All Products
Search

This Product

    Tablestore:Use AccessKey pairs of RAM users to initiate requests

    Document Center

    Tablestore:Use AccessKey pairs of RAM users to initiate requests

    Last Updated:Sep 19, 2024

    You can grant specific permissions to a RAM user and use the AccessKey pair of the RAM user to access specific Tablestore resources for a long period of time. Compared with using the AccessKey pair of an Alibaba Cloud account to access Tablestore resources, using the AccessKey pair of a RAM user is more secure.

    Step 1: Create a RAM user

    1. Log on to the RAM console by using an Alibaba Cloud account or a RAM user who has administrative rights.

    2. In the left-side navigation pane, choose Identities > Users.

    3. On the Users page, click Create User.

    4. In the User Account Information section of the Create User page, configure the following parameters:

      • Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).

      • Display Name: The display name can be up to 128 characters in length.

      • Tag: Click the edit icon and enter a tag key and a tag value. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.

      Note

      You can click Add User to create multiple RAM users at a time.

    5. In the Access Mode section, select OpenAPI Access and click ok.

    6. Follow the on-screen instructions to complete security verification.

    7. Click Copy to save the AccessKey pair of the RAM user.

      Important

      You can obtain the AccessKey secret of a RAM user only when you create the RAM user. You cannot query the AccessKey secret in subsequent operations. Record and keep your AccessKey secret confidential.

    Step 2: Grant the RAM user the read-only permissions on Tablestore

    Use a system policy

    Attach the AliyunOTSReadOnlyAccess policy to the RAM user. For more information, see Grant permissions to a RAM user.

    Note

    • To authorize the RAM user to manage Tablestore, such as creating an instance, attach the AliyunOTSFullAccess policy to the RAM user.

    • To grant read-only access to Tablestore, such as reading data from a table, attach the AliyunOTSReadOnlyAccess policy to the RAM user.

    • To grant write-only access to Tablestore, such as creating a data table, attach the AliyunOTSWriteOnlyAccess policy to the RAM user.

    Use a custom policy

    1. Create a custom policy.

      1. In the left-side navigation pane, choose Permissions > Policies.

      2. On the Policies page, click Create Policy.

      3. On the Create Policy page, click JSON. Enter the following script in the code editor to specify the permissions to read data from the ram-test-app instance:

        Warning

        The following example is provided for reference only. You must configure fine-grained RAM policies based on your requirements to avoid granting excessive permissions to users. For information about how to configure fine-grained RAM policies, see Create a custom policy. 

        {
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ots:BatchGet*",
        "ots:Describe*",
        "ots:Get*",
        "ots:List*",
        "ots:Consume*",
        "ots:Search",
        "ots:ComputeSplitPointsBySize"
      ],
      "Resource": [
        "acs:ots:*:*:instance/ram-test-app*"
      ],
      "Condition": {}
    }
  ]
}

      4. Click Next to edit policy information.

      5. In the Basic information section, set Name to RamTestPolicy and click OK.

    2. Attach the custom policy to the RAM user.

      1. In the left-side navigation pane, choose Identities > Users.

      2. On the Users page, find the RAM user to which you want to attach the custom policy.

      3. On the Users page, click Add Permissions in the Actions column of the RAM user.

      4. In the Add Permissions panel, select Custom Policy from the drop-down list in the Policy section and then select the RamTestPolicy policy.

      5. Click Grant permissions.

    Step 3: Use the AccessKey pair of the RAM user to query the names of tables in a Tablestore instance

    The following sample code in Java provides an example on how to query the names of tables in a Tablestore instance:

    import com.alicloud.openservices.tablestore.SyncClient;
import com.alicloud.openservices.tablestore.core.ResourceManager;
import com.alicloud.openservices.tablestore.core.auth.CredentialsProviderFactory;
import com.alicloud.openservices.tablestore.core.auth.EnvironmentVariableCredentialsProvider;
import com.alicloud.openservices.tablestore.model.ListTableResponse;

public class RamAccessKeySample {
    public static void main(String[] args) {
        // Specify the name of the Tablestore instance. 
        String instanceName = "yourInstance";
        // Specify the endpoint of the Tablestore instance. Example: https://yourInstance.cn-hangzhou.ots.aliyuncs.com. 
        String endPoint = "yourEndpoint";

        // We recommend that you do not save access credentials in the project code. Otherwise, access credentials may be leaked. As a result, the security of all resources in your account is compromised. 
        // In this example, the access credentials are obtained from environment variables. Before you run the sample code, make sure that the TABLESTORE_ACCESS_KEY_ID and TABLESTORE_ACCESS_KEY_SECRET environment variables are configured. 
        EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();

        // Create an OTSClient instance.
        SyncClient client = new SyncClient(endPoint, credentialsProvider, instanceName, null, new ResourceManager(null, null));

        // Query the names of tables.
        ListTableResponse listTableResponse = client.listTable();
        listTableResponse.getTableNames().forEach(System.out::println);

        // Shut down the OTSClient instance.
        client.shutdown();
    }
}