This topic describes the permission configurations that may be required when you authorize RAM users to use the YAML mode of the FC component.

Configurations of permissions on services

service:
    name: unit-deploy-service
    description: 'demo for fc-deploy component'
    internetAccess: true
Permissions to be granted to RAM users
  • Highest level of permissions (granted by using a system policy)

    AliyunFCFullAccess

  • Lowest level of permissions on deploy operations (granted by using a custom policy)
    Note The fc:GetService permission is optional.
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:CreateService",
                "Resource": "acs:fc:<region>:<accountId>:services/*",
                "Effect": "Allow"
            },
            {
                "Action": "fc:UpdateService",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                "Effect": "Allow"
            },
            {
                "Action": "fc:GetService",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                "Effect": "Allow"
            }
        ]
    }
    
  • Lowest level of permissions on delete operations (granted by using a custom policy)
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:DeleteService",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                "Effect": "Allow"
            }
        ]
    }
    
service:
    name: unit-deploy-service
    description: 'demo for fc-deploy component'
    internetAccess: true
    role: <role-arn> # Specify the Alibaba Cloud Resource Name (ARN) of the configured service-linked role. For more information about permissions configurations, see the following description of permissions to be granted to the service-linked role. 
    # logConfig: auto
    logConfig:
        project: XXX
        logstore: XXX
Note If the logConfig parameter is set to auto, the value of the project parameter is in the format of {accountID}-{region}-logproject, and the value of the logstore parameter is fc-service-{serviceName}-logstore converted to lowercase, that is, 'fc-service-{serviceName}-logstore'.toLocaleLowerCase().
Permissions to be granted to RAM users
  • Highest level of permissions (granted by using one or more system policies)

    AliyunFCFullAccess and AliyunLogFullAccess

  • Lowest level of permissions (granted by using a custom policy)
    • Custom policy that can be used when the logConfig parameter is not set to auto
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "fc:CreateService",
                  "Resource": "acs:fc:<region>:<accountId>:services/*",
                  "Effect": "Allow"
              },
              {
                  "Action": "fc:UpdateService",
                  "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                  "Effect": "Allow"
              },
              {
                  "Action": "fc:GetService",
                  "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                  "Effect": "Allow"
              },
              {
                  "Action": "ram:PassRole",
                  "Effect": "Allow",
                  "Resource": "*"
              }
          ]
      }
      
    • Custom policy that can be used when the logConfig parameter is set to auto
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "fc:CreateService",
                  "Resource": "acs:fc:<region>:<accountId>:services/*",
                  "Effect": "Allow"
              },
              {
                  "Action": "fc:UpdateService",
                  "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                  "Effect": "Allow"
              },
              {
                  "Action": "fc:GetService",
                  "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                  "Effect": "Allow"
              },
              {
                  "Action": "ram:PassRole",
                  "Effect": "Allow",
                  "Resource": "*"
              },
              {
                  "Action": [
                      "log:GetProject",
                      "log:CreateProject"
                  ],
                  "Resource": "acs:log:<region>:<accountId>:project/<projectName>",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "log:CreateLogStore",
                      "log:GetIndex",
                      "log:GetLogStore",
                      "log:CreateIndex"
                  ],
                  "Resource": "acs:log:<region>:<accountId>:project/<projectName>/logstore/<logstoreName>",
                  "Effect": "Allow"
              }
          ]
      }
      
  • Permissions to be granted to the service-linked role
    • Highest level of permissions (granted by using a system policy)

      AliyunLogFullAccess

    • Lowest level of permissions (granted by using a custom policy)
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "log:PostLogStoreLogs",
                  "Resource": "acs:log:<region>:<accountId>:project/<projectName>/logstore/<logstoreName>",
                  "Effect": "Allow"
              }
          ]
      }
      
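As an added example (not code from the fc component or its documentation), the following script builds the RAM user deploy policy for a service block like the one above: it resolves the placeholders, derives the project and logstore names from the rule in the Note when logConfig is auto, and then audits the result for unfilled placeholders and wildcard resources. The function names, the sample account ID and the wildcard check are assumptions of this example, not part of the component.

```javascript
// Added example, not part of the fc component: render and audit the least-privilege
// service deploy policy described above. All names below are hypothetical.

function autoLogNames(accountId, region, serviceName) {
  // Naming rule used when logConfig is set to auto (see the Note above).
  return {
    project: `${accountId}-${region}-logproject`,
    logstore: `fc-service-${serviceName}-logstore`.toLocaleLowerCase(),
  };
}

function serviceDeployStatements(region, accountId, serviceName) {
  // CreateService needs services/*, the rest can be scoped to the one service.
  const svc = `acs:fc:${region}:${accountId}:services/${serviceName}`;
  return [
    { Action: 'fc:CreateService', Resource: `acs:fc:${region}:${accountId}:services/*`, Effect: 'Allow' },
    { Action: 'fc:UpdateService', Resource: svc, Effect: 'Allow' },
    { Action: 'fc:GetService', Resource: svc, Effect: 'Allow' },
  ];
}

function buildServiceDeployPolicy({ region, accountId, service }) {
  const stmts = serviceDeployStatements(region, accountId, service.name);
  if (service.role) {
    // A service with a role needs ram:PassRole; the templates above grant it on "*".
    stmts.push({ Action: 'ram:PassRole', Effect: 'Allow', Resource: '*' });
  }
  if (service.logConfig === 'auto') {
    // Log Service statements are only needed when the component creates the
    // project and logstore itself.
    const { project, logstore } = autoLogNames(accountId, region, service.name);
    const proj = `acs:log:${region}:${accountId}:project/${project}`;
    stmts.push(
      { Action: ['log:GetProject', 'log:CreateProject'], Resource: proj, Effect: 'Allow' },
      {
        Action: ['log:CreateLogStore', 'log:GetIndex', 'log:GetLogStore', 'log:CreateIndex'],
        Resource: `${proj}/logstore/${logstore}`,
        Effect: 'Allow',
      },
    );
  }
  return { Version: '1', Statement: stmts };
}

// Audit a policy before attaching it: report template placeholders that were
// never filled in and statements whose Resource is the bare wildcard "*".
function auditPolicy(policy) {
  const findings = [];
  for (const s of policy.Statement) {
    const actions = [].concat(s.Action);
    for (const r of [].concat(s.Resource)) {
      if (/<[A-Za-z]+>/.test(r)) findings.push(`unfilled placeholder in ${r}`);
      if (r === '*') findings.push(`wildcard Resource for ${actions.join(',')}`);
    }
  }
  return findings;
}

// Constructed sample input mirroring the YAML above (account ID is made up).
const samplePolicy = buildServiceDeployPolicy({
  region: 'cn-hangzhou',
  accountId: '123456789012',
  service: { name: 'Unit-Deploy-Service', role: 'acs:ram::123456789012:role/fc-role', logConfig: 'auto' },
});
console.log(JSON.stringify(samplePolicy, null, 2));
console.log(auditPolicy(samplePolicy));
```

The vpcConfig: auto and nasConfig: auto sections below follow the same pattern and can be added as further conditional statement groups.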
service:
    name: unit-deploy-service
    description: 'demo for fc-deploy component'
    internetAccess: true
    role: <role-arn> # Specify the ARN of the configured service-linked role. For more information about permissions configurations, see the following description of permissions to be granted to the service-linked role. 
    # vpcConfig: auto
    vpcConfig:
      vpcId: xxx
      securityGroupId: xxx
      vswitchIds:
        - vsw-xxx
Permissions to be granted to RAM users
  • Highest level of permissions (granted by using one or more system policies)

    AliyunFCFullAccess, AliyunVPCFullAccess, and AliyunECSFullAccess

  • Lowest level of permissions (granted by using a system policy or a custom policy)
    • Custom policy that can be used when the vpcConfig parameter is not set to auto
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "fc:CreateService",
                  "Resource": "acs:fc:<region>:<accountId>:services/*",
                  "Effect": "Allow"
              },
              {
                  "Action": "fc:UpdateService",
                  "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                  "Effect": "Allow"
              },
              {
                  "Action": "fc:GetService",
                  "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                  "Effect": "Allow"
              }, 
              {
                  "Action": "ram:PassRole",
                  "Effect": "Allow",
                  "Resource": "*"
              }
          ]
      }
      
    • Policies that can be used when the vpcConfig parameter is set to auto
      • System policy

        AliyunVPCReadOnlyAccess

      • Custom policy
        {
            "Version": "1",
            "Statement": [
                {
                    "Action": "fc:CreateService",
                    "Resource": "acs:fc:<region>:<accountId>:services/*",
                    "Effect": "Allow"
                },
                {
                    "Action": "fc:UpdateService",
                    "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                    "Effect": "Allow"
                },
                {
                    "Action": "fc:GetService",
                    "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                    "Effect": "Allow"
                },
                {
                    "Action": "ram:PassRole",
                    "Effect": "Allow",
                    "Resource": "*"
                },
                {
                    "Action": "fc:GetAccountSettings",
                    "Effect": "Allow",
                    "Resource": "acs:fc:<region>:<accountId>:account-settings"
                },
                {
                    "Action": [
                        "vpc:CreateVpc",
                        "vpc:CreateVSwitch",
                        "ecs:AuthorizeSecurityGroup",
                        "ecs:DescribeSecurityGroups",
                        "ecs:CreateSecurityGroup"
                    ],
                    "Effect": "Allow",
                    "Resource": "*"
                }
            ]
        }
        
Permissions to be granted to the service-linked role
  • Permissions granted by using a system policy

    AliyunECSNetworkInterfaceManagementAccess

service:
    name: unit-deploy-service
    description: 'demo for fc-deploy component'
    internetAccess: true
    role: <role-arn> # Specify the ARN of the configured service-linked role. For more information about permissions configurations, see the following description of permissions to be granted to the service-linked role. 
    # vpcConfig: auto
    vpcConfig:
      vpcId: xxx
      securityGroupId: xxx
      vswitchIds:
        - vsw-xxx
    # nasConfig: auto
    nasConfig:
      userId: 10xxx
      groupId: 10xxx
      mountPoints:
        - serverAddr: xxx-xxx.<region>.nas.aliyuncs.com
          nasDir: /unit-deploy-service
Permissions to be granted to RAM users
  • Highest level of permissions (granted by using one or more system policies)

    AliyunFCFullAccess, AliyunVPCFullAccess, and AliyunNASFullAccess

  • Lowest level of permissions (granted by using a system policy or a custom policy)
    • Custom policy that can be used when the nasConfig parameter is not set to auto
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "fc:CreateService",
                  "Resource": "acs:fc:<region>:<accountId>:services/*",
                  "Effect": "Allow"
              },
              {
                  "Action": "fc:UpdateService",
                  "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                  "Effect": "Allow"
              },
              {
                  "Action": "fc:GetService",
                  "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                  "Effect": "Allow"
              },
              {
                  "Action": "ram:PassRole",
                  "Effect": "Allow",
                  "Resource": "*"
              }
          ]
      }
      
    • Policies that can be used when the nasConfig parameter is set to auto
      • System policy

        AliyunNASReadOnlyAccess

      • Custom policy
        {
            "Version": "1", 
            "Statement": [
                {
                    "Action": "fc:CreateService",
                    "Resource": "acs:fc:<region>:<accountId>:services/*",
                    "Effect": "Allow"
                },
                {
                    "Action": "fc:UpdateService",
                    "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                    "Effect": "Allow"
                },
                {
                    "Action": "fc:GetService",
                    "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                    "Effect": "Allow"
                },
                {
                    "Action": "fc:GetAccountSettings",
                    "Effect": "Allow",
                    "Resource": "acs:fc:<region>:<accountId>:account-settings"
                },
                {
                    "Action": [
                        "fc:UpdateService",
                        "fc:CreateService"
                    ],
                    "Effect": "Allow",
                    "Resource": "acs:fc:<region>:<accountId>:services/*"
                },
                {
                    "Action": [
                        "fc:InvokeFunction",
                        "fc:CreateFunction",
                        "fc:UpdateFunction"
                    ],
                    "Effect": "Allow",
                    "Resource": "acs:fc:<region>:<accountId>:services/*/functions/*"
                },
                {
                    "Action": [
                      "fc:UpdateTrigger",
                      "fc:CreateTrigger"
                    ],
                    "Effect": "Allow",
                    "Resource": "acs:fc:<region>:<accountId>:services/*/functions/*/triggers/*"
                },
                {
                    "Action": "ram:PassRole",
                    "Effect": "Allow",
                    "Resource": "*"
                },
                {
                    "Action": [
                        "nas:CreateMountTarget",
                        "nas:DescribeMountTargets",
                        "nas:DescribeFileSystems",
                        "nas:CreateFileSystem",
                        "vpc:DescribeVSwitchAttributes"
                    ],
                    "Effect": "Allow",
                    "Resource": "*"
                }
            ]
        }
        
Permissions to be granted to the service-linked role
  • Highest level of permissions (granted by using a system policy)

    AliyunECSNetworkInterfaceManagementAccess

service:
    name: unit-deploy-service
    description: 'demo for fc-deploy component'
    internetAccess: true
    tracingConfig: Enable     
Permissions to be granted to RAM users
  • Highest level of permissions (granted by using one or more system policies)

    AliyunFCFullAccess and AliyunTracingAnalysisReadOnlyAccess

  • Lowest level of permissions (granted by using a custom policy)
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:CreateService",
                "Resource": "acs:fc:<region>:<accountId>:services/*",
                "Effect": "Allow"
            },
            {
                "Action": "fc:UpdateService",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                "Effect": "Allow"
            },
            {
                "Action": "fc:GetService",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                "Effect": "Allow"
            }, 
            {
                "Action": "ram:PassRole",
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
    
role:
  name: unit-fc
  policies:
    - AliyunContainerRegistryReadOnlyAccess
    - name: unit-test-123
      description: test
      statement:
        Action: ram:PassRole
        Effect: Allow
        Resource: '*'
Permissions to be granted to RAM users
  • Highest level of permissions (granted by using one or more system policies)

    AliyunFCFullAccess and AliyunRAMFullAccess

  • Lowest level of permissions (granted by using a custom policy)
    {
        "Version": "1",
        "Statement": [
            {
              "Action": [
                "ram:PassRole",
                "ram:GetRole",
                "ram:CreateRole",
                "ram:ListPoliciesForRole",
                "ram:AttachPolicyToRole",
                "ram:GetPolicy",
                "ram:CreatePolicy",
                "ram:ListPolicyVersions",
                "ram:CreatePolicyVersion",
                "ram:DeletePolicyVersion"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
                "Action": "fc:CreateService",
                "Resource": "acs:fc:<region>:<accountId>:services/*",
                "Effect": "Allow"
            },
            {
                "Action": "fc:UpdateService",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                "Effect": "Allow"
            },
            {
                "Action": "fc:GetService",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                "Effect": "Allow"
            }
        ]
    }
    

Configurations of permissions on functions

function:
    name: event-function
    description: this is a test
    runtime: nodejs12
    codeUri: ./
    handler: index.handler
    memorySize: 128
    timeout: 60
Permissions to be granted to RAM users
  • Highest level of permissions (granted by using a system policy)

    AliyunFCFullAccess

  • Lowest level of permissions on deploy operations (granted by using a custom policy)
    Note The fc:GetFunction permission is optional.
    {
        "Version": "1", 
        "Statement": [
            {
                "Action": [
                    "fc:GetFunction",
                    "fc:CreateFunction",
                    "fc:UpdateFunction"
                ],
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>/functions/*"
            }
        ]
    }
    
  • Lowest level of permissions on delete operations (granted by using a custom policy)
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:DeleteFunction",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>/functions/<functionName>",
                "Effect": "Allow"
            }
        ]
    }
    
function:
    name: event-function
    description: this is a test
    runtime: custom-container
    codeUri: ./
    handler: index.handler
    memorySize: 128
    timeout: 60
    customContainerConfig:
          image: xxx
          command: xxx
          args: xxx
Permissions to be granted to RAM users
  • Highest level of permissions (granted by using a system policy)

    AliyunFCFullAccess

  • Lowest level of permissions on deploy operations (granted by using a custom policy)
    {
        "Version": "1", 
        "Statement": [
            {
                "Action": [
                    "fc:GetFunction",
                    "fc:CreateFunction",
                    "fc:UpdateFunction"
                ],
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>/functions/*"
            }
        ]
    }
    
  • Lowest level of permissions on delete operations (granted by using a custom policy)
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:DeleteFunction",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>/functions/<functionName>",
                "Effect": "Allow"
            }
        ]
    }
    
Permissions to be granted to the service-linked role
  • Permissions granted by using a system policy

    AliyunContainerRegistryReadOnlyAccess

asyncConfiguration:
    destination:
        onSuccess: acs:fc:::services/ServerlessTool.LATEST/functions/serverless_demo_nodejs8_http
        onFailure: acs:fc:::services/Puppeteer/functions/HtmlToPng
    maxAsyncEventAgeInSeconds: 456
    maxAsyncRetryAttempts: 3
    statefulInvocation: false
Permissions to be granted to RAM users
  • Highest level of permissions (granted by using one or more system policies)
    • AliyunFCFullAccess
    • AliyunMNSReadOnlyAccess: the system policy that grants the permissions to access Message Service (MNS).
    • AliyunEventBridgeReadOnlyAccess: the system policy that grants the permissions to access EventBridge.
    • AliyunMQReadOnlyAccess: the system policy that grants the permissions to access Message Queue for Apache RocketMQ.
    • AliyunFCInvocationAccess: the system policy that grants the permissions to invoke functions.
  • Lowest level of permissions (granted by using a system policy or a custom policy)
    Note The fc:GetFunctionAsyncInvokeConfig permission is optional.
    • System policies
      • AliyunMNSReadOnlyAccess: Use this system policy if the destination for an asynchronous invocation is MNS.
      • AliyunEventBridgeReadOnlyAccess: Use this system policy if the destination for an asynchronous invocation is EventBridge.
      • AliyunMQReadOnlyAccess: Use this system policy if the destination for an asynchronous invocation is Message Queue for Apache RocketMQ.
    • Custom policy
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "fc:*Service",
                  "Resource": "*",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "fc:GetFunction",
                      "fc:CreateFunction",
                      "fc:UpdateFunction"
                  ],
                  "Effect": "Allow",
                  "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>/functions/*"
              },
              {
                  "Action": [
                      "fc:InvokeFunction",
                      "fc:GetFunctionAsyncInvokeConfig",
                      "fc:DeleteFunctionAsyncInvokeConfig",
                      "fc:PutFunctionAsyncInvokeConfig"
                  ],
                  "Effect": "Allow",
                  "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>.*/functions/*"
              },
              {
                  "Action": "ram:PassRole",
                  "Effect": "Allow",
                  "Resource": "*"
              }
          ]
      }
                  
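To see what a custom policy such as the one above actually permits before it is attached, here is an added example (not part of the fc component or its documentation) of a small Allow-only evaluator that expands the * wildcard in Action and Resource the way fc:*Service and services/<serviceName>.*/functions/* use it. The function names and the sample region, account ID and service name are constructed for this example, and it models none of RAM's Deny or Condition handling.

```javascript
// Added example, not part of the fc component: a minimal matcher for the
// Allow-only custom policies on this page. Names below are hypothetical.

function globToRegExp(pattern) {
  // Escape regex metacharacters, then turn each "*" into ".*".
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp(`^${escaped}$`);
}

function statementMatches(stmt, action, resource) {
  // Action and Resource may each be a string or an array of strings.
  const actions = [].concat(stmt.Action);
  const resources = [].concat(stmt.Resource);
  return stmt.Effect === 'Allow'
    && actions.some((a) => globToRegExp(a).test(action))
    && resources.some((r) => globToRegExp(r).test(resource));
}

function isAllowed(policy, action, resource) {
  return policy.Statement.some((s) => statementMatches(s, action, resource));
}

// The asyncConfiguration custom policy above, with placeholders filled in
// using constructed sample values.
const REGION = 'cn-hangzhou';
const ACCOUNT = '123456789012';
const SERVICE = 'unit-deploy-service';
const asyncPolicy = {
  Version: '1',
  Statement: [
    { Action: 'fc:*Service', Resource: '*', Effect: 'Allow' },
    {
      Action: ['fc:GetFunction', 'fc:CreateFunction', 'fc:UpdateFunction'],
      Effect: 'Allow',
      Resource: `acs:fc:${REGION}:${ACCOUNT}:services/${SERVICE}/functions/*`,
    },
    {
      Action: ['fc:InvokeFunction', 'fc:GetFunctionAsyncInvokeConfig',
        'fc:DeleteFunctionAsyncInvokeConfig', 'fc:PutFunctionAsyncInvokeConfig'],
      Effect: 'Allow',
      Resource: `acs:fc:${REGION}:${ACCOUNT}:services/${SERVICE}.*/functions/*`,
    },
    { Action: 'ram:PassRole', Effect: 'Allow', Resource: '*' },
  ],
};

// Calls a deploy of the YAML above makes, plus two probes that show the
// policy's edges: fc:*Service on "*" reaches every service in the account,
// while trigger operations are not covered at all.
function checkAsyncDeploy(policy) {
  const fn = `acs:fc:${REGION}:${ACCOUNT}:services/${SERVICE}/functions/event-function`;
  const fnLatest = `acs:fc:${REGION}:${ACCOUNT}:services/${SERVICE}.LATEST/functions/event-function`;
  return {
    createFunction: isAllowed(policy, 'fc:CreateFunction', fn),
    putAsyncConfig: isAllowed(policy, 'fc:PutFunctionAsyncInvokeConfig', fnLatest),
    deleteAnyService: isAllowed(policy, 'fc:DeleteService',
      `acs:fc:${REGION}:${ACCOUNT}:services/other-service`),
    createTrigger: isAllowed(policy, 'fc:CreateTrigger', `${fn}/triggers/httpTrigger`),
  };
}

console.log(checkAsyncDeploy(asyncPolicy));
```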

Configurations of permissions on triggers

triggers:
    - name: httpTrigger
      type: http
      config:
        authType: anonymous
        methods:
          - GET
          - POST
Function permissions to be granted to RAM users
  • Highest level of permissions (granted by using a system policy)

    AliyunFCFullAccess

  • Lowest level of permissions on deploy operations (granted by using a custom policy)
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "fc:GetTrigger",
                    "fc:CreateTrigger",
                    "fc:UpdateTrigger"
                ],
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>/functions/<functionName>/triggers/<triggerName>"
            }
        ]
    }
    
  • Lowest level of permissions on delete operations (granted by using a custom policy)
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:DeleteTrigger",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>/functions/<functionName>/triggers/*",
                "Effect": "Allow"
            }
        ]
    }
    

Configurations of permissions on custom domain names

customDomains:
    - domainName: auto
      protocol: HTTP
      routeConfigs:
        - path: /*
          serviceName: unit-deploy-service
          functionName: event-function
Function permissions to be granted to RAM users
  • Highest level of permissions (granted by using a system policy)

    AliyunFCFullAccess

  • Lowest level of permissions (granted by using a custom policy)
    Note A custom domain name involves permissions on multiple services and functions because the domainName parameter is set to auto. You must create an HTTP function that serves as a helper function during the authorization process. After the permissions are granted, the HTTP function is deleted.
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "fc:DeleteService",
                    "fc:UpdateService",
                    "fc:CreateService"
                ],
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<accountId>:services/*"
            },
            {
                "Action": [
                    "fc:DeleteFunction",
                    "fc:CreateFunction",
                    "fc:UpdateFunction"
                ],
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<accountId>:services/*/functions/*"
            },
            {
                "Action": [
                  "fc:DeleteTrigger",
                  "fc:UpdateTrigger",
                  "fc:CreateTrigger"
                ],
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<accountId>:services/*/functions/*/triggers/*"
            },
            {
                "Action": "ram:PassRole",
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Action": [
                    "fc:GetCustomDomain",
                    "fc:UpdateCustomDomain",
                    "fc:CreateCustomDomain"
                ],
                "Resource": "acs:fc:<region>:<accountId>:custom-domains/*",
                "Effect": "Allow"
            }
        ]
    }