This topic describes the permission configurations that may be required when you authorize RAM users to use the command mode of the FC component.

deploy commands

For more information about the configurations of the permissions required to run deploy commands, see the following sections of the Permission configurations topic for the YAML mode:

remove commands

Attach one of the following policies to a RAM user as required to authorize the RAM user to run one or more commands:

  • The AliyunFCFullAccess system policy
  • Custom policies or the AliyunFCReadOnlyAccess system policy:
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "fc:ListOnDemandConfigs",
                    "fc:DeleteFunctionOnDemandConfig",
                    "fc:ListProvisionConfigs",
                    "fc:PutProvisionConfig",
                    "fc:ListAliases",
                    "fc:DeleteAlias",
                    "fc:ListServiceVersions",
                    "fc:DeleteServiceVersion",
                    "fc:ListTriggers",
                    "fc:DeleteTrigger",
                    "fc:ListFunctions",
                    "fc:DeleteFunction",
                    "fc:DeleteService"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
    
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "fc:DeleteTrigger",
                    "fc:DeleteFunction",
                    "fc:DeleteService"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
    
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "fc:ListTriggers",
                    "fc:DeleteTrigger",
                    "fc:DeleteFunction"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]   
    }
    
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "fc:DeleteTrigger"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
    
    • System policy: AliyunFCReadOnlyAccess
    • Custom policy:
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "fc:DeleteAlias",
                  "Effect": "Allow",
                  "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>/aliases/<aliasName>"
              }
          ]
      }
      
    • System policy: AliyunFCReadOnlyAccess
    • Custom policy:
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "fc:DeleteServiceVersion",
                  "Effect": "Allow",
                  "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>/versions/<version-id>"
              }
          ]
      }
      
    • System policy: AliyunFCReadOnlyAccess
    • Custom policy:
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "fc:PutProvisionConfig",
                  "Effect": "Allow",
                  "Resource": "acs:fc:<region>:<account-id>:services/services/<serviceName>.<qualifier>/functions/<functionName>"
              }
          ]
      }
      
    • System policy: AliyunFCReadOnlyAccess
    • Custom policy:
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "fc:DeleteFunctionOnDemandConfig",
                  "Effect": "Allow",
                  "Resource": "acs:fc:<region>:<account-id>:services/services/<serviceName>.<qualifier>/functions/<functionName>"
              }
          ]
      }
      
    • System policy: AliyunFCReadOnlyAccess
    • Custom policy:
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "fc:DeleteLayerVersion",
                  "Effect": "Allow",
                  "Resource": "acs:fc:<region>:<account-id>:layers/<layerName>/versions/*"
              }
          ]
      }
      

info and sync commands

To authorize a RAM user to run info or sync commands, attach the AliyunFCReadOnlyAccess system policy to the RAM user.

build and local commands

build and local commands involve only on-premises resources. No permissions on cloud resources are required.

invoke commands

Attach one of the following policies to a RAM user as required to authorize the RAM user to run one or more commands:

  • The AliyunFCInvocationAccess or AliyunFCFullAccess system policy. These two system policies grant the highest level of permissions.
  • Custom policy that grants the lowest level of permissions:
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:InvokeFunction",
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>.<qualifier>/functions/<functionName>"
            }
        ]
    }

logs commands

Attach one of the following policies to a RAM user as required to authorize the RAM user to run one or more commands:

  • The AliyunFCReadOnlyAccess or AliyunLogReadOnlyAccess system policy. These two system policies grant the highest level of permissions.
  • Custom policy that grants the lowest level of permissions:
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:GetService",
                "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>",
                "Effect": "Allow"
            },                
            {
                "Action": "log:GetLogStoreLogs",
                "Effect": "Allow",
                "Resource": "acs:log:<region>:<account-id>:project/<project>/logstore/<logstore>"
            }
        ]
    }

metrics commands

To authorize a RAM user to run metrics commands, attach the following system policies to the RAM user:

  • AliyunLogFullAccess
  • AliyunCloudMonitorReadOnlyAccess
  • AliyunFCReadOnlyAccess

nas commands

For more information about the configurations of the permissions required to run nas commands, see the description of NAS-related configurations in the Configurations of permissions on services section.

layer commands

Attach one of the following policies to a RAM user as required to authorize the RAM user to run one or more commands:

  • Run the list, versions, and versionConfig commands: the AliyunFCReadOnlyAccess system policy
  • Run the publish command: custom policy
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:CreateLayerVersion",
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<account-id>:layers/<layerName>/versions/*"
            }
        ]
    }

version commands

Attach one of the following policies to a RAM user as required to authorize the RAM user to run the relevant command:

  • Run the list command: the AliyunFCReadOnlyAccess system policy
  • Run the publish command: custom policy
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:PublishServiceVersion",
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>/versions"
            }
        ]
    }

alias commands

Attach one of the following policies to a RAM user as required to authorize the RAM user to run the relevant command:

  • Run the list command: the AliyunFCReadOnlyAccess system policy
  • Run the publish command: custom policy
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                  "fc:CreateAlias",
                  "fc:UpdateAlias"
                ],
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>/aliases/*"
            }
        ]
    }

provision commands

Attach one of the following policies to a RAM user as required to authorize the RAM user to run one or more commands:

  • Run the list and get commands: the AliyunFCReadOnlyAccess system policy
  • Run the put command: custom policy
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:PutProvisionConfig",
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<account-id>:services/services/<serviceName>.<qualifier>/functions/<functionName>"
            }
        ]
    }

onDemand commands

Attach one of the following policies to a RAM user as required to authorize the RAM user to run one or more commands:

  • Run the list and get commands: the AliyunFCReadOnlyAccess system policy
  • Run the put command: custom policy
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:PutFunctionOnDemandConfig",
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<account-id>:services/services/<serviceName>.<qualifier>/functions/<functionName>"
            }
        ]
    }