This topic describes the permission configurations that are required when you authorize Resource Access Management (RAM) users to use the YAML mode of the FC component.

Configurations of permissions on services

service:
    name: unit-deploy-service
    description: 'demo for fc-deploy component'
    internetAccess: true
Permissions required for RAM users
  • Highest level of permissions (granted by using system policies)

    AliyunFCFullAccess

  • Lowest level of permissions on deployment operations (granted by using custom policies)
    Note: The fc:GetService permission is optional.
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:CreateService",
                "Resource": "acs:fc:<region>:<accountId>:services/*",
                "Effect": "Allow"
            },
            {
                "Action": "fc:UpdateService",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                "Effect": "Allow"
            },
            {
                "Action": "fc:GetService",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                "Effect": "Allow"
            }
        ]
    }
    
  • Lowest level of permissions on delete operations (granted by using custom policies)
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:DeleteService",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                "Effect": "Allow"
            }
        ]
    }
    
service:
    name: unit-deploy-service
    description: 'demo for fc-deploy component'
    internetAccess: true
    role: <role-arn> # Specify the Alibaba Cloud Resource Name (ARN) of the role. For more information about the role configurations, see the "Permissions required for a service-linked role" section. 
    # logConfig: auto
    logConfig:
        project: XXX
        logstore: XXX
Note: If the logConfig parameter is set to auto, the project name takes the form {accountID}-{region}-logproject, and the logstore name takes the form fc-service-{serviceName}-logstore converted to lowercase.
Permissions required for RAM users
  • Highest level of permissions (granted by using system policies)

    AliyunFCFullAccess and AliyunLogFullAccess

  • Lowest level of permissions (granted by using custom policies)
    • Custom policies that can be used when the logConfig parameter is not set to auto
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "fc:CreateService",
                  "Resource": "acs:fc:<region>:<accountId>:services/*",
                  "Effect": "Allow"
              },
              {
                  "Action": "fc:UpdateService",
                  "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                  "Effect": "Allow"
              },
              {
                  "Action": "fc:GetService",
                  "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                  "Effect": "Allow"
              },
              {
                  "Action": "ram:PassRole",
                  "Effect": "Allow",
                  "Resource": "*"
              }
          ]
      }
      
    • Custom policies that can be used when the logConfig parameter is set to auto
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "fc:CreateService",
                  "Resource": "acs:fc:<region>:<accountId>:services/*",
                  "Effect": "Allow"
              },
              {
                  "Action": "fc:UpdateService",
                  "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                  "Effect": "Allow"
              },
              {
                  "Action": "fc:GetService",
                  "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                  "Effect": "Allow"
              },
              {
                  "Action": "ram:PassRole",
                  "Effect": "Allow",
                  "Resource": "*"
              },
              {
                  "Action": [
                      "log:GetProject",
                      "log:CreateProject"
                  ],
                  "Resource": "acs:log:<region>:<accountId>:project/<projectName>",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "log:CreateLogStore",
                      "log:GetIndex",
                      "log:GetLogStore",
                      "log:CreateIndex"
                  ],
                  "Resource": "acs:log:<region>:<accountId>:project/<projectName>/logstore/<logstoreName>",
                  "Effect": "Allow"
              }
          ]
      }
      
  • Permissions required for a service-linked role
    • Highest level of permissions (granted by using system policies)

      AliyunLogFullAccess

    • Lowest level of permissions (granted by using custom policies)
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "log:PostLogStoreLogs",
                  "Resource": "acs:log:<region>:<accountId>:project/<projectName>/logstore/<logstoreName>",
                  "Effect": "Allow"
              }
          ]
      }
      
service:
    name: unit-deploy-service
    description: 'demo for fc-deploy component'
    internetAccess: true
    role: <role-arn> # Specify the ARN of the configured role. For more information about the role configurations, see the "Permissions required for a service-linked role" section. 
    # vpcConfig: auto
    vpcConfig:
      vpcId: xxx
      securityGroupId: xxx
      vswitchIds:
        - vsw-xxx
Permissions required for RAM users
  • Highest level of permissions (granted by using system policies)

    AliyunFCFullAccess, AliyunVPCFullAccess, and AliyunECSFullAccess

  • Lowest level of permissions (granted by using custom policies)
    • Custom policies that can be used when the vpcConfig parameter is not set to auto
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "fc:CreateService",
                  "Resource": "acs:fc:<region>:<accountId>:services/*",
                  "Effect": "Allow"
              },
              {
                  "Action": "fc:UpdateService",
                  "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                  "Effect": "Allow"
              },
              {
                  "Action": "fc:GetService",
                  "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                  "Effect": "Allow"
              }, 
              {
                  "Action": "ram:PassRole",
                  "Effect": "Allow",
                  "Resource": "*"
              }
          ]
      }
      
    • Policies that can be used when the vpcConfig parameter is set to auto
      • System policies

        AliyunVPCReadOnlyAccess

      • Custom policies
        {
            "Version": "1", 
            "Statement": [
               {
                   "Action": "fc:CreateService",
                   "Resource": "acs:fc:<region>:<accountId>:services/*",
                   "Effect": "Allow"
               },
               {
                   "Action": "fc:UpdateService",
                   "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                   "Effect": "Allow"
               },
               {
                   "Action": "fc:GetService",
                   "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                   "Effect": "Allow"
               },
               {
                   "Action": "ram:PassRole",
                   "Effect": "Allow",
                   "Resource": "*"
               },
               {
                   "Action": "fc:GetAccountSettings",
                   "Effect": "Allow",
                   "Resource": "acs:fc:<region>:<accountId>:account-settings"
               },
               {
                   "Action": [
                       "vpc:CreateVpc",
                       "vpc:CreateVSwitch",
                       "ecs:AuthorizeSecurityGroup",
                       "ecs:DescribeSecurityGroups",
                       "ecs:CreateSecurityGroup"
                   ],
                   "Effect": "Allow",
                   "Resource": "*"
               }
            ]
        }                     
        
Permissions required for a service-linked role
  • System Policies

    AliyunECSNetworkInterfaceManagementAccess

service:
    name: unit-deploy-service
    description: 'demo for fc-deploy component'
    internetAccess: true
    role: <role-arn> # Specify the ARN of the configured role. For more information about the role configurations, see the "Permissions required for a service-linked role" section. 
    # vpcConfig: auto
    vpcConfig:
      vpcId: xxx
      securityGroupId: xxx
      vswitchIds:
        - vsw-xxx
    # nasConfig: auto
    nasConfig:
      userId: 10xxx
      groupId: 10xxx
      mountPoints:
        - serverAddr: xxx-xxx.<region>.nas.aliyuncs.com
          nasDir: /unit-deploy-service
Permissions required for RAM users
  • Highest level of permissions (granted by using system policies)

    AliyunFCFullAccess, AliyunVPCFullAccess, and AliyunNASFullAccess

  • Lowest level of permissions (granted by using custom policies)
    • Custom policies that can be used when the nasConfig parameter is not set to auto
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "fc:CreateService",
                  "Resource": "acs:fc:<region>:<accountId>:services/*",
                  "Effect": "Allow"
              },
              {
                  "Action": "fc:UpdateService",
                  "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                  "Effect": "Allow"
              },
              {
                  "Action": "fc:GetService",
                  "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                  "Effect": "Allow"
              },
              {
                  "Action": "ram:PassRole",
                  "Effect": "Allow",
                  "Resource": "*"
              }
          ]
      }
      
    • Policies that can be used when the nasConfig parameter is set to auto
      • System policies

        AliyunNASReadOnlyAccess

      • Custom policies
        {
            "Version": "1", 
            "Statement": [
                {
                    "Action": "fc:CreateService",
                    "Resource": "acs:fc:<region>:<accountId>:services/*",
                    "Effect": "Allow"
                },
                {
                    "Action": "fc:UpdateService",
                    "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                    "Effect": "Allow"
                },
                {
                    "Action": "fc:GetService",
                    "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                    "Effect": "Allow"
                },
                {
                    "Action": "fc:GetAccountSettings",
                    "Effect": "Allow",
                    "Resource": "acs:fc:<region>:<accountId>:account-settings"
                },
                {
                    "Action": [
                        "fc:UpdateService",
                        "fc:CreateService"
                    ],
                    "Effect": "Allow",
                    "Resource": "acs:fc:<region>:<accountId>:services/*"
                },
                {
                    "Action": [
                        "fc:InvokeFunction",
                        "fc:CreateFunction",
                        "fc:UpdateFunction"
                    ],
                    "Effect": "Allow",
                    "Resource": "acs:fc:<region>:<accountId>:services/*/functions/*"
                },
                {
                    "Action": [
                      "fc:UpdateTrigger",
                      "fc:CreateTrigger"
                    ],
                    "Effect": "Allow",
                    "Resource": "acs:fc:<region>:<accountId>:services/*/functions/*/triggers/*"
                },
                {
                    "Action": "ram:PassRole",
                    "Effect": "Allow",
                    "Resource": "*"
                },
                {
                    "Action": [
                        "nas:CreateMountTarget",
                        "nas:DescribeMountTargets",
                        "nas:DescribeFileSystems",
                        "nas:CreateFileSystem",
                        "vpc:DescribeVSwitchAttributes"
                    ],
                    "Effect": "Allow",
                    "Resource": "*"
                }
            ]
        }
        
Permissions required for a service-linked role
  • Highest level of permissions (granted by using system policies)

    AliyunECSNetworkInterfaceManagementAccess

service:
    name: unit-deploy-service
    description: 'demo for fc-deploy component'
    internetAccess: true
    tracingConfig: Enable     
Permissions required for RAM users
  • Highest level of permissions (granted by using system policies)

    AliyunFCFullAccess and AliyunTracingAnalysisReadOnlyAccess

  • Lowest level of permissions (granted by using custom policies)
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:CreateService",
                "Resource": "acs:fc:<region>:<accountId>:services/*",
                "Effect": "Allow"
            },
            {
                "Action": "fc:UpdateService",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                "Effect": "Allow"
            },
            {
                "Action": "fc:GetService",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                "Effect": "Allow"
            }, 
            {
                "Action": "ram:PassRole",
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
    
role:
  name: unit-fc
  policies:
    - AliyunContainerRegistryReadOnlyAccess
    - name: unit-test-123
      description: test
      statement:
        Action: ram:PassRole
        Effect: Allow
        Resource: '*'
Permissions required for RAM users
  • Highest level of permissions (granted by using system policies)

    AliyunFCFullAccess and AliyunRAMFullAccess

  • Lowest level of permissions (granted by using custom policies)
    {
        "Version": "1",
        "Statement": [
            {
              "Action": [
                "ram:PassRole",
                "ram:GetRole",
                "ram:CreateRole",
                "ram:ListPoliciesForRole",
                "ram:AttachPolicyToRole",
                "ram:GetPolicy",
                "ram:CreatePolicy",
                "ram:ListPolicyVersions",
                "ram:CreatePolicyVersion",
                "ram:DeletePolicyVersion"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
                "Action": "fc:CreateService",
                "Resource": "acs:fc:<region>:<accountId>:services/*",
                "Effect": "Allow"
            },
            {
                "Action": "fc:UpdateService",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                "Effect": "Allow"
            },
            {
                "Action": "fc:GetService",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                "Effect": "Allow"
            }
        ]
    }
    

Configurations of permissions on functions

function:
    name: event-function
    description: this is a test
    runtime: nodejs12
    codeUri: ./
    handler: index.handler
    memorySize: 128
    timeout: 60
Permissions required for RAM users
  • Highest level of permissions (granted by using system policies)

    AliyunFCFullAccess

  • Lowest level of permissions on deployment operations (granted by using custom policies)
    Note: The fc:GetFunction permission is optional.
    {
        "Version": "1", 
        "Statement": [
            {
                "Action": [
                    "fc:GetFunction",
                    "fc:CreateFunction",
                    "fc:UpdateFunction"
                ],
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>/functions/*"
            }
        ]
    }
    
  • Lowest level of permissions on delete operations (granted by using custom policies)
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:DeleteFunction",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>/functions/<functionName>",
                "Effect": "Allow"
            }
        ]
    }
    
function:
    name: event-function
    description: this is a test
    runtime: custom-container
    codeUri: ./
    handler: index.handler
    memorySize: 128
    timeout: 60
    customContainerConfig:
          image: xxx
          command: xxx
          args: xxx
Permissions required for RAM users
  • Highest level of permissions (granted by using system policies)

    AliyunFCFullAccess

  • Lowest level of permissions on deployment operations (granted by using custom policies)
    {
        "Version": "1", 
        "Statement": [
            {
                "Action": [
                    "fc:GetFunction",
                    "fc:CreateFunction",
                    "fc:UpdateFunction"
                ],
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>/functions/*"
            }
        ]
    }
    
  • Lowest level of permissions on delete operations (granted by using custom policies)
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:DeleteFunction",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>/functions/<functionName>",
                "Effect": "Allow"
            }
        ]
    }
    
Permissions required for a service-linked role
  • System policies

    AliyunContainerRegistryReadOnlyAccess

asyncConfiguration:
    destination:
        onSuccess: acs:fc:::services/ServerlessTool.LATEST/functions/serverless_demo_nodejs8_http
        onFailure: acs:fc:::services/Puppeteer/functions/HtmlToPng
    maxAsyncEventAgeInSeconds: 456
    maxAsyncRetryAttempts: 3
    statefulInvocation: false
Permissions required for RAM users
  • Highest level of permissions (granted by using system policies)
    • AliyunFCFullAccess
    • AliyunMNSReadOnlyAccess: the permissions to access Message Service (MNS).
    • AliyunEventBridgeReadOnlyAccess: the permissions to access EventBridge.
    • AliyunMQReadOnlyAccess: the permissions to access Message Queue for Apache RocketMQ.
    • AliyunFCInvocationAccess: the permissions to invoke functions.
  • Lowest level of permissions (granted by using custom policies)
    Note: The fc:GetFunctionAsyncInvokeConfig permission is optional.
    • System policies
      • AliyunMNSReadOnlyAccess: the permissions that are required if the destination for an asynchronous invocation is MNS.
      • AliyunEventBridgeReadOnlyAccess: the permissions that are required if the destination for an asynchronous invocation is EventBridge.
      • AliyunMQReadOnlyAccess: the permissions that are required if the destination for an asynchronous invocation is Message Queue for Apache RocketMQ.
    • Custom policies
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "fc:*Service",
                  "Resource": "*",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "fc:GetFunction",
                      "fc:CreateFunction",
                      "fc:UpdateFunction"
                  ],
                  "Effect": "Allow",
                  "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>/functions/*"
              },
              {
                  "Action": [
                      "fc:InvokeFunction",
                      "fc:GetFunctionAsyncInvokeConfig",
                      "fc:DeleteFunctionAsyncInvokeConfig",
                      "fc:PutFunctionAsyncInvokeConfig"
                  ],
                  "Effect": "Allow",
                  "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>.*/functions/*"
              },
              {
                  "Action": "ram:PassRole",
                  "Effect": "Allow",
                  "Resource": "*"
              }
          ]
      }
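The following is an added example, not code from this page or from the FC component: a small checker that tests a RAM policy document against the minimum deploy and delete grants listed in the service section above and flags over-broad statements such as ram:PassRole on Resource "*". Its wildcard matcher also handles the fc:*Service and services/<serviceName>.*/functions/* patterns used in the asynchronous configuration policy. The region, account ID and service name are constructed placeholders; Deny statements and Condition blocks are not evaluated.

```python
"""Check a RAM policy document against the minimum (action, resource) grants
this page lists for an FC deployment, and flag over-broad statements.
Added example, not the page's or the FC component's own code. Assumptions:
region, account ID and service name are constructed placeholders; '*' is the
only wildcard evaluated; Deny statements and Condition blocks are ignored."""

# Constructed placeholder values used to instantiate the page's templates.
VALUES = {
    "<region>": "cn-hangzhou",
    "<accountId>": "123456789012",
    "<serviceName>": "unit-deploy-service",
}

# Minimum deploy and delete grants for a plain service, as listed on this
# page (fc:GetService is optional there, so it is not required here).
REQUIRED_DEPLOY = [
    ("fc:CreateService", "acs:fc:<region>:<accountId>:services/*"),
    ("fc:UpdateService", "acs:fc:<region>:<accountId>:services/<serviceName>"),
]
REQUIRED_DELETE = [
    ("fc:DeleteService", "acs:fc:<region>:<accountId>:services/<serviceName>"),
]


def fill(text: str) -> str:
    """Replace the page's <placeholder> tokens with the constructed values."""
    for key, val in VALUES.items():
        text = text.replace(key, val)
    return text


def glob_match(pattern: str, value: str) -> bool:
    """RAM-style match: '*' matches any (possibly empty) run of characters."""
    parts = pattern.split("*")
    if len(parts) == 1:
        return pattern == value
    head, tail = parts[0], parts[-1]
    if len(value) < len(head) + len(tail):
        return False
    if not value.startswith(head) or not value.endswith(tail):
        return False
    pos, end = len(head), len(value) - len(tail)
    for part in parts[1:-1]:  # fixed text between wildcards, in order
        idx = value.find(part, pos, end)
        if idx < 0:
            return False
        pos = idx + len(part)
    return True


def allow_pairs(policy: dict):
    """Yield (action, resource) patterns from every Allow statement,
    accepting the scalar and list forms that both appear on this page."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny is not evaluated by this simplified checker
        actions = stmt["Action"]
        resources = stmt["Resource"]
        if isinstance(actions, str):
            actions = [actions]
        if isinstance(resources, str):
            resources = [resources]
        for action in actions:
            for resource in resources:
                yield action, resource


def is_granted(policy: dict, action: str, resource: str) -> bool:
    """True if one Allow statement covers both the action and the resource."""
    return any(glob_match(pa, action) and glob_match(pr, resource)
               for pa, pr in allow_pairs(policy))


def missing_grants(policy: dict, required: list) -> list:
    """Required (action, resource) pairs the policy does not cover."""
    return [(fill(a), fill(r)) for a, r in required
            if not is_granted(policy, fill(a), fill(r))]


def broad_grants(policy: dict) -> list:
    """Allow statements on Resource '*' worth a second look: ram:PassRole
    on '*' lets the user pass any role to FC, and a wildcard action on '*'
    grants more than a single deployment needs."""
    return [(a, r) for a, r in allow_pairs(policy)
            if r == "*" and (a == "ram:PassRole" or "*" in a)]


# Constructed policy: the page's service deploy policy plus the ram:PassRole
# statement from the logConfig/vpcConfig variants, placeholders filled in.
USER_POLICY = {"Version": "1", "Statement": [
    {"Action": "fc:CreateService", "Effect": "Allow",
     "Resource": fill("acs:fc:<region>:<accountId>:services/*")},
    {"Action": "fc:UpdateService", "Effect": "Allow",
     "Resource": fill("acs:fc:<region>:<accountId>:services/<serviceName>")},
    {"Action": "ram:PassRole", "Effect": "Allow", "Resource": "*"},
]}
```

Running missing_grants(USER_POLICY, REQUIRED_DELETE) shows the fc:DeleteService grant that the deploy policy alone does not provide, and broad_grants(USER_POLICY) lists the ram:PassRole statement on Resource "*".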
                  

Configurations of permissions on triggers

triggers:
  - name: httpTrigger
    type: http
    #qualifier: LATEST
    config:
      authType: anonymous
      methods:
        - GET
Permissions required for RAM users
  • Highest level of permissions (granted by using system policies)

    AliyunFCFullAccess

  • Lowest level of permissions on operations (granted by using custom policies)
    {
        "Version": "1",
        "Statement": [
            {
                  "Action": [
                    "fc:GetTrigger",
                    "fc:CreateTrigger",
                    "fc:UpdateTrigger",
                    "fc:DeleteTrigger"
                ],
                "Effect": "Allow",
                "Resource":"acs:fc:<region>:<accountId>:services/<serviceName>/functions/<functionName>/triggers/<triggerName>"
              }
        ]
    }
    
triggers:
  - name: oss
    sourceArn: acs:oss:<region>:<accountId>:<bucketName>
    type: oss
    role: acs:ram::<accountId>:role/aliyunosseventnotificationrole
    #qualifier: LATEST
    config:
     events:
      - oss:ObjectCreated:*
     filter:
      key:
        prefix: xxx
        suffix: xxx
Permissions required for RAM users
  • Highest level of permissions (granted by using system policies)

    AliyunFCFullAccess and AliyunOSSFullAccess

  • Lowest level of permissions on operations (granted by using custom policies)
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "fc:GetTrigger",
                    "fc:CreateTrigger",
                    "fc:UpdateTrigger",
                    "fc:DeleteTrigger"
                ],
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<accountId>:services/*/functions/*/triggers/*"
              },
            {
                "Action": "ram:PassRole",
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Action": [
                    "oss:ListBucket",
                    "oss:GetBucketEventNotification",
                    "oss:PutBucketEventNotification",
                    "oss:DeleteBucketEventNotification"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
    
Permissions required for OSS trigger roles
{
    "Version": "1",
    "Statement": [
        {
            "Action":[
              "fc:InvokeFunction"
            ],
            "Resource":"*",
            "Effect": "Allow"
        }
    ]
}
triggers:
  - name: cdn
    sourceArn: acs:cdn:*:<accountId>
    type: cdn_events
    role: <roleArn>
    #qualifier: LATEST
    config:
      eventName: CachedObjectsBlocked
      eventVersion: 1.0.0
      notes: xxx
      filter:
        domain: example.com     
Permissions required for RAM users
  • Highest level of permissions (granted by using system policies)

    AliyunFCFullAccess and AliyunCDNFullAccess

  • Lowest level of permissions on operations (granted by using custom policies)
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "fc:GetTrigger",
                    "fc:CreateTrigger",
                    "fc:UpdateTrigger",
                    "fc:DeleteTrigger"
                ],
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<accountId>:services/*/functions/*/triggers/*"
              },
            {
                "Action": "ram:PassRole",
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "cdn:UpdateFCTrigger",
                    "cdn:DeleteFCTrigger",
                    "cdn:DescribeFCTrigger",
                    "cdn:AddFCTrigger"
                ],            
                "Resource": "*"
            }
        ]
    }
    
Permissions required for CDN trigger roles
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
            "fc:InvokeFunction"
            ],
            "Resource":"*",
            "Effect": "Allow"
        }
    ]
}
triggers:
  - name: log
    sourceArn: acs:log:<region>:<accountId>:project/<projectName>
    type: log
    role: acs:ram::<accountId>:role/aliyunlogetlrole
    #qualifier: LATEST
    config:
        sourceConfig:
          logstore: log
        jobConfig:
          maxRetryTime: 3
          triggerInterval: 60
        functionParameter:
          #key: value
        logConfig:
          project: xxx
          logstore: xxx
        enable: false
Permissions required for RAM users
  • Highest level of permissions (granted by using system policies)

    AliyunFCFullAccess and AliyunLogFullAccess

  • Lowest level of permissions on operations (granted by using custom policies)
    {
        "Version": "1",
        "Statement": [
            {
                  "Action": [
                    "fc:GetTrigger",
                    "fc:CreateTrigger",
                    "fc:UpdateTrigger",
                    "fc:DeleteTrigger"
                ],
                "Effect": "Allow",
                "Resource":"acs:fc:<region>:<accountId>:services/*/functions/*/triggers/*"
              },
            {
                "Action": "ram:PassRole",
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "log:GetEtlJob",
                    "log:UpdateEtlJob",
                    "log:CreateEtlJob",
                    "log:DeleteEtlJob"
                ],            
                "Resource": "*"
            }
        ]
    }
    
Permissions required for Log Service trigger roles
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
               "fc:InvokeFunction"
            ],
            "Resource":"*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "log:Get*",
                "log:List*",
                "log:PostProjectQuery",
                "log:PutProjectQuery",
                "log:DeleteProjectQuery",
                "log:GetProjectQuery",
                "log:PostLogStoreLogs",
                "log:BatchPostLogStoreLogs",
                "log:CreateConsumerGroup",
                "log:UpdateConsumerGroup",
                "log:DeleteConsumerGroup",
                "log:ListConsumerGroup",
                "log:ConsumerGroupUpdateCheckPoint",
                "log:ConsumerGroupHeartBeat",
                "log:GetConsumerGroupCheckPoint"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
triggers:
  - name: ots
    sourceArn: acs:ots:<region>:<accountId>:instance/<instance>/table/<table>
    type: tablestore
    role: acs:ram::<accountId>:role/AliyunTableStoreStreamNotificationRole
    #qualifier: LATEST
    config: 
       instanceName: xxx
       tableName: xxx
Permissions required for RAM users
  • Highest level of permissions (granted by using system policies)

    AliyunFCFullAccess and AliyunOTSFullAccess

  • Lowest level of permissions on operations (granted by using custom policies)
    {
        "Version": "1",
        "Statement": [
            {
                  "Action": [
                    "fc:GetTrigger",
                    "fc:CreateTrigger",
                    "fc:UpdateTrigger",
                    "fc:DeleteTrigger"
                ],
                "Effect": "Allow",
                "Resource":"acs:fc:<region>:<accountId>:services/*/functions/*/triggers/*"
              },
            {
                "Action": "ram:PassRole",
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ots:GetTrigger",
                    "ots:UpdateTrigger",
                    "ots:CreateTrigger",
                    "ots:DeleteTrigger"
                ],            
                "Resource": "*"
            }
        ]
    }
    
Permissions required for Tablestore trigger roles
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ots:BatchGet*",
                "ots:Describe*",
                "ots:Get*",
                "ots:List*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "fc:InvokeFunction"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
triggers:
  - name: mns
    sourceArn: acs:mns:<region>:<accountId>:/topics/<topicName>
    type: mns_topic
    role: acs:ram::<accountId>:role/aliyunmnsnotificationrole
    #qualifier: LATEST
    config: 
        filterTag: xxx
        notifyContentFormat: STREAM
        notifyStrategy: BACKOFF_RETRY
Permissions required for RAM users
  • Highest level of permissions (granted by using system policies)

    AliyunFCFullAccess and AliyunMNSFullAccess

  • Lowest level of permissions on operations (granted by using custom policies)
    {
        "Version": "1",
        "Statement": [
            {
                  "Action": [
                    "fc:GetTrigger",
                    "fc:CreateTrigger",
                    "fc:UpdateTrigger",
                    "fc:DeleteTrigger"
                ],
                "Effect": "Allow",
                "Resource":"acs:fc:<region>:<accountId>:services/*/functions/*/triggers/*"
              },
            {
                "Action": "ram:PassRole",
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "mns:Subscribe",
                    "mns:Unsubscribe"
               ],            
                "Resource": "*"
            }
        ]
    }
    
Permissions required for MNS trigger roles
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
               "fc:InvokeFunction" 
           ],
            "Resource":"*",
            "Effect": "Allow"
        }
     ]
}
triggers:
  - name: timer
    type: timer
    #qualifier: LATEST
    config: 
      payload: '{"s": "ss"}'
      cronExpression: '@every 100m'
      enable: false
Permissions required for RAM users
  • Highest level of permissions (granted by using system policies)

    AliyunFCFullAccess

  • Lowest level of permissions on operations (granted by using custom policies)
    {
        "Version": "1",
        "Statement": [
            {
                  "Action": [
                    "fc:GetTrigger",
                    "fc:CreateTrigger",
                    "fc:UpdateTrigger",
                    "fc:DeleteTrigger"
                ],
                "Effect": "Allow",
                "Resource":"acs:fc:<region>:<accountId>:services/<serviceName>/functions/<functionName>/triggers/<triggerName>"
              }
        ]
    }
    

Configurations of permissions on custom domain names

customDomains:
    - domainName: auto
      protocol: HTTP
      routeConfigs:
        - path: /*
          serviceName: unit-deploy-service
          functionName: event-function
Permissions required for RAM users
  • Highest level of permissions (granted by using system policies)

    AliyunFCFullAccess

  • Lowest level of permissions (granted by using custom policies)
    Note: When domainName is set to auto, permissions on multiple services and functions are involved. You must create an HTTP function that serves as a helper function. After the permissions are granted, the HTTP function is deleted.
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "fc:DeleteService",
                    "fc:UpdateService",
                    "fc:CreateService"
                ],
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<accountId>:services/*"
            },
            {
                "Action": [
                    "fc:DeleteFunction",
                    "fc:CreateFunction",
                    "fc:UpdateFunction"
                ],
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<accountId>:services/*/functions/*"
            },
            {
                "Action": [
                  "fc:DeleteTrigger",
                  "fc:UpdateTrigger",
                  "fc:CreateTrigger"
                ],
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<accountId>:services/*/functions/*/triggers/*"
            },
            {
                "Action": "ram:PassRole",
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Action": [
                    "fc:GetCustomDomain",
                    "fc:UpdateCustomDomain",
                    "fc:CreateCustomDomain"
                ],
                "Resource": "acs:fc:<region>:<accountId>:custom-domains/*",
                "Effect": "Allow"
            }
        ]
    }