Function Compute lets you classify service resources that serve the same purpose by tags, which makes searching and aggregating resources easier. You can also use tags to group services and give roles with different permissions access to services in different groups. This topic describes the usage notes, limits, and how to manage tags in the Function Compute console.

Instructions for Use

  • Tags and service resources are in an N-to-N relationship.
  • Each tag consists of a key-value pair.
  • A tag serves as a condition to implement fine-grained authorization on resources within a specified scope.
  • The resources under the service, versions, aliases, functions, and triggers all inherit the tags of the service.
    • Tag-based authorization applies as long as the service name is specified in the API call.
    • All versions of a service share the same tags. Therefore, a change to the tags of a service affects tag-based authorization for all versions and aliases of the service.

Limits

  • Each tag key must be 1 to 64 case-sensitive Unicode characters in length.
  • Each tag value must be 1 to 128 case-sensitive Unicode characters in length.
  • Each tag key on a resource can have only one value. If you add a tag that has the same key as an existing tag on a resource, the new value overwrites the original value.
  • Each resource can have a maximum of 20 tags.
  • A tag key cannot start with aliyun or acs:, cannot contain http:// or https://, and cannot be an empty string.
  • A tag value cannot contain http:// or https://, and cannot be an empty string.
  • Tags cannot be used across regions. For example, tags created in the China (Hangzhou) region are invisible in the China (Shanghai) region.
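The following added example (not part of the original page or the Function Compute SDK) applies the limits above as a client-side check before tags are sent to the service, including the overwrite-on-same-key and 20-tags-per-resource rules; the service itself enforces the real limits, so this is only a pre-flight check.

```python
MAX_TAGS_PER_RESOURCE = 20
FORBIDDEN_KEY_PREFIXES = ("aliyun", "acs:")
FORBIDDEN_SUBSTRINGS = ("http://", "https://")


def validate_tag(key, value):
    """Return the list of violated limits for one key-value pair (empty = valid).
    The rules are applied exactly as the Limits section states them, so the
    prefix check is case-sensitive like the keys themselves."""
    problems = []
    if not 1 <= len(key) <= 64:
        problems.append("key must be 1 to 64 characters")
    if not 1 <= len(value) <= 128:
        problems.append("value must be 1 to 128 characters")
    if key.startswith(FORBIDDEN_KEY_PREFIXES):
        problems.append("key must not start with aliyun or acs:")
    if any(s in key for s in FORBIDDEN_SUBSTRINGS):
        problems.append("key must not contain http:// or https://")
    if any(s in value for s in FORBIDDEN_SUBSTRINGS):
        problems.append("value must not contain http:// or https://")
    return problems


def merge_tags(existing, new):
    """Apply new tags to a resource's current tag set and return the result.
    A new tag with an existing key overwrites the old value (so it does not
    count as an extra tag); the merged set must stay within 20 tags."""
    for key, value in new.items():
        problems = validate_tag(key, value)
        if problems:
            raise ValueError("tag %r: %s" % (key, "; ".join(problems)))
    merged = dict(existing)
    merged.update(new)  # same key overwrites the original value
    if len(merged) > MAX_TAGS_PER_RESOURCE:
        raise ValueError("resource would carry %d tags, limit is %d"
                         % (len(merged), MAX_TAGS_PER_RESOURCE))
    return merged


if __name__ == "__main__":
    # Constructed sample: the team tag used later on this page.
    print(merge_tags({"env": "prod"}, {"team": "dev"}))
```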

Create tags

  1. Log on to the Function Compute console.
  2. In the left-side navigation pane, click Services and Functions.
  3. In the top navigation bar, select the region where the service resides.
  4. On the Services page, click the target service.
  5. In the left-side navigation pane, click Service Details.
  6. In the Basic Information section, move the pointer over the tag icon next to Tags, and then click Add in the dialog box that appears.
  7. In the Edit service tag panel, set Tag Key and Tag Value, and then click OK.
    To create multiple tags for the service, repeat this step and enter multiple key-value pairs.
    After you create a tag, move the pointer over the tag icon on the Service Details page again to see the tag you just created.

Update tags

  1. Log on to the Function Compute console.
  2. In the left-side navigation pane, click Services and Functions.
  3. In the top navigation bar, select the region where the service resides.
  4. On the Services page, click the target service.
  5. In the left-side navigation pane, click Service Details.
  6. In the Basic Information section, move the pointer over the tag icon next to Tags, and then click Edit in the dialog box that appears.
  7. In the Edit Service Tags panel, enter a new Tag Key and Tag Value, or modify the Tag Value of an existing Tag Key, and then click OK.

Remove a tag

  1. Log on to the Function Compute console.
  2. In the left-side navigation pane, click Services and Functions.
  3. In the top navigation bar, select the region where the service resides.
  4. On the Services page, click the target service.
  5. In the left-side navigation pane, click Service Details.
  6. In the Basic Information section, move the pointer over the tag icon next to Tags, and then click Edit in the dialog box that appears.
  7. In the Edit Service Tags panel, find the target Tag Key and Tag Value, click the Delete icon, and then click OK.

Use tags to perform group-based service authorization

Assume that you have created 10 Function Compute services. You need to authorize the dev team to manage five of them and the ops team to manage the other five, and each team must be able to view only the services it is authorized for, not the others. In this case, you can use the tag feature to group the services and then grant the two teams different permissions on the two groups: add a tag with the key team and the value dev to five of the services, and a tag with the key team and the value ops to the other five.

  1. Attach the team:dev tag to the five services that you want to authorize the dev team to manage, and attach the team:ops tag to the five services that you want to authorize the ops team to manage. For more information, see Create tags.
  2. Create RAM users for the members of the two teams. For more information, see Create a RAM user.
  3. Create two user groups named dev and ops. For more information, see Create a user group.
  4. Add the RAM users of each team to the corresponding user group. For more information, see Add a RAM user to a RAM user group.
  5. Grant different permissions to the two user groups.
    Function Compute supports system policies and custom policies. You can select an appropriate policy as needed.
    • Grant permissions to different user groups by using system policies.

      For more information, see Grant permissions to a RAM user group.

    • Grant permissions to different user groups by using custom policies.
      1. Create a custom policy.
        For example, you can create a custom policy named policyForDevTeam that is used to grant permissions to the dev team. The following sample code shows the policy:
        {
            "Statement": [
                {
                    "Action": "fc:*",
                    "Effect": "Allow",
                    "Resource": "*",
                    "Condition": {
                        "StringEquals": {
                            "fc:tag/team": "dev"
                        }
                    }
                },
                {
                    "Action": "fc:ListServices",
                    "Effect": "Allow",
                    "Resource": "*"
                },
                {
                    "Action": "fc:GetResourceTags",
                    "Effect": "Allow",
                    "Resource": "*"
                }
            ],
            "Version": "1"
        }
        Then, you can create a custom policy named policyForOpsTeam that is used to grant permissions to the ops team. The following sample code shows the policy:
        {
            "Statement": [
                {
                    "Action": "fc:*",
                    "Effect": "Allow",
                    "Resource": "*",
                    "Condition": {
                        "StringEquals": {
                            "fc:tag/team": "ops"
                        }
                    }
                },
                {
                    "Action": "fc:ListServices",
                    "Effect": "Allow",
                    "Resource": "*"
                },
                {
                    "Action": "fc:GetResourceTags",
                    "Effect": "Allow",
                    "Resource": "*"
                }
            ],
            "Version": "1"
        }
      2. Grant permissions to the two user groups by selecting the custom policies that you created. For more information, see Grant permissions to a RAM user group.

    After the authorization is complete, the RAM users in the dev user group can manage only the services tagged with team:dev and the RAM users in the ops user group can manage only the services tagged with team:ops.
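To show why the two policies have the shape they do, here is an added example (not part of the original page or of RAM itself) that evaluates the policyForDevTeam and policyForOpsTeam documents against a constructed inventory of tagged services. It models only what the page's policies use: Allow statements, the fc:* wildcard, and a StringEquals condition on fc:tag/team; the service inventory and the claim that untagged services match neither team are assumptions of the example.

```python
# Constructed sample inventory: service name -> tags. Functions, versions and
# aliases inherit their service's tags, so the service's tags decide access.
SERVICES = {
    "billing-api": {"team": "dev"},
    "log-shipper": {"team": "ops"},
    "sandbox": {},  # untagged: satisfies neither team's condition
}


def make_team_policy(team):
    """Build the policyForDevTeam / policyForOpsTeam document shown above."""
    return {
        "Statement": [
            {"Action": "fc:*", "Effect": "Allow", "Resource": "*",
             "Condition": {"StringEquals": {"fc:tag/team": team}}},
            {"Action": "fc:ListServices", "Effect": "Allow", "Resource": "*"},
            {"Action": "fc:GetResourceTags", "Effect": "Allow", "Resource": "*"},
        ],
        "Version": "1",
    }


def action_matches(pattern, action):
    # "fc:*" is a prefix wildcard; any other pattern must match exactly.
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def condition_holds(condition, resource_tags):
    # Only StringEquals on fc:tag/<key> is modelled; every clause must hold.
    for operator, clauses in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for cond_key, expected in clauses.items():
            if not cond_key.startswith("fc:tag/"):
                raise NotImplementedError(cond_key)
            if resource_tags.get(cond_key[len("fc:tag/"):]) != expected:
                return False
    return True


def is_allowed(policy, action, service_name=None):
    """Allow-list evaluation: some Allow statement must match the action and its
    condition must hold for the service's tags (these policies contain no Deny).
    Account-level calls such as fc:ListServices name no service, so no tags."""
    tags = SERVICES.get(service_name, {})
    return any(stmt["Effect"] == "Allow"
               and action_matches(stmt["Action"], action)
               and condition_holds(stmt.get("Condition", {}), tags)
               for stmt in policy["Statement"])


def visible_services(policy):
    """Services a group member can read once authorization is complete."""
    return sorted(n for n in SERVICES if is_allowed(policy, "fc:GetService", n))
```

Dropping the unconditional fc:ListServices statement from a policy leaves the team unable to list services at all, because the fc:* statement only matches once a tagged service is in scope.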