If Function Compute needs to access other Alibaba Cloud services, such as Object Storage Service (OSS), Log Service, Tablestore, and Message Service (MNS), you must grant the required permissions to Function Compute. Permissions are granted at the service level: after a service is granted specific permissions, all functions in that service have them. This topic describes a sample scenario and how to grant Function Compute permissions to manage OSS.

Prerequisites

Create a service

Sample scenario

When a function is executed, Function Compute may need to access other Alibaba Cloud services. For example, Function Compute needs to write function execution logs to the specified Logstore in Log Service, pull images from Container Registry, or connect to a virtual private cloud (VPC) for data access. To simplify authorization, Function Compute provides the AliyunFCDefaultRole role, whose permissions cover the Alibaba Cloud resources that these operations require. For more information about how to assign this role, see Activate Function Compute. The following policy is attached to this role:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "vpc:DescribeVSwitchAttributes"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:CreateNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:DeleteNetworkInterfacePermission"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:PostLogStoreLogs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cr:GetRepository",
        "cr:GetRepositoryTag",
        "cr:GetAuthorizationToken",
        "cr:PullRepository"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "fc:InvokeFunction",
        "mns:SendMessage",
        "mns:PublishMessage",
        "eventbridge:PutEvents",
        "mq:PUB",
        "mq:OnsInstanceBaseInfo"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

The permissions of the AliyunFCDefaultRole role are coarse-grained. You can also assign other RAM roles or attach related policies to services in Function Compute to grant fine-grained permissions.

For example, suppose you want all functions in a service in Function Compute to have the permissions to manage OSS, but the AliyunFCDefaultRole role does not have these permissions. In this case, when you configure permissions for the service, you must assign a RAM role to the service and attach a policy that grants the permissions to manage OSS to that RAM role. Then, all functions in the service have the permissions to manage OSS. For more information, see Procedure.
Notice The AliyunFCDefaultRole role is assigned to all services. If you want to attach additional policies after the AliyunFCDefaultRole role is assigned, we recommend that you create a separate RAM role and attach the policies to that role rather than to the AliyunFCDefaultRole role.

Procedure

  1. Log on to the Function Compute console.
  2. In the top navigation bar, select a region.
  3. In the left-side navigation pane, click Services and Functions.
  4. On the Services and Functions page, click the service that you require. Then, click the Service Configurations tab. On the Service Configurations tab, click Modify Configuration.
  5. In the Role Config section, set the parameters and click Submit.
    • Create a RAM role
      1. Click Create Role to go to the Role Templates page.
      2. On the Role Templates page, set the Role Name and Role Description parameters, and click Confirm Authorization Policy to go to the Configure Service page in the Function Compute console.
      3. Attach a policy to the RAM role.
        • Attach a new policy
          1. Log on to the Resource Access Management (RAM) console.
          2. Create a policy.
            1. In the left-side navigation pane, click Policies.
            2. On the Policies page, click Create Policy.
            3. On the Create Custom Policy page, set the parameters. For more information, see Policies and sample custom policies.
              The following part describes the parameters:
              • Policy Name: Enter a custom policy name.
              • Configuration Mode: Select Script. In this example, the following policy is used:
                {
                    "Statement": [
                        {
                            "Action": "oss:*",
                            "Effect": "Allow",
                            "Resource": "*"
                        }
                    ],
                    "Version": "1"
                }
            4. Click OK.
          3. In the left-side navigation pane, click RAM Roles.
          4. On the RAM Roles page, enter the name or note of the RAM role in the Enter a role name or note field.
          5. Click the name of the RAM role or find the RAM role and click Add Permissions in the Actions column.
          6. On the Permissions tab, click Add Permissions.
          7. In the Add Permissions panel, click the Custom Policy tab. In the Enter a policy name field, enter the name of the policy.
          8. Click the name of the policy and then OK. Then, click Complete.
        • Attach an existing policy
          1. In the Role Config section, click + Add Policy.
          2. In the Add Policy dialog box, select the policy that you want to attach to the RAM role, such as AliyunOSSFullAccess, from the Select Policy Template drop-down list. Then, click RAM Authorization to go to the Role Templates page.
          3. On the Role Templates page, click Confirm Authorization Policy.
          4. Click Submit.
    • Assign an existing RAM role
      1. In the Role Config section, select the RAM role that you want to assign from the Select Role drop-down list.
      2. Check whether the RAM role has the permissions to manage OSS.
        • If the RAM role has the permissions, click Submit.
        • If the RAM role does not have the permissions, you must attach the corresponding policy by performing the following steps:
          1. In the Policy Details section, click + Add Policy.
          2. In the Add Policy dialog box, select the policy that you want to attach to the RAM role, such as AliyunOSSFullAccess, from the Select Policy Template drop-down list.
          3. Click RAM Authorization.
          4. On the Role Templates page, click Confirm Authorization Policy.
          5. On the Configure Service page in the Function Compute console, click Submit.
          Note If none of the policies that you created grants the permissions to manage OSS, you must create such a policy and attach it to the RAM role. For more information, see Attach a new policy.
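The following is an added example, not code from the Alibaba Cloud documentation, that reads RAM policy documents in the format shown above (the AliyunFCDefaultRole policy and the "oss:*" custom policy), lists the actions each policy allows per service, and flags statements that allow a whole service on every resource so they can be reviewed before a role is attached to a service. The abbreviated default-role policy, the bucket name my-bucket and the two OSS actions in the scoped alternative are constructed assumptions.

```python
import json

# Constructed sample: two statements taken from the AliyunFCDefaultRole policy
# shown above (abbreviated), in the RAM policy format used by Function Compute.
DEFAULT_ROLE_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Action": ["log:PostLogStoreLogs"], "Resource": "*", "Effect": "Allow"},
    {"Action": ["fc:InvokeFunction", "mns:SendMessage"],
     "Resource": "*", "Effect": "Allow"}
  ]
}""")

# The custom policy used in the procedure: every OSS action on every resource.
OSS_FULL_POLICY = {"Version": "1", "Statement": [
    {"Action": "oss:*", "Effect": "Allow", "Resource": "*"}]}

# Assumed least-privilege alternative: only the object operations the function
# needs, scoped to one bucket (bucket name "my-bucket" is a placeholder).
OSS_SCOPED_POLICY = {"Version": "1", "Statement": [
    {"Action": ["oss:GetObject", "oss:PutObject"], "Effect": "Allow",
     "Resource": ["acs:oss:*:*:my-bucket", "acs:oss:*:*:my-bucket/*"]}]}


def _as_list(value):
    # RAM allows Action and Resource to be a single string or a list.
    return value if isinstance(value, list) else [value]


def allowed_actions_by_service(policy):
    """Map service prefix (e.g. "oss") -> sorted allowed actions, Allow statements only."""
    out = {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            service = action.partition(":")[0]
            out.setdefault(service, set()).add(action)
    return {service: sorted(actions) for service, actions in out.items()}


def find_unbounded_statements(policy):
    """Return indexes of Allow statements that combine a wildcard action
    ("*" or "svc:*") with a wildcard resource ("*"); these deserve review."""
    flagged = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        wild_action = any(a == "*" or a.endswith(":*") for a in _as_list(stmt["Action"]))
        wild_resource = any(r == "*" for r in _as_list(stmt["Resource"]))
        if wild_action and wild_resource:
            flagged.append(index)
    return flagged
```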