This topic describes the permission configurations that are required when you authorize RAM users to use the non-YAML mode of the FC component.
deploy commands
For more information about the configurations of the permissions required to run deploy commands, see the following sections of the Permission configurations topic for the YAML mode:
remove commands
Attach one of the following policies to a RAM user as required to authorize the RAM user to run one or more commands:
- The AliyunFCFullAccess system policy
- Custom policies or the AliyunFCReadOnlyAccess system policy:
{ "Version": "1", "Statement": [ { "Action": [ "fc:ListOnDemandConfigs", "fc:DeleteFunctionOnDemandConfig", "fc:ListProvisionConfigs", "fc:PutProvisionConfig", "fc:ListAliases", "fc:DeleteAlias", "fc:ListServiceVersions", "fc:DeleteServiceVersion", "fc:ListTriggers", "fc:DeleteTrigger", "fc:ListFunctions", "fc:DeleteFunction", "fc:DeleteService" ], "Effect": "Allow", "Resource": "*" } ] }
{ "Version": "1", "Statement": [ { "Action": [ "fc:DeleteTrigger", "fc:DeleteFunction", "fc:DeleteService" ], "Effect": "Allow", "Resource": "*" } ] }
{ "Version": "1", "Statement": [ { "Action": [ "fc:ListTriggers", "fc:DeleteTrigger", "fc:DeleteFunction" ], "Effect": "Allow", "Resource": "*" } ] }
{ "Version": "1", "Statement": [ { "Action": [ "fc:DeleteTrigger" ], "Effect": "Allow", "Resource": "*" } ] }
- System policy: AliyunFCReadOnlyAccess
- Custom policy:
{ "Version": "1", "Statement": [ { "Action": "fc:DeleteAlias", "Effect": "Allow", "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>/aliases/<aliasName>" } ] }
- System policy: AliyunFCReadOnlyAccess
- Custom policy:
{ "Version": "1", "Statement": [ { "Action": "fc:DeleteServiceVersion", "Effect": "Allow", "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>/versions/<version-id>" } ] }
- System policy: AliyunFCReadOnlyAccess
- Custom policy:
{ "Version": "1", "Statement": [ { "Action": "fc:PutProvisionConfig", "Effect": "Allow", "Resource": "acs:fc:<region>:<account-id>:services/services/<serviceName>.<qualifier>/functions/<functionName>" } ] }
- System policy: AliyunFCReadOnlyAccess
- Custom policy:
{ "Version": "1", "Statement": [ { "Action": "fc:DeleteFunctionOnDemandConfig", "Effect": "Allow", "Resource": "acs:fc:<region>:<account-id>:services/services/<serviceName>.<qualifier>/functions/<functionName>" } ] }
- System policy: AliyunFCReadOnlyAccess
- Custom policy:
{ "Version": "1", "Statement": [ { "Action": "fc:DeleteLayerVersion", "Effect": "Allow", "Resource": "acs:fc:<region>:<account-id>:layers/<layerName>/versions/*" } ] }
- System policy:
info and sync commands
To authorize a RAM user to run info or sync commands, attach the AliyunFCReadOnlyAccess system policy to the RAM user.
build and local commands
build and local commands involve only on-premises resources. No permissions on cloud resources are required.
invoke commands
Attach one of the following policies to a RAM user as required to authorize the RAM user to run one or more commands:
- The AliyunFCInvocationAccess or AliyunFCFullAccess system policy. These two system policies grant the highest level of permissions.
- Custom policy that grants the lowest level of permissions:
{ "Version": "1", "Statement": [ { "Action": "fc:InvokeFunction", "Effect": "Allow", "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>.<qualifier>/functions/<functionName>" } ] }
logs commands
Attach one of the following policies to a RAM user as required to authorize the RAM user to run one or more commands:
- The AliyunFCReadOnlyAccess or AliyunLogReadOnlyAccess system policy. These two system policies grant the highest level of permissions.
- Custom policy that grants the lowest level of permissions:
{ "Version": "1", "Statement": [ { "Action": "fc:GetService", "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>", "Effect": "Allow" }, { "Action": "log:GetLogStoreLogs", "Effect": "Allow", "Resource": "acs:log:<region>:<account-id>:project/<project>/logstore/<logstore>" } ] }
metrics commands
To authorize a RAM user to run metrics commands, attach the following system policies to the RAM user:
AliyunLogFullAccess
AliyunCloudMonitorReadOnlyAccess
AliyunFCReadOnlyAccess
nas commands
For more information about the configurations of the permissions required to run nas commands, see the description of NAS-related configurations in the Configurations of permissions on services section.
layer commands
Attach one of the following policies to a RAM user as required to authorize the RAM user to run one or more commands:
- Run the list, versions, and versionConfig commands: the AliyunFCReadOnlyAccess system policy
- Run the publish command: custom policy
{ "Version": "1", "Statement": [ { "Action": "fc:CreateLayerVersion", "Effect": "Allow", "Resource": "acs:fc:<region>:<account-id>:layers/<layerName>/versions/*" } ] }
version commands
Attach one of the following policies to a RAM user as required to authorize the RAM user to run the relevant command:
- Run the list command: the AliyunFCReadOnlyAccess system policy
- Run the publish command: custom policy
{ "Version": "1", "Statement": [ { "Action": "fc:PublishServiceVersion", "Effect": "Allow", "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>/versions" } ] }
alias commands
Attach one of the following policies to a RAM user as required to authorize the RAM user to run the relevant command:
- Run the list command: the AliyunFCReadOnlyAccess system policy
- Run the publish command: custom policy
{ "Version": "1", "Statement": [ { "Action": [ "fc:CreateAlias", "fc:UpdateAlias" ], "Effect": "Allow", "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>/aliases/*" } ] }
provision commands
Attach one of the following policies to a RAM user as required to authorize the RAM user to run one or more commands:
- Run the list and get commands: the AliyunFCReadOnlyAccess system policy
- Run the put command: custom policy
{ "Version": "1", "Statement": [ { "Action": "fc:PutProvisionConfig", "Effect": "Allow", "Resource": "acs:fc:<region>:<account-id>:services/services/<serviceName>.<qualifier>/functions/<functionName>" } ] }
onDemand commands
Attach one of the following policies to a RAM user as required to authorize the RAM user to run one or more commands:
- Run the list and get commands: the AliyunFCReadOnlyAccess system policy
- Run the put command: custom policy
{ "Version": "1", "Statement": [ { "Action": "fc:PutFunctionOnDemandConfig", "Effect": "Allow", "Resource": "acs:fc:<region>:<account-id>:services/services/<serviceName>.<qualifier>/functions/<functionName>" } ] }
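The custom policies in this topic use two resource scopes: some remove policies allow delete actions on "Resource": "*", while the alias, version and invoke policies name a single resource. The following Python check is an added example, not part of the original documentation; it flags Allow statements that grant a state-changing action on a wildcard resource. The prefix list and all function names are assumptions of this example.

```python
import json

# Action-name prefixes treated as state-changing: an assumption of this example.
MUTATING_PREFIXES = ("Delete", "Put", "Create", "Update", "Publish")

# Two policies copied from this topic: one with "*", one with a scoped ARN.
WILDCARD_REMOVE = """{ "Version": "1", "Statement": [ { "Action": [ "fc:DeleteTrigger",
  "fc:DeleteFunction", "fc:DeleteService" ], "Effect": "Allow", "Resource": "*" } ] }"""
SCOPED_ALIAS = """{ "Version": "1", "Statement": [ { "Action": "fc:DeleteAlias",
  "Effect": "Allow",
  "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>/aliases/<aliasName>" } ] }"""


def as_list(value):
    """Action, Resource and Statement may each be a single item or a list."""
    return list(value) if isinstance(value, list) else [value]


def is_mutating(action):
    """True for names such as fc:DeleteService, and for fc:* or *."""
    name = action.split(":", 1)[-1]
    return name == "*" or name.startswith(MUTATING_PREFIXES)


def is_wildcard(resource):
    """True for "*" or an ARN whose resource part is only "*"."""
    return resource.split(":", 4)[-1] == "*"


def audit(policy_text):
    """Return (statement index, action, resource) for every Allow statement
    that grants a state-changing action on a wildcard resource."""
    findings = []
    statements = as_list(json.loads(policy_text).get("Statement", []))
    for index, statement in enumerate(statements):
        if statement.get("Effect") != "Allow":
            continue
        for action in as_list(statement.get("Action", [])):
            for resource in as_list(statement.get("Resource", [])):
                if is_mutating(action) and is_wildcard(resource):
                    findings.append((index, action, resource))
    return findings


if __name__ == "__main__":
    for label, text in (("wildcard remove", WILDCARD_REMOVE), ("scoped alias", SCOPED_ALIAS)):
        print(label, audit(text))
```

A layer ARN ending in versions/* is not flagged, because it is still limited to one layer.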