Configure a RAM role for an individual development environment


By associating an instance RAM role with your instance, you can use an STS temporary credential to access other cloud resources instead of a long-term AccessKey, which reduces the risk of credential leakage and improves security. This topic describes how to obtain an STS temporary credential by using an instance RAM role.

Background information

An instance RAM role is a RAM role whose trusted entity is an Alibaba Cloud service. This enables the cloud service to assume the role for secure cross-service access. For more information about RAM roles, see What is a RAM role?.

Using an instance RAM role to obtain a temporary access credential for authentication and access control offers a key benefit:

  • Enhanced security

    You do not need to manage credentials in the instance. Using an STS temporary credential instead of a long-term AccessKey reduces the risk of credential leakage.

Limits

You can associate only one RAM role with an individual development environment instance.

Step 1: Configure the RAM role

Scenario 1: Associate the DataWorks default role

When you use Notebook or Python for development, you can access some cloud products without providing an AccessKey ID and AccessKey Secret.

The DataWorks default role grants permissions to access only MaxCompute, Hologres, EMR Serverless Spark, Realtime Compute for Apache Flink, and Platform for AI (PAI). When you use a temporary access credential issued from this role to access these services, you have the same permissions as the owner of the individual development environment.

Associating the DataWorks default role with your instance gives it a temporary access credential that grants access to basic development resources without privilege escalation, so you do not need to create a custom RAM role.

After you associate the DataWorks default role, you do not need to configure an AccessKey in the following scenarios:

  • Access MaxCompute, Hologres, EMR Serverless Spark, Realtime Compute for Apache Flink, or Platform for AI (PAI) by using a Notebook SQL cell.

  • Submit tasks to a MaxCompute project where the instance owner has execution permissions by using the ODPS SDK.

In the Advanced Information section, find the Instance RAM role setting and select DataWorks default role.

Scenario 2: Do not associate a RAM role

If your instance is publicly visible in the workspace, do not associate a RAM role with it to prevent permission leakage. When you create or modify an instance, set the Instance RAM role option in the Advanced Information section to Do not associate role.

If no RAM role is associated, you can access cloud products by configuring the AccessKey ID and AccessKey Secret in your code.

Step 2: Obtain a temporary access credential

After associating a RAM role with an individual development environment instance, you can obtain a temporary access credential in one of the following ways.

Method 1: Use the Credentials tool

The Credentials tool calls a local service that is automatically injected into the instance at creation. This service fetches an STS temporary credential and automatically rotates it.

To obtain the instance RAM role's credential by using the Credentials tool, run the following command to install the tool. The following example uses Python.

pip install alibabacloud_credentials

The following code shows an example of how to use the Credentials tool. For SDK examples in other languages, see Best practices for using an access credential to call API operations.

from alibabacloud_credentials.client import Client as CredClient
from alibabacloud_credentials.models import Config as CredConfig

credentialsConfig = CredConfig(
    type='credentials_uri'   # Optional. If you have not configured other providers in the default credential chain, you do not need to explicitly specify this parameter. The Credentials SDK automatically obtains a temporary credential by using the URI.
)
# Pass the Config instance (not the Config class) to the client.
credentialsClient = CredClient(credentialsConfig)

Method 2: Query the local service endpoint

From the terminal within your individual development environment instance, you can run the following command to directly query the injected local service and obtain credentials.

# Obtain the temporary access credential for the instance RAM role.
curl $ALIBABA_CLOUD_CREDENTIALS_URI

The following is a sample response. The parameters are described as follows:

  • SecurityToken: The temporary token of the instance RAM role.

  • Expiration: The expiration time of the temporary access credential.

{
	"Code": "Success",
	"AccessKeyId": "************",
	"AccessKeySecret": "************",
	"SecurityToken": "DFE32G*******",
	"Expiration": "2024-05-21T10:39:29Z"
}

Method 3: Read the local credentials file

You can access a file at a specific path within the individual development environment instance to obtain the temporary access credential of the instance RAM role. The file is located at /mnt/.alibabacloud/credentials and contains the following content:

{
	"AccessKeyId": "*********",
	"AccessKeySecret": "***************",
	"SecurityToken": "DFE32G*******",
	"Expiration": "2024-05-21T10:39:29Z"
}
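Both Method 2 and Method 3 hand you the same JSON payload, and the only security-relevant handling on your side is to validate it and respect the Expiration field rather than caching the token indefinitely. The following added example (not code from the DataWorks documentation or SDK) parses that payload from either source, rejects a non-Success Code or missing fields, and reports when the credential is expired or within a refresh margin of expiring. The sample payload is constructed with placeholder values; the file path and the ALIBABA_CLOUD_CREDENTIALS_URI variable are the ones documented above, and the five-minute refresh margin is an assumed policy value.

```python
import json
import os
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample with the same shape as the response shown above.
# All values are placeholders, not real credentials.
SAMPLE_RESPONSE = """{
    "Code": "Success",
    "AccessKeyId": "AKID_PLACEHOLDER",
    "AccessKeySecret": "SECRET_PLACEHOLDER",
    "SecurityToken": "TOKEN_PLACEHOLDER",
    "Expiration": "2024-05-21T10:39:29Z"
}"""

# Path of the credentials file inside the instance (Method 3).
CREDENTIALS_FILE = "/mnt/.alibabacloud/credentials"

# Assumed policy: refresh a little before the STS token actually expires,
# so an in-flight request never fails with an expired token.
REFRESH_MARGIN = timedelta(minutes=5)


class CredentialError(Exception):
    """Raised when the credential payload is malformed, incomplete, or rejected."""


def parse_credential(payload: str) -> dict:
    """Validate the JSON from the credential URI (Method 2) or file (Method 3).

    Only the URI response carries "Code"; the file omits it. Both carry the same
    four credential fields, and every one of them must be present and non-empty.
    """
    try:
        data = json.loads(payload)
    except json.JSONDecodeError as exc:
        raise CredentialError(f"credential payload is not valid JSON: {exc}") from exc

    code = data.get("Code", "Success")
    if code != "Success":
        raise CredentialError(f"credential service returned Code={code!r}")

    required = ("AccessKeyId", "AccessKeySecret", "SecurityToken", "Expiration")
    missing = [name for name in required if not data.get(name)]
    if missing:
        raise CredentialError(f"credential payload is missing fields: {missing}")

    # Expiration is an ISO 8601 timestamp in UTC with a trailing Z.
    expires_at = datetime.strptime(data["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    expires_at = expires_at.replace(tzinfo=timezone.utc)
    return {
        "access_key_id": data["AccessKeyId"],
        "access_key_secret": data["AccessKeySecret"],
        "security_token": data["SecurityToken"],
        "expires_at": expires_at,
    }


def needs_refresh(cred: dict, now: Optional[datetime] = None,
                  margin: timedelta = REFRESH_MARGIN) -> bool:
    """Return True when the credential has expired or will within the margin."""
    now = now or datetime.now(timezone.utc)
    return now + margin >= cred["expires_at"]


def load_from_file(path: str = CREDENTIALS_FILE) -> dict:
    """Read and validate the credentials file written by the local service (Method 3)."""
    with open(path, "r", encoding="utf-8") as fh:
        return parse_credential(fh.read())


def load_from_uri(timeout: float = 5.0) -> dict:
    """Fetch and validate the credential from the injected local service (Method 2).

    Standard library only, so it mirrors the curl command shown above.
    """
    from urllib.request import urlopen

    uri = os.environ.get("ALIBABA_CLOUD_CREDENTIALS_URI")
    if not uri:
        raise CredentialError("ALIBABA_CLOUD_CREDENTIALS_URI is not set; "
                              "is a RAM role associated with this instance?")
    with urlopen(uri, timeout=timeout) as resp:
        return parse_credential(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    cred = parse_credential(SAMPLE_RESPONSE)
    print("token expires at", cred["expires_at"].isoformat())
    print("needs refresh now:", needs_refresh(cred))
```

Inside a running instance, call load_from_uri() or load_from_file() instead of parsing the sample, and re-fetch whenever needs_refresh() returns True; the local service rotates the token on its side, so the client only has to stop using a stale copy.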

Step 3: Access MaxCompute

  1. Run the following commands to install the Credentials tool and the ODPS SDK.

    # Install the Credentials tool.
    pip install alibabacloud_credentials
    # Install the ODPS SDK.
    pip install odps
  2. Use the temporary credential from the instance RAM role to access ODPS and retrieve the list of tables in a specified project.

    from alibabacloud_credentials import providers
    from odps.accounts import CredentialProviderAccount
    from odps import ODPS

    if __name__ == '__main__':
        # The default provider chain picks up the credential URI injected into the instance.
        account = CredentialProviderAccount(providers.DefaultCredentialsProvider())
        o = ODPS(
            account=account,
            project="{odps_project}",    # Replace with your project name.
            endpoint="{odps_endpoint}",  # Replace with the endpoint of the region where your project is located.
        )
        for t in o.list_tables():
            print(t)