you can delete or disable the long-term access credentials to reduce security risks.

Temporary access credentials

To access Tablestore temporarily by using the Python SDK, choose one of the following methods to configure temporary access credentials.

Configure STS temporary access credentials

If you need to access Tablestore within a specified period of time, you can obtain STS temporary access credentials from the STS service. With temporary access credentials, you do not need to expose the AccessKey pair of your RAM user, which makes access to Tablestore more secure.

  1. Create a RAM user. For detailed instructions, see Create a RAM user.

  2. Grant the RAM user the AliyunSTSAssumeRoleAccess permission. For specific instructions, see how to grant permissions to a RAM user.

  3. Create a RAM role and attach a custom policy to it. For specific instructions, see Create a RAM role and Attach a custom policy to a RAM role.

  4. Use the RAM user to assume the RAM role and retrieve the STS temporary access credentials. For detailed instructions, see Obtain STS temporary access credentials.

  5. Configure STS temporary access credentials.

    Environment variables
    1. Set environment variables to the temporary access credentials.

      Mac OS X/Linux/Unix
      # Specify the temporary access credentials STS AccessKey ID
      export TABLESTORE_ACCESS_KEY_ID=your_sts_access_key_id
      # Specify the temporary access credentials STS AccessKey Secret
      export TABLESTORE_ACCESS_KEY_SECRET=your_sts_access_key_secret
      # Specify the temporary access credentials STS Token
      export TABLESTORE_SESSION_TOKEN=your_sts_token

      Windows

      Run the Command Prompt as an administrator and execute the following commands.

      REM Specify the temporary access credentials STS AccessKey ID
      setx TABLESTORE_ACCESS_KEY_ID your_sts_access_key_id /m
      REM Specify the temporary access credentials STS AccessKey Secret
      setx TABLESTORE_ACCESS_KEY_SECRET your_sts_access_key_secret /m
      REM Specify the temporary access credentials STS Token
      setx TABLESTORE_SESSION_TOKEN your_sts_token /m

      Note

      After configuring the environment variables, you may need to restart the relevant services or development tools, such as your integrated development environment (IDE), to ensure that the new settings are applied as expected.

    2. Pass credentials by using environment variables.

      # -*- coding: utf-8 -*-
      import os
      
      access_key_id = os.getenv("TABLESTORE_ACCESS_KEY_ID")
      access_key_secret = os.getenv("TABLESTORE_ACCESS_KEY_SECRET")
      sts_token = os.getenv("TABLESTORE_SESSION_TOKEN")

    Static credentials

    You can define credentials by using variables in your code. During code execution, these variables are populated with actual credential values sourced from environment variables, configuration files, or other external locations.

    The following procedure describes how to use a configuration file to provide credentials.

    1. Create a configuration file config.ini.

      [configName]
      TABLESTORE_ACCESS_KEY_ID = your_sts_access_key_id
      TABLESTORE_ACCESS_KEY_SECRET = your_sts_access_key_secret
      TABLESTORE_SESSION_TOKEN = your_sts_token

    2. Pass credential information by using the configuration file.

      # -*- coding: utf-8 -*-
      import configparser
      
      # Read configuration files
      config = configparser.ConfigParser()
      # Assume config.ini is in the same directory as the script
      config.read('config.ini')
      
      # Obtain the AccessKey ID, AccessKey Secret, and STS token from the configuration file
      access_key_id = config.get('configName', 'TABLESTORE_ACCESS_KEY_ID')
      access_key_secret = config.get('configName', 'TABLESTORE_ACCESS_KEY_SECRET')
      security_token = config.get('configName', 'TABLESTORE_SESSION_TOKEN')

Use credentials in the Function Compute context

If your application's function is deployed and running in Function Compute, you can use the credentials in the Function Compute context to obtain temporary access credentials.

In this approach, Function Compute assumes the server role specified for the function and obtains an STS token. The STS token, which remains valid for 36 hours, is passed to your application through the credentials parameter in the context. Because the maximum execution time for a function is 24 hours, the security token does not expire during execution and does not need to be refreshed. This method mitigates the risks associated with manually managing an AccessKey pair or security token. For more information on how to grant Function Compute permissions to access Tablestore, see Grant Function Compute permissions to access other cloud services.

  1. Use the credentials in the Function Compute context to obtain temporary access credentials.

    # -*- coding: utf-8 -*-
    
    def handler(event, context):
        # Obtain key information. Before execution, ensure that the service to
        # which the function belongs is configured with role information, and
        # that the role has Tablestore permissions. It is recommended to
        # directly use the AliyunFCDefaultRole role.
        creds = context.credentials
    
        access_key_id = creds.access_key_id
        access_key_secret = creds.access_key_secret
        security_token = creds.security_token
    
        # Subsequent operations...
    
        return 'success'

Long-term access credentials

If you have deployed your application in a secure and stable environment that is well-protected against external attacks and you need long-term access to Tablestore using the Python SDK, you can use the AccessKey pair (Access Key ID and Access Key Secret) from an Alibaba Cloud account or RAM user. For more information on how to retrieve an AccessKey pair, see Access Tablestore with RAM user access keys.

Warning

An Alibaba Cloud account has full access to all resources of the account. Leaks of the Alibaba Cloud account AccessKey pair pose critical security threats. We recommend that you use the AccessKey pair of a RAM user that is granted permissions based on the principle of least privilege.

Environment variables

  1. Configure environment variables for an AccessKey pair.

    Mac OS X/Linux/Unix
    # Specify AccessKey ID
    export TABLESTORE_ACCESS_KEY_ID=your_access_key_id
    # Specify AccessKey Secret
    export TABLESTORE_ACCESS_KEY_SECRET=your_access_key_secret

    Windows

    Run the Command Prompt as an administrator and execute the following commands.

    REM Specify AccessKey ID
    setx TABLESTORE_ACCESS_KEY_ID your_access_key_id /m
    REM Specify AccessKey Secret
    setx TABLESTORE_ACCESS_KEY_SECRET your_access_key_secret /m

    Note

    After configuring the environment variables, you may need to restart the relevant services or development tools such as IDE to ensure that the new settings are applied as expected.

  2. Pass credentials by using environment variables.

    # -*- coding: utf-8 -*-
    import os
    
    access_key_id = os.getenv("TABLESTORE_ACCESS_KEY_ID")
    access_key_secret = os.getenv("TABLESTORE_ACCESS_KEY_SECRET")

Static credentials

You can define credentials by using variables in your code. During code execution, these variables are populated with actual credential values sourced from environment variables, configuration files, or other external locations.

The following procedure describes how to use a configuration file to provide credentials.

  1. Create a configuration file config.ini.

    [configName]
    TABLESTORE_ACCESS_KEY_ID = your_access_key_id
    TABLESTORE_ACCESS_KEY_SECRET = your_access_key_secret

  2. Pass credential information by using the configuration file.

    # -*- coding: utf-8 -*-
    import configparser
    
    # Read configuration files
    config = configparser.ConfigParser()
    # Assume config.ini is in the same directory as the script
    config.read('config.ini')
    
    # Obtain the Access Key ID and Access Key Secret from the configuration file
    access_key_id = config.get('configName', 'TABLESTORE_ACCESS_KEY_ID')
    access_key_secret = config.get('configName', 'TABLESTORE_ACCESS_KEY_SECRET')
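
The environment-variable and configuration-file steps above, for both temporary and long-term credentials, combined into one loader. This is an added example, not code from the Tablestore SDK or from this documentation; the function names load_credentials, check_private and redact are hypothetical. It fails when a required value is missing, refuses a config.ini that other users can access, and masks values before they are logged.

```python
import configparser
import os
import stat

# Variable names and the [configName] section are the ones used on this page.
REQUIRED = ("TABLESTORE_ACCESS_KEY_ID", "TABLESTORE_ACCESS_KEY_SECRET")
OPTIONAL = ("TABLESTORE_SESSION_TOKEN",)  # set only for STS credentials


def check_private(path):
    """Reject a credential file that group or other users can access (POSIX)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} has mode {mode:o}; expected 600")


def load_credentials(env=None, config_path=None, section="configName"):
    """Read credentials from the environment, else from config_path."""
    env = os.environ if env is None else env
    names = REQUIRED + OPTIONAL
    values = {k: (env.get(k) or "").strip() for k in names}
    if config_path and not all(values[k] for k in REQUIRED):
        check_private(config_path)
        # interpolation=None keeps a '%' inside a secret from being expanded.
        parser = configparser.ConfigParser(interpolation=None)
        parser.read(config_path)
        # Take the whole set from one source: an STS token is only valid
        # together with the AccessKey pair it was issued with.
        values = {k: parser.get(section, k, fallback="").strip() for k in names}
    missing = [k for k in REQUIRED if not values[k]]
    if missing:
        # Name the missing variables; never put credential values in errors.
        raise RuntimeError("missing credentials: " + ", ".join(missing))
    return values


def redact(values):
    """Return a copy that is safe to log: ID prefix only, secrets masked."""
    safe = {k: "***" if v else "" for k, v in values.items()}
    safe["TABLESTORE_ACCESS_KEY_ID"] = values["TABLESTORE_ACCESS_KEY_ID"][:4] + "***"
    return safe


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample = {"TABLESTORE_ACCESS_KEY_ID": "STS.constructedExampleId",
              "TABLESTORE_ACCESS_KEY_SECRET": "constructed-secret",
              "TABLESTORE_SESSION_TOKEN": "constructed-token"}
    print(redact(load_credentials(env=sample)))
```

For long-term credentials the session token comes back as an empty string, so the caller can tell the two credential types apart.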

What to do next

After you have initialized a credential provider, you must use it to create an OTSClient instance. For more information, see Initialize Tablestore Client.