This topic describes content related to execution roles, including how to create a permission policy and an execution role.

Background information

When you use Serverless workflow to create an application, you must create an execution role and grant it related permissions. When Serverless workflow executes a flow, it assumes this role and accesses cloud services on your behalf, such as executing functions, sending messages, and executing flows.

You can use the Serverless workflow console to create an execution role and grant it system permissions. To control access at a finer granularity, for example to allow flows to invoke only one or several functions in Function Compute, follow the procedure below.

Serverless workflow uses Resource Access Management (RAM) to implement role-based permission management. The following content describes the basic idea of authorization: A policy indicates the capability to access a service. After the policy is bound to a role, this role can access the service. When a third party needs to access this service, it only needs to assume the role that can access the service. This prevents long-term keys from being used and makes the system more secure.

Create permission policies

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. Set Policy Name and Note. For example, set Policy Name to FnFExecutionRolePolicy.
  5. Select Script for Configuration Mode, and edit the policy. For more information, see Policy structure and syntax. The following table provides examples of common permissions.
| Description | Effect | Action | Resource |
|---|---|---|---|
| This policy allows access to the Func1 function of the Test1 service. | Allow | fc:InvokeFunction | acs:fc:::services/Test1/functions/Func1 |
| This policy allows access to all functions of the Test2 service. | Allow | fc:InvokeFunction | acs:fc:::services/Test2/functions/* |
| This policy allows access to all functions of the services whose names start with Public. | Allow | fc:InvokeFunction | acs:fc:::services/Public*/functions/* |
| This policy allows sending messages to the Test1 queue. | Allow | mns:SendMessage | acs:mns:*:*:/queues/Test1/messages |
| This policy allows the execution of the Test1 flow. | Allow | fnf:StartExecution | acs:fnf:::flows/Test1/executions/* |
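As an added example (not part of this topic or of the product's own tooling), the following Python script embeds a policy document built from the table rows above in RAM script syntax and checks it with a simplified Allow/Deny evaluator, so you can confirm before attaching it that the execution role is granted exactly the functions, queues and flows it needs and nothing more. Assumptions: the policy body is constructed for illustration, and the evaluator models only Effect/Action/Resource with `*` wildcards (Condition blocks are ignored).

```python
import json
from fnmatch import fnmatchcase

# Constructed example policy in RAM script syntax ("Version": "1"), built from
# the table rows above. Assumption: this is the kind of script pasted in step 5;
# it is not taken from the product's own documentation.
FNF_EXECUTION_ROLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "fc:InvokeFunction",
     "Resource": ["acs:fc:::services/Test1/functions/Func1",
                  "acs:fc:::services/Test2/functions/*",
                  "acs:fc:::services/Public*/functions/*"]},
    {"Effect": "Allow", "Action": "mns:SendMessage",
     "Resource": "acs:mns:*:*:/queues/Test1/messages"},
    {"Effect": "Allow", "Action": "fnf:StartExecution",
     "Resource": "acs:fnf:::flows/Test1/executions/*"}
  ]
}
""")


def _as_list(value):
    """RAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified RAM evaluation: an explicit Deny wins, otherwise any matching
    Allow grants, otherwise the request is implicitly denied. '*' wildcards are
    matched with fnmatch; Condition blocks are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def check_least_privilege(policy, expected):
    """Return (action, resource, actual) triples whose outcome differs from
    `expected`, a dict mapping (action, resource) -> bool. An empty list means
    the policy grants exactly what the flow needs and nothing more."""
    return [(a, r, is_allowed(policy, a, r))
            for (a, r), want in expected.items()
            if is_allowed(policy, a, r) != want]
```

Run `check_least_privilege` with the calls your flow definition actually makes marked True and a few neighbouring resources (other functions in the same service, other flows) marked False; any triple it returns is either a missing grant or an over-broad one.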

Create an execution role

  1. Log on to the RAM console.
  2. Choose RAM Roles > Create RAM Role, and set the following parameters:
    • Select Alibaba Cloud Service for Trusted Entity Service.
    • Select Function Flow for Selected Trusted Service.
    • Set RAM Role Name to FnFExecutionRole.
  3. Add the FnFExecutionRolePolicy policy to the created FnFExecutionRole role.
  4. Copy the Alibaba Cloud Resource Name (ARN) of the created role for use when a flow is created or updated.