Alibaba Cloud provides Resource Access Management (RAM) for you to manage permissions for Function Compute. When you use RAM, you do not need to share the AccessKey pair of your Alibaba Cloud account with other users. Instead, you can grant them only the minimal required permissions. An AccessKey pair includes an AccessKey ID and an AccessKey secret. This topic describes the policies for Function Compute, including system policies and custom policies. This topic also provides sample custom policies.

Policy types

In RAM, a policy is a set of permissions that are described based on the policy syntax and structure. A policy accurately describes the authorized resource set, action set, and authorization conditions. The policies for Function Compute include the following types:
  • System policies: policies that are created by Alibaba Cloud. You can use these policies, but cannot modify them. Alibaba Cloud maintains the version updates of the policies.
  • Custom policies: policies that you can create, update, and delete. You maintain the version updates of these policies.

System policies

The following system policies for Function Compute are provided:

  • AliyunFCReadOnlyAccess: the read-only permissions on all Function Compute resources.
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "fc:Get*",
                    "fc:List*"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
  • AliyunFCInvocationAccess: the permissions to invoke all functions.
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "fc:InvokeFunction"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
  • AliyunFCFullAccess: the permissions to manage all Function Compute resources.
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:*",
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }

Custom policies

In addition to the system policies, Function Compute supports custom policies that allow you to grant fine-grained permissions to RAM users. For more information about the elements of a policy, see Policy elements.

The following resources and actions can be used in custom policies for Function Compute:

  • Resource: acs:fc:<region>:<account-id>:services/<serviceName>
    Actions: fc:GetService, fc:UpdateService, fc:DeleteService
    Description: The specified service.
  • Resource: acs:fc:<region>:<account-id>:services/*
    Actions: fc:CreateService, fc:ListServices
    Description: All services.
  • Resource: acs:fc:<region>:<account-id>:services/<serviceName>.<qualifier>
    Actions: fc:GetService
    Description: The service of a specified version.
  • Resource: acs:fc:<region>:<account-id>:services/<serviceName>/functions/<functionName>
    Actions: fc:GetFunction, fc:UpdateFunction, fc:DeleteFunction, fc:InvokeFunction
    Description: The specified function in a specified service.
  • Resource: acs:fc:<region>:<account-id>:services/<serviceName>/functions/*
    Actions: fc:CreateFunction, fc:ListFunctions
    Description: All functions in a specified service.
  • Resource: acs:fc:<region>:<account-id>:services/<serviceName>.*/functions/<functionName>
    Actions: fc:GetFunction, fc:UpdateFunction, fc:DeleteFunction, fc:InvokeFunction, fc:PutProvisionConfig, fc:GetProvisionConfig, fc:PutFunctionOnDemandConfig, fc:DeleteFunctionOnDemandConfig, fc:PutFunctionAsyncInvokeConfig, fc:DeleteFunctionAsyncInvokeConfig, fc:GetFunctionAsyncInvokeConfig, fc:GetFunctionOnDemandConfig
    Description: All functions of all versions for a specified service.
  • Resource: acs:fc:<region>:<account-id>:services/<serviceName>/functions/<functionName>/triggers/<triggerName>
    Actions: fc:GetTrigger, fc:UpdateTrigger, fc:DeleteTrigger
    Description: The specified trigger of a specified function in a specified service.
  • Resource: acs:fc:<region>:<account-id>:services/<serviceName>/functions/<functionName>/triggers/*
    Actions: fc:CreateTrigger, fc:ListTriggers
    Description: All triggers of a specified function in a specified service.
  • Resource: acs:fc:<region>:<account-id>:services/<serviceName>/versions
    Actions: fc:PublishServiceVersion, fc:ListServiceVersions
    Description: All service versions.
  • Resource: acs:fc:<region>:<account-id>:services/<serviceName>/versions/<versionID>
    Actions: fc:DeleteServiceVersion
    Description: The specified service version.
  • Resource: acs:fc:<region>:<account-id>:services/<serviceName>/aliases/*
    Actions: fc:CreateAlias, fc:ListAliases
    Description: All service aliases.
  • Resource: acs:fc:<region>:<account-id>:services/<serviceName>/aliases/<aliasName>
    Actions: fc:GetAlias, fc:UpdateAlias, fc:DeleteAlias
    Description: The specified service alias.
  • Resource: acs:fc:<region>:<account-id>:custom-domains/*
    Actions: fc:CreateCustomDomain, fc:ListCustomDomains
    Description: All custom domain names.
  • Resource: acs:fc:<region>:<account-id>:custom-domains/<domainName>
    Actions: fc:GetCustomDomain, fc:UpdateCustomDomain, fc:DeleteCustomDomain
    Description: The specified custom domain name.
  • Resource: acs:fc:<region>:<account-id>:tag
    Actions: fc:TagResource, fc:GetResourceTags, fc:UnTagResource
    Description: A single tag.
  • Resource: acs:fc:<region>:<account-id>:tags/*
    Actions: fc:ListTaggedResources
    Description: All tags.
  • Resource: acs:fc:<region>:<account-id>:account-settings/*
    Actions: fc:GetAccountSettings
    Description: The settings of your account.
  • Resource: acs:fc:<region>:<account-id>:layerarn/<arn>
    Actions: fc:GetLayerVersionByArn
    Description: All layers.
  • Resource: acs:fc:<region>:<account-id>:layers/*
    Actions: fc:ListLayers
    Description: All layers.
  • Resource: acs:fc:<region>:<account-id>:layers/<layerName>/versions/<version>
    Actions: fc:PublishLayerAsPublic
    Description: All layers.
  • Resource: acs:fc:<region>:<account-id>:layers/<layerName>/versions/*
    Actions: fc:ListLayerVersions, fc:CreateLayerVersion
    Description: All layer versions.
  • Resource: acs:fc:<region>:<account-id>:layers/<layerName>/versions/<version>
    Actions: fc:GetLayerVersion, fc:DeleteLayerVersion
    Description: All layer versions.
  • Resource: acs:fc:<region>:<account-id>:on-demand-configs/*
    Actions: fc:ListOnDemandConfigs
    Description: The on-demand configurations.
  • Resource: acs:fc:<region>:<account-id>:provision-configs/*
    Actions: fc:ListProvisionConfigs
    Description: The provisioned configurations.
  • Resource: acs:fc:<region>:<account-id>:services/<serviceName>/binding
    Actions: fc:DeleteVpcBinding
    Description: The VPC configuration.
  • Resource: acs:fc:<region>:<account-id>:services/<serviceName>/binding/*
    Actions: fc:CreateVpcBinding, fc:ListVpcBindings
    Description: The VPC configuration.
  • Resource: acs:fc:<region>:<account-id>:services/<serviceName>/functions/<functionName>/async-invoke-configs/*
    Actions: fc:ListFunctionAsyncInvokeConfigs
    Description: The asynchronous invocation configurations.
  • Resource: acs:fc:<region>:<account-id>:services/<serviceName>/functions/<functionName>/code
    Actions: fc:GetFunctionCode
    Description: All function code.
  • Resource: acs:fc:<region>:<account-id>:services/<serviceName>/functions/<functionName>/stateful-async-invocations/*
    Actions: fc:ListStatefulAsyncInvocations
    Description: The stateful asynchronous invocation.
  • Resource: acs:fc:<region>:<account-id>:services/<serviceName>/functions/<functionName>/stateful-async-invocations/<invocationId>
    Actions: fc:GetStatefulAsyncInvocation, fc:StopStatefulAsyncInvocation
    Description: The stateful asynchronous invocation.
You can use the preceding actions and resources to define the following custom policy that is used to grant the permissions to invoke the demo function in the test service in the China (Hangzhou) region.
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "fc:InvokeFunction"
            ],
            "Resource": "acs:fc:cn-hangzhou:*:services/test/functions/demo",
            "Effect": "Allow"
        }
    ]
}
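To see what the policies on this page actually grant, the following added example (not code from the page or from Alibaba Cloud) evaluates a request against a set of RAM policy documents: it expands the "*" wildcard in Action and Resource, denies by default, and applies RAM's rule that an explicit Deny overrides any Allow. The two policies embedded are the AliyunFCReadOnlyAccess system policy and the custom invoke policy above; the account ID in the sample ARNs is a constructed placeholder, and Condition elements are not modelled.

```python
import json
import re
from typing import Any, Dict, List

# Policies copied from the page: the AliyunFCReadOnlyAccess system policy and
# the custom policy that only allows invoking test/demo in cn-hangzhou.
FC_READ_ONLY = json.loads('{"Version": "1", "Statement": [{"Action": '
                          '["fc:Get*", "fc:List*"], "Resource": "*", "Effect": "Allow"}]}')
INVOKE_DEMO_ONLY = json.loads('{"Version": "1", "Statement": [{"Action": '
                              '["fc:InvokeFunction"], "Resource": '
                              '"acs:fc:cn-hangzhou:*:services/test/functions/demo", '
                              '"Effect": "Allow"}]}')


def _as_list(value: Any) -> List[str]:
    """Action and Resource may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def _glob_match(pattern: str, value: str) -> bool:
    """'*' in a policy pattern matches any run of characters, including ':'
    and '/'; everything else is compared literally (case-sensitive here,
    which is a simplification made by this example)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def is_allowed(policies: List[Dict[str, Any]], action: str, resource: str) -> bool:
    """Decide one request against all attached policies: deny by default,
    and an explicit Deny overrides every Allow. Condition elements are
    ignored (an assumption of this example)."""
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            action_hit = any(_glob_match(a, action) for a in _as_list(stmt["Action"]))
            resource_hit = any(_glob_match(r, resource) for r in _as_list(stmt["Resource"]))
            if not (action_hit and resource_hit):
                continue
            if stmt.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed ARNs; 123456789012 is a placeholder account ID.
    demo = "acs:fc:cn-hangzhou:123456789012:services/test/functions/demo"
    other = "acs:fc:cn-hangzhou:123456789012:services/test/functions/other"
    print(is_allowed([FC_READ_ONLY], "fc:GetFunction", demo))         # True
    print(is_allowed([FC_READ_ONLY], "fc:InvokeFunction", demo))      # False
    print(is_allowed([INVOKE_DEMO_ONLY], "fc:InvokeFunction", demo))  # True
    print(is_allowed([INVOKE_DEMO_ONLY], "fc:InvokeFunction", other)) # False
```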

Sample custom policies

Custom policy used to grant the permissions to create and query services, and create and invoke functions

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "fc:CreateService",
                "fc:GetService",
                "fc:CreateFunction",
                "fc:GetFunction",
                "fc:InvokeFunction"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Custom policy used to grant the permissions to access logs

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "log:ListProject",
                "log:ListLogStore"
            ],
            "Resource": "acs:log:*:*:project/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ram:ListRoles"
            ],
            "Resource": [
                "acs:ram:*:*:role/*"
            ]
        }
    ]
}

Custom policy used to grant the permissions to access Object Storage Service (OSS) event triggers

{
  "Statement": [
    {
      "Action": [
        "oss:ListBucket",
        "oss:GetBucketEventNotification",
        "oss:PutBucketEventNotification",
        "oss:DeleteBucketEventNotification"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}