This topic describes authorization policies of Serverless Workflow. You can use the Resource Access Management (RAM) service to grant permissions to the specified groups, group members, and RAM users. You can also perform cross-service access control in the RAM console.

Background

Note If you can access target resources without authorization, skip this section.
By default, you can call Serverless Workflow API operations to manage the resources that belong to your Alibaba Cloud account or RAM user. Specific permissions are required in the following scenarios:
  • Your RAM user has no permissions to manage the resources in your Alibaba Cloud account.
  • You use other Alibaba Cloud services to access Serverless Workflow, or use Serverless Workflow to access other Alibaba Cloud services.
  • To manage Serverless Workflow resources that are under access control, the resource owner must grant the required permissions on the target resources and API operations.

When an account requests access to Serverless Workflow resources in your Alibaba Cloud account by calling Serverless Workflow API operations, Alibaba Cloud Serverless Workflow instructs RAM to perform a permission check to ensure that the required permissions have been granted to the account that sends the request. Different Serverless Workflow API operations determine which resource permissions need to be checked based on the resources involved and operation semantics. For more information about authorization policies and access control, see What is RAM? and API overview in the RAM documentation.

Custom policies

You can use the RAM console or call the CreatePolicy API operation of RAM to create a custom policy. If Script is selected as the policy configuration mode, you must specify the value of PolicyDocument based on the JSON template file. You must specify the values of the Action and Resource parameters based on the authorization list in the following section. For more information, see Implement access control by using RAM and Policy elements.
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:[ECS RAM Action]",
                "ecs:DescribeInstances"
            ],
            "Resource": [
                "[ECS RAM Action Resource]",
                "acs:ecs:$regionid:15619224785*****:instance/i-bp1bzvz55uz27hf*****"
            ],
            "Effect": "Allow"
        }
    ]
}

API operations for authorization

The value of an Alibaba Cloud Resource Name (ARN) is used to configure a custom access policy. You can create a custom access policy and grant it to RAM users or cloud services by using RAM. For more information about the ARN format, see Terms in the RAM documentation. The following table lists the ARN values of Serverless Workflow API operations.

Action               ARN value
ListFlows            acs:fnf:${region-id}:${resource-owner-id}:flow/*
CreateFlow           acs:fnf:${region-id}:${resource-owner-id}:flow/*
DescribeFlow         acs:fnf:${region-id}:${resource-owner-id}:flow/${flow-name}
UpdateFlow           acs:fnf:${region-id}:${resource-owner-id}:flow/${flow-name}
DeleteFlow           acs:fnf:${region-id}:${resource-owner-id}:flow/${flow-name}
StartExecution       acs:fnf:${region-id}:${resource-owner-id}:flow/${flow-name}/execution/*
ListExecutions       acs:fnf:${region-id}:${resource-owner-id}:flow/${flow-name}/execution/*
DescribeExecution    acs:fnf:${region-id}:${resource-owner-id}:flow/${flow-name}/execution/${execution-name}
StopExecution        acs:fnf:${region-id}:${resource-owner-id}:flow/${flow-name}/execution/${execution-name}
GetExecutionHistory  acs:fnf:${region-id}:${resource-owner-id}:flow/${flow-name}/execution/${execution-name}
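The following Python script is an added example, not code from the Alibaba Cloud documentation. It ties the custom-policy template above to the ARN table: it builds a least-privilege policy that lets an operator inspect one flow and start, list, inspect and stop that flow's executions, but grants nothing on other flows and none of CreateFlow, UpdateFlow or DeleteFlow. It then runs a small deny-by-default evaluator over the policy to show which requests it would and would not permit, including that a broad flow/* resource also covers every execution under every flow. Assumptions: the RAM action names use the service code from the ARN as their prefix (fnf:ListFlows and so on); the region, account ID and flow name are constructed placeholders; and the evaluator is a simplified model (explicit Deny beats Allow, unmatched requests are denied, Condition elements are ignored), not RAM's actual engine.

```python
import json
import re

# Constructed sample values for this example (not from the page).
REGION = "cn-hangzhou"
OWNER_ID = "1234567890123456"      # placeholder resource-owner (Alibaba Cloud account) ID
FLOW_NAME = "order-processing"     # placeholder flow name


def fnf_arn(region, owner_id, flow_name="*", execution_name=None):
    """Build a Serverless Workflow ARN in the form listed in the table:
    acs:fnf:${region-id}:${resource-owner-id}:flow/${flow-name}[/execution/${execution-name}]"""
    arn = f"acs:fnf:{region}:{owner_id}:flow/{flow_name}"
    if execution_name is not None:
        arn += f"/execution/{execution_name}"
    return arn


def build_operator_policy(region, owner_id, flow_name):
    """Least-privilege custom policy for an 'operator' on ONE flow.

    Assumption: action names use the ARN service code as prefix ("fnf:").
    No CreateFlow/UpdateFlow/DeleteFlow, and nothing outside this flow.
    """
    flow_arn = fnf_arn(region, owner_id, flow_name)          # .../flow/<name>
    exec_arn = fnf_arn(region, owner_id, flow_name, "*")     # .../flow/<name>/execution/*
    return {
        "Version": "1",
        "Statement": [
            {
                "Action": ["fnf:DescribeFlow"],
                "Resource": [flow_arn],
                "Effect": "Allow",
            },
            {
                "Action": [
                    "fnf:StartExecution",
                    "fnf:ListExecutions",
                    "fnf:DescribeExecution",
                    "fnf:StopExecution",
                    "fnf:GetExecutionHistory",
                ],
                "Resource": [exec_arn],
                "Effect": "Allow",
            },
        ],
    }


def policy_document(policy):
    """Serialize for the PolicyDocument parameter (CreatePolicy / console Script mode)."""
    return json.dumps(policy, indent=4)


def _wildcard_match(pattern, value):
    """RAM-style wildcard: '*' matches any run of characters, including '/' and ':'."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def is_allowed(policy, action, resource):
    """Simplified evaluator: explicit Deny wins over Allow; unmatched requests are denied.
    Ignores Condition elements, so use it only as a pre-attachment sanity check."""
    decision = False
    for stmt in policy["Statement"]:
        action_hit = any(_wildcard_match(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_wildcard_match(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        if stmt["Effect"] == "Allow":
            decision = True
    return decision


if __name__ == "__main__":
    policy = build_operator_policy(REGION, OWNER_ID, FLOW_NAME)
    print(policy_document(policy))
    checks = [
        ("fnf:StartExecution", fnf_arn(REGION, OWNER_ID, FLOW_NAME, "run-001")),
        ("fnf:StartExecution", fnf_arn(REGION, OWNER_ID, "another-flow", "run-001")),
        ("fnf:DeleteFlow", fnf_arn(REGION, OWNER_ID, FLOW_NAME)),
    ]
    for act, res in checks:
        print(f"{act:<22} {res:<75} {'allow' if is_allowed(policy, act, res) else 'deny'}")
```

Paste the printed document into the PolicyDocument field when creating the policy. Keeping flow-level and execution-level resources in separate statements makes the scope of each action visible at review time; a single statement with flow/* would silently extend to every execution of every flow.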