This topic describes how to grant a Resource Access Management (RAM) user access to Serverless Workflow and how to configure the permission policies for that user.

Background information

If you log on to the Serverless Workflow console with the user name and password of an Alibaba Cloud account, or access the service with a RAM user that has been granted the AdministratorAccess policy, you can skip this topic and access the service directly. If you use a RAM user that has limited permissions, perform the following steps to configure permission policies.

Procedure

  1. Log on to the RAM console. In the left-side navigation pane, choose Permissions > Policies. On the page that appears, click Create Policy. Use the following JSON content as the policy content, and create a policy named FnFRAMUserPolicy.
        {
          "Version": "1",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "ram:PassRole",
              "Resource": "*"
            },
            {
              "Action": "fc:*",
              "Resource": "*",
              "Effect": "Allow"
            },
            {
              "Action": "fnf:*",
              "Resource": "*",
              "Effect": "Allow"
            },
            {
              "Action": "oss:*",
              "Resource": "acs:oss:*:*:fun-gen-*",
              "Effect": "Allow"
            },
            {
              "Action": "ros:*",
              "Resource": "*",
              "Effect": "Allow"
            },
            {
              "Effect": "Allow",
              "Action": "ram:CreateRole",
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": "ram:GetPolicy",
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": "ram:CreatePolicy",
              "Resource": "acs:ram:*:*:policy/*"
            },
            {
              "Effect": "Allow",
              "Action": "ram:DeletePolicy",
              "Resource": [
                "acs:ram:*:*:policy/fnf-sample*"
              ]
            },
            {
              "Effect": "Allow",
              "Action": "ram:AttachPolicyToRole",
              "Resource": [
                "acs:ram:*:*:role/fnf-sample*",
                "acs:ram:*:*:role/fnf-execution-default-role*",
                "acs:ram:*:*:policy/fnf-sample*",
                "acs:ram:*:system:policy/AliyunECSNetworkInterfaceManagementAccess",
                "acs:ram:*:system:policy/AliyunFCInvocationAccess",
                "acs:ram:*:system:policy/AliyunFnFFullAccess",
                "acs:ram:*:system:policy/AliyunMNSFullAccess"
              ]
            },
            {
              "Effect": "Allow",
              "Action": "ram:DetachPolicyFromRole",
              "Resource": [
                "acs:ram:*:*:role/fnf-sample*",
                "acs:ram:*:*:role/fnf-execution-default-role*",
                "acs:ram:*:*:policy/fnf-sample*",
                "acs:ram:*:system:policy/AliyunECSNetworkInterfaceManagementAccess",
                "acs:ram:*:system:policy/AliyunFCInvocationAccess",
                "acs:ram:*:system:policy/AliyunFnFFullAccess",
                "acs:ram:*:system:policy/AliyunMNSFullAccess"
              ]
            },
            {
              "Effect": "Allow",
              "Action": "ram:ListRoles",
              "Resource": "acs:ram:*:*:role/*"
            },
            {
              "Effect": "Allow",
              "Action": "ram:GetRole",
              "Resource": "acs:ram:*:*:role/*"
            },
            {
              "Effect": "Allow",
              "Action": "ram:DeleteRole",
              "Resource": [
                "acs:ram:*:*:role/fnf-sample*"
              ]
            },
            {
              "Effect": "Allow",
              "Action": "ram:ListPoliciesForRole",
              "Resource": "acs:ram:*:*:role/*"
            }
          ]
        }
  2. In the RAM console, choose Identities > Users in the left-side navigation pane. Then, attach the policy created in the preceding step to the RAM user that will use Serverless Workflow.
    Note
    • The RAM user permissions described above cover basic operations. If permissions are insufficient when you use application templates or sample projects that involve additional cloud resources in the console, grant the corresponding permissions to the RAM user.
    • To keep permissions fine-grained, the sensitive RAM operations in the example, such as AttachPolicyToRole, can be performed only on roles and policies whose names are prefixed with fnf-sample or fnf-execution-default-role. If you need to change the sample project name or the default application center name, modify the preceding policy accordingly.
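As an added check (example code, not part of this page's procedure or any Alibaba Cloud tool), the Python below evaluates a constructed excerpt of the policy above against concrete actions and resources, and lists the ram: actions that the policy still grants on Resource "*" (ram:PassRole in the excerpt; in the full policy also ram:CreateRole and ram:GetPolicy). It assumes that RAM's `*` wildcard matches any run of characters and that an explicit Deny overrides Allow.

```python
import json
import re

# Constructed excerpt of the FnFRAMUserPolicy statements shown above;
# the matching logic applies unchanged to the full policy.
POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "ram:PassRole", "Resource": "*"},
    {"Effect": "Allow", "Action": "fnf:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "oss:*", "Resource": "acs:oss:*:*:fun-gen-*"},
    {"Effect": "Allow", "Action": "ram:CreatePolicy", "Resource": "acs:ram:*:*:policy/*"},
    {"Effect": "Allow", "Action": "ram:DeletePolicy", "Resource": ["acs:ram:*:*:policy/fnf-sample*"]},
    {"Effect": "Allow", "Action": "ram:AttachPolicyToRole",
     "Resource": ["acs:ram:*:*:role/fnf-sample*",
                  "acs:ram:*:*:role/fnf-execution-default-role*",
                  "acs:ram:*:system:policy/AliyunFnFFullAccess"]},
    {"Effect": "Allow", "Action": "ram:DeleteRole", "Resource": ["acs:ram:*:*:role/fnf-sample*"]}
  ]
}""")

def _matches(pattern, value):
    """RAM-style wildcard match: '*' matches any run of characters (including none)."""
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None

def _as_list(field):
    return field if isinstance(field, list) else [field]

def is_allowed(policy, action, resource):
    """True if an Allow statement covers (action, resource) and no Deny statement does."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny always wins over Allow
        allowed = True
    return allowed

def unscoped_ram_actions(policy):
    """ram:* actions the policy allows on Resource "*"; review these first."""
    found = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow" and "*" in _as_list(stmt["Resource"]):
            found += [a for a in _as_list(stmt["Action"]) if a.startswith("ram:")]
    return found
```

Run it against the full policy after any edit to the prefixes to confirm that AttachPolicyToRole and DeleteRole still refuse roles outside the fnf-sample and fnf-execution-default-role namespaces.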