This topic describes the permission configurations that are required when you authorize RAM users to use the non-YAML mode of the FC component.

deploy commands

For more information about the configurations of the permissions required to run deploy commands, see the following sections of the Permission configurations topic for the YAML mode:

remove commands

Attach one of the following policies to a RAM user as required to authorize the RAM user to run one or more commands:

  • The AliyunFCFullAccess system policy
  • Custom policies or the AliyunFCReadOnlyAccess system policy:
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "fc:ListOnDemandConfigs",
                    "fc:DeleteFunctionOnDemandConfig",
                    "fc:ListProvisionConfigs",
                    "fc:PutProvisionConfig",
                    "fc:ListAliases",
                    "fc:DeleteAlias",
                    "fc:ListServiceVersions",
                    "fc:DeleteServiceVersion",
                    "fc:ListTriggers",
                    "fc:DeleteTrigger",
                    "fc:ListFunctions",
                    "fc:DeleteFunction",
                    "fc:DeleteService"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
    
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "fc:DeleteTrigger",
                    "fc:DeleteFunction",
                    "fc:DeleteService"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
    
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "fc:ListTriggers",
                    "fc:DeleteTrigger",
                    "fc:DeleteFunction"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]   
    }
    
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "fc:DeleteTrigger"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
    
    • System policy: AliyunFCReadOnlyAccess
    • Custom policy:
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "fc:DeleteAlias",
                  "Effect": "Allow",
                  "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>/aliases/<aliasName>"
              }
          ]
      }
      
    • System policy: AliyunFCReadOnlyAccess
    • Custom policy:
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "fc:DeleteServiceVersion",
                  "Effect": "Allow",
                  "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>/versions/<version-id>"
              }
          ]
      }
      
    • System policy: AliyunFCReadOnlyAccess
    • Custom policy:
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "fc:PutProvisionConfig",
                  "Effect": "Allow",
                  "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>.<qualifier>/functions/<functionName>"
              }
          ]
      }
      
    • System policy: AliyunFCReadOnlyAccess
    • Custom policy:
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "fc:DeleteFunctionOnDemandConfig",
                  "Effect": "Allow",
                  "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>.<qualifier>/functions/<functionName>"
              }
          ]
      }
      
    • System policy: AliyunFCReadOnlyAccess
    • Custom policy:
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "fc:DeleteLayerVersion",
                  "Effect": "Allow",
                  "Resource": "acs:fc:<region>:<account-id>:layers/<layerName>/versions/*"
              }
          ]
      }
      

info and sync commands

To authorize a RAM user to run info or sync commands, attach the AliyunFCReadOnlyAccess system policy to the RAM user.

build and local commands

The build and local commands involve only on-premises resources. No permissions on cloud resources are required.

invoke commands

Attach one of the following policies to a RAM user as required to authorize the RAM user to run one or more commands:

  • The AliyunFCInvocationAccess or AliyunFCFullAccess system policy. These two system policies grant the highest level of permissions.
  • Custom policy that grants the lowest level of permissions:
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:InvokeFunction",
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>.<qualifier>/functions/<functionName>"
            }
        ]
    }
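
The following is an added example, not part of the original documentation: a Python check that fills the `<...>` placeholders used in the resource strings on this page and audits a policy document for the two mistakes that matter when moving from the system policies to the custom ones, a bare `"Resource": "*"` on a sensitive action (as in the remove policies above) and a placeholder left unfilled. The function names, the list of sensitive action prefixes and all sample values are assumptions made for the example.

```python
import json
import re

# Action-name prefixes treated as sensitive (assumption made for this example).
SENSITIVE = ("Delete", "Put", "Create", "Update", "Publish", "Invoke")
PLACEHOLDER = re.compile(r"<[A-Za-z-]+>")


def as_list(value):
    """RAM policies accept a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def render(template, **values):
    """Fill <name> placeholders; <account-id> is passed as account_id."""
    def sub(match):
        key = match.group(0)[1:-1].replace("-", "_")
        return str(values.get(key, match.group(0)))
    return PLACEHOLDER.sub(sub, template)


def audit(policy):
    """Return (statement index, finding) pairs for the Allow statements."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        resources = as_list(stmt["Resource"])
        risky = [a for a in as_list(stmt["Action"])
                 if a.split(":", 1)[-1].startswith(SENSITIVE)]
        # Only a bare "*" is flagged; scoped patterns such as ".../versions/*" pass.
        if "*" in resources and risky:
            findings.append((i, "wildcard resource with " + ", ".join(risky)))
        for r in resources:
            if PLACEHOLDER.search(r):
                findings.append((i, "unfilled placeholder in " + r))
    return findings


# Constructed sample: the invoke policy from this page with made-up values.
TEMPLATE = ("acs:fc:<region>:<account-id>:services/"
            "<serviceName>.<qualifier>/functions/<functionName>")
SCOPED = {"Version": "1", "Statement": [{
    "Action": "fc:InvokeFunction", "Effect": "Allow",
    "Resource": render(TEMPLATE, region="cn-hangzhou", account_id="1234567890123456",
                       serviceName="demo-svc", qualifier="LATEST", functionName="hello")}]}
# Constructed sample: the single-action remove policy from this page, unchanged.
BROAD = {"Version": "1", "Statement": [{
    "Action": ["fc:DeleteTrigger"], "Effect": "Allow", "Resource": "*"}]}

if __name__ == "__main__":
    for name, doc in (("scoped", SCOPED), ("broad", BROAD)):
        print(name, json.dumps(audit(doc)))
```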

logs commands

Attach one of the following policies to a RAM user as required to authorize the RAM user to run one or more commands:

  • The AliyunFCReadOnlyAccess or AliyunLogReadOnlyAccess system policy. These two system policies grant the highest level of permissions.
  • Custom policy that grants the lowest level of permissions:
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:GetService",
                "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>",
                "Effect": "Allow"
            },                
            {
                "Action": "log:GetLogStoreLogs",
                "Effect": "Allow",
                "Resource": "acs:log:<region>:<account-id>:project/<project>/logstore/<logstore>"
            }
        ]
    }

metrics commands

To authorize a RAM user to run metrics commands, attach the following system policies to the RAM user:

  • AliyunLogFullAccess
  • AliyunCloudMonitorReadOnlyAccess
  • AliyunFCReadOnlyAccess

nas commands

For more information about the configurations of the permissions required to run nas commands, see the description of NAS-related configurations in the Configurations of permissions on services section.

layer commands

Attach one of the following policies to a RAM user as required to authorize the RAM user to run one or more commands:

  • Run the list, versions, and versionConfig commands: the AliyunFCReadOnlyAccess system policy
  • Run the publish command: custom policy
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:CreateLayerVersion",
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<account-id>:layers/<layerName>/versions/*"
            }
        ]
    }

version commands

Attach one of the following policies to a RAM user as required to authorize the RAM user to run the relevant command:

  • Run the list command: the AliyunFCReadOnlyAccess system policy
  • Run the publish command: custom policy
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:PublishServiceVersion",
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>/versions"
            }
        ]
    }

alias commands

Attach one of the following policies to a RAM user as required to authorize the RAM user to run the relevant command:

  • Run the list command: the AliyunFCReadOnlyAccess system policy
  • Run the publish command: custom policy
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                  "fc:CreateAlias",
                  "fc:UpdateAlias"
                ],
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>/aliases/*"
            }
        ]
    }

provision commands

Attach one of the following policies to a RAM user as required to authorize the RAM user to run one or more commands:

  • Run the list and get commands: the AliyunFCReadOnlyAccess system policy
  • Run the put command: custom policy
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:PutProvisionConfig",
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>.<qualifier>/functions/<functionName>"
            }
        ]
    }

onDemand commands

Attach one of the following policies to a RAM user as required to authorize the RAM user to run one or more commands:

  • Run the list and get commands: the AliyunFCReadOnlyAccess system policy
  • Run the put command: custom policy
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:PutFunctionOnDemandConfig",
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>.<qualifier>/functions/<functionName>"
            }
        ]
    }