This topic describes the permission configurations that are required when you authorize Resource Access Management (RAM) users to use the YAML mode of the FC component.
Configurations of permissions on services
Basic service configuration:

```yaml
service:
  name: unit-deploy-service
  description: 'demo for fc-deploy component'
  internetAccess: true
```

- Highest level of permissions (granted by using system policies): AliyunFCFullAccess
- Lowest level of permissions on deployment operations (granted by using custom policies). Note: The fc:GetService permission is optional.

```json
{
  "Version": "1",
  "Statement": [
    { "Action": "fc:CreateService", "Resource": "acs:fc:<region>:<accountId>:services/*", "Effect": "Allow" },
    { "Action": "fc:UpdateService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" },
    { "Action": "fc:GetService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" }
  ]
}
```

- Lowest level of permissions on delete operations (granted by using custom policies)

```json
{
  "Version": "1",
  "Statement": [
    { "Action": "fc:DeleteService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" }
  ]
}
```
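The following Python script is an added example and is not code from the fc component or from the Alibaba Cloud documentation. It fills the placeholders of the deployment policy above with constructed sample values, evaluates whether a given action on a given resource is allowed, and flags statements a reviewer would want to scope more tightly before attaching the policy to a RAM user: ram:PassRole on Resource "*" (which appears in most custom policies on this page) and wildcard actions on Resource "*" such as the fc:*Service statement in the asynchronous-invocation policy further down. The region, account ID and the evaluation order (a matching Deny wins, then any matching Allow, otherwise implicit deny) are assumptions of the example, not values or rules stated on this page.

```python
"""Evaluate and lint RAM policy documents of the kind shown on this page.

Added example: this is not code from the fc component or from the Alibaba Cloud
documentation. Placeholder tokens such as <region>, <accountId> and <serviceName>
are filled with constructed sample values before evaluation.
"""
import json
import re

# Constructed sample values for the page's placeholders (not real identifiers).
PLACEHOLDERS = {
    "region": "cn-hangzhou",
    "accountId": "123456789012",
    "serviceName": "unit-deploy-service",
}

# Least-privilege deployment policy from the page (fc:GetService is optional there).
DEPLOY_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": "fc:CreateService", "Resource": "acs:fc:<region>:<accountId>:services/*", "Effect": "Allow"},
        {"Action": "fc:UpdateService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow"},
        {"Action": "fc:GetService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow"},
    ],
}

# Two statements copied from the page's asynchronous-invocation custom policy, kept
# here to show how far the wildcards reach.
WILDCARD_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": "fc:*Service", "Resource": "*", "Effect": "Allow"},
        {"Action": "ram:PassRole", "Effect": "Allow", "Resource": "*"},
    ],
}


def render(policy, values):
    """Return a copy of the policy with every <token> replaced by values[token]."""
    text = json.dumps(policy)
    for key, value in values.items():
        text = text.replace(f"<{key}>", value)
    return json.loads(text)


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _match(pattern, value):
    """'*' in a pattern matches any run of characters; everything else is literal."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def is_allowed(policy, action, resource):
    """Assumed evaluation order: a matching Deny wins, then any matching Allow,
    otherwise the request is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_match(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_match(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def lint(policy):
    """Flag Allow statements a reviewer should scope before attaching the policy."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt["Resource"])
        if "ram:PassRole" in actions and "*" in resources:
            findings.append(f"statement {i}: ram:PassRole on Resource '*' allows passing any role; "
                            "scope Resource to the service role ARN")
        for a in actions:
            if "*" in a and "*" in resources:
                findings.append(f"statement {i}: wildcard action {a!r} on Resource '*'")
    return findings


if __name__ == "__main__":
    deploy = render(DEPLOY_POLICY, PLACEHOLDERS)
    svc = f"acs:fc:{PLACEHOLDERS['region']}:{PLACEHOLDERS['accountId']}:services/{PLACEHOLDERS['serviceName']}"
    for action in ("fc:CreateService", "fc:UpdateService", "fc:DeleteService"):
        verdict = "allow" if is_allowed(deploy, action, svc) else "deny"
        print(f"{action:<17} {verdict}")
    print("deploy policy findings:", lint(deploy) or "none")
    for finding in lint(WILDCARD_POLICY):
        print("wildcard policy finding:", finding)
```

Run against the deployment policy, the script shows that fc:CreateService is allowed on any service (Resource services/*), fc:UpdateService only on the named service, and fc:DeleteService on nothing, which is exactly the split between the deployment and delete policies above; the wildcard policy, by contrast, matches fc:DeleteService as well, and both of its statements are reported by the linter.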
Service configuration with logConfig:

```yaml
service:
  name: unit-deploy-service
  description: 'demo for fc-deploy component'
  internetAccess: true
  role: <role-arn> # Specify the Alibaba Cloud Resource Name (ARN) of the role. For more information about the role configurations, see the "Permissions required for a service-linked role" section.
  # logConfig: auto
  logConfig:
    project: XXX
    logstore: XXX
```

When logConfig is set to auto, the project name is in the format {accountID}-{region}-logproject, and the logstore name is in the format 'fc-service-{serviceName}-logstore'.toLocaleLowerCase().

- Highest level of permissions (granted by using system policies): AliyunFCFullAccess and AliyunLogFullAccess
- Lowest level of permissions (granted by using custom policies)
  - Custom policies that can be used when the logConfig parameter is not set to auto

```json
{
  "Version": "1",
  "Statement": [
    { "Action": "fc:CreateService", "Resource": "acs:fc:<region>:<accountId>:services/*", "Effect": "Allow" },
    { "Action": "fc:UpdateService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" },
    { "Action": "fc:GetService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" },
    { "Action": "ram:PassRole", "Effect": "Allow", "Resource": "*" }
  ]
}
```

  - Custom policies that can be used when the logConfig parameter is set to auto

```json
{
  "Version": "1",
  "Statement": [
    { "Action": "fc:CreateService", "Resource": "acs:fc:<region>:<accountId>:services/*", "Effect": "Allow" },
    { "Action": "fc:UpdateService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" },
    { "Action": "fc:GetService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" },
    { "Action": "ram:PassRole", "Effect": "Allow", "Resource": "*" },
    {
      "Action": [ "log:GetProject", "log:CreateProject" ],
      "Resource": "acs:log:<region>:<accountId>:project/<projectName>",
      "Effect": "Allow"
    },
    {
      "Action": [ "log:CreateLogStore", "log:GetIndex", "log:GetLogStore", "log:CreateIndex" ],
      "Resource": "acs:log:<region>:<accountId>:project/<projectName>/logstore/<logstoreName>",
      "Effect": "Allow"
    }
  ]
}
```

Permissions required for a service-linked role

- Highest level of permissions (granted by using system policies): AliyunLogFullAccess
- Lowest level of permissions (granted by using custom policies)

```json
{
  "Version": "1",
  "Statement": [
    { "Action": "log:PostLogStoreLogs", "Resource": "acs:log:<region>:<accountId>:project/<projectName>/logstore/<logstoreName>", "Effect": "Allow" }
  ]
}
```
Service configuration with vpcConfig:

```yaml
service:
  name: unit-deploy-service
  description: 'demo for fc-deploy component'
  internetAccess: true
  role: <role-arn> # Specify the ARN of the configured role. For more information about the role configurations, see the "Permissions required for a service-linked role" section.
  # vpcConfig: auto
  vpcConfig:
    vpcId: xxx
    securityGroupId: xxx
    vswitchIds:
      - vsw-xxx
```

- Highest level of permissions (granted by using system policies): AliyunFCFullAccess, AliyunVPCFullAccess, and AliyunECSFullAccess
- Lowest level of permissions (granted by using custom policies)
  - Custom policies that can be used when the vpcConfig parameter is not set to auto

```json
{
  "Version": "1",
  "Statement": [
    { "Action": "fc:CreateService", "Resource": "acs:fc:<region>:<accountId>:services/*", "Effect": "Allow" },
    { "Action": "fc:UpdateService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" },
    { "Action": "fc:GetService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" },
    { "Action": "ram:PassRole", "Effect": "Allow", "Resource": "*" }
  ]
}
```

  - Policies that can be used when the vpcConfig parameter is set to auto
    - System policies: AliyunVPCReadOnlyAccess
    - Custom policies

```json
{
  "Version": "1",
  "Statement": [
    { "Action": "fc:CreateService", "Resource": "acs:fc:<region>:<accountId>:services/*", "Effect": "Allow" },
    { "Action": "fc:UpdateService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" },
    { "Action": "fc:GetService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" },
    { "Action": "ram:PassRole", "Effect": "Allow", "Resource": "*" },
    { "Action": "fc:GetAccountSettings", "Effect": "Allow", "Resource": "acs:fc:<region>:<accountId>:account-settings" },
    {
      "Action": [ "vpc:CreateVpc", "vpc:CreateVSwitch", "ecs:AuthorizeSecurityGroup", "ecs:DescribeSecurityGroups", "ecs:CreateSecurityGroup" ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```

Permissions required for a service-linked role

- System policies: AliyunECSNetworkInterfaceManagementAccess
Service configuration with nasConfig:

```yaml
service:
  name: unit-deploy-service
  description: 'demo for fc-deploy component'
  internetAccess: true
  role: <role-arn> # Specify the ARN of the configured role. For more information about the role configurations, see the "Permissions required for a service-linked role" section.
  # vpcConfig: auto
  vpcConfig:
    vpcId: xxx
    securityGroupId: xxx
    vswitchIds:
      - vsw-xxx
  # nasConfig: auto
  nasConfig:
    userId: 10xxx
    groupId: 10xxx
    mountPoints:
      - serverAddr: xxx-xxx.<region>.nas.aliyuncs.com
        nasDir: /unit-deploy-service
```

- Highest level of permissions (granted by using system policies): AliyunFCFullAccess, AliyunVPCFullAccess, and AliyunNASFullAccess
- Lowest level of permissions (granted by using custom policies)
  - Custom policies that can be used when the nasConfig parameter is not set to auto

```json
{
  "Version": "1",
  "Statement": [
    { "Action": "fc:CreateService", "Resource": "acs:fc:<region>:<accountId>:services/*", "Effect": "Allow" },
    { "Action": "fc:UpdateService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" },
    { "Action": "fc:GetService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" },
    { "Action": "ram:PassRole", "Effect": "Allow", "Resource": "*" }
  ]
}
```

  - Policies that can be used when the nasConfig parameter is set to auto
    - System policies: AliyunNASReadOnlyAccess
    - Custom policies

```json
{
  "Version": "1",
  "Statement": [
    { "Action": "fc:CreateService", "Resource": "acs:fc:<region>:<accountId>:services/*", "Effect": "Allow" },
    { "Action": "fc:UpdateService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" },
    { "Action": "fc:GetService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" },
    { "Action": "fc:GetAccountSettings", "Effect": "Allow", "Resource": "acs:fc:<region>:<accountId>:account-settings" },
    { "Action": [ "fc:UpdateService", "fc:CreateService" ], "Effect": "Allow", "Resource": "acs:fc:<region>:<accountId>:services/*" },
    { "Action": [ "fc:InvokeFunction", "fc:CreateFunction", "fc:UpdateFunction" ], "Effect": "Allow", "Resource": "acs:fc:<region>:<accountId>:services/*/functions/*" },
    { "Action": [ "fc:UpdateTrigger", "fc:CreateTrigger" ], "Effect": "Allow", "Resource": "acs:fc:<region>:<accountId>:services/*/functions/*/triggers/*" },
    { "Action": "ram:PassRole", "Effect": "Allow", "Resource": "*" },
    {
      "Action": [ "nas:CreateMountTarget", "nas:DescribeMountTargets", "nas:DescribeFileSystems", "nas:CreateFileSystem", "vpc:DescribeVSwitchAttributes" ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```

Permissions required for a service-linked role

- Highest level of permissions (granted by using system policies): AliyunECSNetworkInterfaceManagementAccess
Service configuration with tracingConfig:

```yaml
service:
  name: unit-deploy-service
  description: 'demo for fc-deploy component'
  internetAccess: true
  tracingConfig: Enable
```

- Highest level of permissions (granted by using system policies): AliyunFCFullAccess and AliyunTracingAnalysisReadOnlyAccess
- Lowest level of permissions (granted by using custom policies)

```json
{
  "Version": "1",
  "Statement": [
    { "Action": "fc:CreateService", "Resource": "acs:fc:<region>:<accountId>:services/*", "Effect": "Allow" },
    { "Action": "fc:UpdateService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" },
    { "Action": "fc:GetService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" },
    { "Action": "ram:PassRole", "Effect": "Allow", "Resource": "*" }
  ]
}
```
Service configuration with a role object (the component creates the role and attaches the listed policies):

```yaml
role:
  name: unit-fc
  policies:
    - AliyunContainerRegistryReadOnlyAccess
    - name: unit-test-123
      description: test
      statement:
        Action: ram:PassRole
        Effect: Allow
        Resource: '*'
```

- Highest level of permissions (granted by using system policies): AliyunFCFullAccess and AliyunRAMFullAccess
- Lowest level of permissions (granted by using custom policies)

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ram:PassRole", "ram:GetRole", "ram:CreateRole", "ram:ListPoliciesForRole", "ram:AttachPolicyToRole",
        "ram:GetPolicy", "ram:CreatePolicy", "ram:ListPolicyVersions", "ram:CreatePolicyVersion", "ram:DeletePolicyVersion"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    { "Action": "fc:CreateService", "Resource": "acs:fc:<region>:<accountId>:services/*", "Effect": "Allow" },
    { "Action": "fc:UpdateService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" },
    { "Action": "fc:GetService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" }
  ]
}
```
Configurations of permissions on functions
Basic function configuration:

```yaml
function:
  name: event-function
  description: this is a test
  runtime: nodejs12
  codeUri: ./
  handler: index.handler
  memorySize: 128
  timeout: 60
```

- Highest level of permissions (granted by using system policies): AliyunFCFullAccess
- Lowest level of permissions on deployment operations (granted by using custom policies). Note: The fc:GetFunction permission is optional.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [ "fc:GetFunction", "fc:CreateFunction", "fc:UpdateFunction" ],
      "Effect": "Allow",
      "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>/functions/*"
    }
  ]
}
```

- Lowest level of permissions on delete operations (granted by using custom policies)

```json
{
  "Version": "1",
  "Statement": [
    { "Action": "fc:DeleteFunction", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>/functions/<functionName>", "Effect": "Allow" }
  ]
}
```
Function configuration with a custom container:

```yaml
function:
  name: event-function
  description: this is a test
  runtime: custom-container
  codeUri: ./
  handler: index.handler
  memorySize: 128
  timeout: 60
  customContainerConfig:
    image: xxx
    command: xxx
    args: xxx
```

- Highest level of permissions (granted by using system policies): AliyunFCFullAccess
- Lowest level of permissions on deployment operations (granted by using custom policies)

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [ "fc:GetFunction", "fc:CreateFunction", "fc:UpdateFunction" ],
      "Effect": "Allow",
      "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>/functions/*"
    }
  ]
}
```

- Lowest level of permissions on delete operations (granted by using custom policies)

```json
{
  "Version": "1",
  "Statement": [
    { "Action": "fc:DeleteFunction", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>/functions/<functionName>", "Effect": "Allow" }
  ]
}
```

Permissions required for a service-linked role

- System policies: AliyunContainerRegistryReadOnlyAccess
Function configuration with asyncConfiguration:

```yaml
asyncConfiguration:
  destination:
    onSuccess: acs:fc:::services/ServerlessTool.LATEST/functions/serverless_demo_nodejs8_http
    onFailure: acs:fc:::services/Puppeteer/functions/HtmlToPng
  maxAsyncEventAgeInSeconds: 456
  maxAsyncRetryAttempts: 3
  statefulInvocation: false
```

- Highest level of permissions (granted by using system policies)
  - AliyunFCFullAccess
  - AliyunMNSReadOnlyAccess: the permissions to access Message Service (MNS).
  - AliyunEventBridgeReadOnlyAccess: the permissions to access EventBridge.
  - AliyunMQReadOnlyAccess: the permissions to access Message Queue for Apache RocketMQ.
  - AliyunFCInvocationAccess: the permissions to invoke functions.
- Lowest level of permissions (granted by using custom policies). Note: The fc:GetFunctionAsyncInvokeConfig permission is optional.
  - System policies
    - AliyunMNSReadOnlyAccess: the permissions that are required if the destination for an asynchronous invocation is MNS.
    - AliyunEventBridgeReadOnlyAccess: the permissions that are required if the destination for an asynchronous invocation is EventBridge.
    - AliyunMQReadOnlyAccess: the permissions that are required if the destination for an asynchronous invocation is Message Queue for Apache RocketMQ.
  - Custom policies

```json
{
  "Version": "1",
  "Statement": [
    { "Action": "fc:*Service", "Resource": "*", "Effect": "Allow" },
    {
      "Action": [ "fc:GetFunction", "fc:CreateFunction", "fc:UpdateFunction" ],
      "Effect": "Allow",
      "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>/functions/*"
    },
    {
      "Action": [ "fc:InvokeFunction", "fc:GetFunctionAsyncInvokeConfig", "fc:DeleteFunctionAsyncInvokeConfig", "fc:PutFunctionAsyncInvokeConfig" ],
      "Effect": "Allow",
      "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>.*/functions/*"
    },
    { "Action": "ram:PassRole", "Effect": "Allow", "Resource": "*" }
  ]
}
```
Configurations of permissions on triggers
HTTP trigger:

```yaml
triggers:
  - name: httpTrigger
    type: http
    # qualifier: LATEST
    config:
      authType: anonymous
      methods:
        - GET
```

- Highest level of permissions (granted by using system policies): AliyunFCFullAccess
- Lowest level of permissions on operations (granted by using custom policies)

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [ "fc:GetTrigger", "fc:CreateTrigger", "fc:UpdateTrigger", "fc:DeleteTrigger" ],
      "Effect": "Allow",
      "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>/functions/<functionName>/triggers/<triggerName>"
    }
  ]
}
```
OSS trigger:

```yaml
triggers:
  - name: oss
    sourceArn: acs:oss:<region>:<accountId>:<bucketName>
    type: oss
    role: acs:ram::<accountId>:role/aliyunosseventnotificationrole
    # qualifier: LATEST
    config:
      events:
        - oss:ObjectCreated:*
      filter:
        key:
          prefix: xxx
          suffix: xxx
```

- Highest level of permissions (granted by using system policies): AliyunFCFullAccess and AliyunOSSFullAccess
- Lowest level of permissions on operations (granted by using custom policies)

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [ "fc:GetTrigger", "fc:CreateTrigger", "fc:UpdateTrigger", "fc:DeleteTrigger" ],
      "Effect": "Allow",
      "Resource": "acs:fc:<region>:<accountId>:services/*/functions/*/triggers/*"
    },
    { "Action": "ram:PassRole", "Effect": "Allow", "Resource": "*" },
    {
      "Action": [ "oss:ListBucket", "oss:GetBucketEventNotification", "oss:PutBucketEventNotification", "oss:DeleteBucketEventNotification" ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```

- Permissions required for the trigger role (the role specified in the role parameter)

```json
{
  "Version": "1",
  "Statement": [
    { "Action": [ "fc:InvokeFunction" ], "Resource": "*", "Effect": "Allow" }
  ]
}
```
CDN events trigger:

```yaml
triggers:
  - name: cdn
    sourceArn: acs:cdn:*:<accountId>
    type: cdn_events
    role: <roleArn>
    # qualifier: LATEST
    config:
      eventName: CachedObjectsBlocked
      eventVersion: 1.0.0
      notes: xxx
      filter:
        domain: example.com
```

- Highest level of permissions (granted by using system policies): AliyunFCFullAccess and AliyunCDNFullAccess
- Lowest level of permissions on operations (granted by using custom policies)

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [ "fc:GetTrigger", "fc:CreateTrigger", "fc:UpdateTrigger", "fc:DeleteTrigger" ],
      "Effect": "Allow",
      "Resource": "acs:fc:<region>:<accountId>:services/*/functions/*/triggers/*"
    },
    { "Action": "ram:PassRole", "Effect": "Allow", "Resource": "*" },
    {
      "Effect": "Allow",
      "Action": [ "cdn:UpdateFCTrigger", "cdn:DeleteFCTrigger", "cdn:DescribeFCTrigger", "cdn:AddFCTrigger" ],
      "Resource": "*"
    }
  ]
}
```

- Permissions required for the trigger role (the role specified in the role parameter)

```json
{
  "Version": "1",
  "Statement": [
    { "Action": [ "fc:InvokeFunction" ], "Resource": "*", "Effect": "Allow" }
  ]
}
```
Log Service trigger:

```yaml
triggers:
  - name: log
    sourceArn: acs:log:<region>:<accountId>:project/<projectName>
    type: log
    role: acs:ram::<accountId>:role/aliyunlogetlrole
    # qualifier: LATEST
    config:
      sourceConfig:
        logstore: log
      jobConfig:
        maxRetryTime: 3
        triggerInterval: 60
      functionParameter:
        # key: value
      logConfig:
        project: xxx
        logstore: xxx
      enable: false
```

- Highest level of permissions (granted by using system policies): AliyunFCFullAccess and AliyunLogFullAccess
- Lowest level of permissions on operations (granted by using custom policies)

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [ "fc:GetTrigger", "fc:CreateTrigger", "fc:UpdateTrigger", "fc:DeleteTrigger" ],
      "Effect": "Allow",
      "Resource": "acs:fc:<region>:<accountId>:services/*/functions/*/triggers/*"
    },
    { "Action": "ram:PassRole", "Effect": "Allow", "Resource": "*" },
    {
      "Effect": "Allow",
      "Action": [ "log:GetEtlJob", "log:UpdateEtlJob", "log:CreateEtlJob", "log:DeleteEtlJob" ],
      "Resource": "*"
    }
  ]
}
```

- Permissions required for the trigger role (the role specified in the role parameter)

```json
{
  "Version": "1",
  "Statement": [
    { "Action": [ "fc:InvokeFunction" ], "Resource": "*", "Effect": "Allow" },
    {
      "Action": [
        "log:Get*", "log:List*",
        "log:PostProjectQuery", "log:PutProjectQuery", "log:DeleteProjectQuery", "log:GetProjectQuery",
        "log:PostLogStoreLogs", "log:BatchPostLogStoreLogs",
        "log:CreateConsumerGroup", "log:UpdateConsumerGroup", "log:DeleteConsumerGroup", "log:ListConsumerGroup",
        "log:ConsumerGroupUpdateCheckPoint", "log:ConsumerGroupHeartBeat", "log:GetConsumerGroupCheckPoint"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
Tablestore trigger:

```yaml
triggers:
  - name: ots
    sourceArn: acs:ots:<region>:<accountId>:instance/<instance>/table/<table>
    type: tablestore
    role: acs:ram::<accountId>:role/AliyunTableStoreStreamNotificationRole
    # qualifier: LATEST
    config:
      instanceName: xxx
      tableName: xxx
```

- Highest level of permissions (granted by using system policies): AliyunFCFullAccess and AliyunOTSFullAccess
- Lowest level of permissions on operations (granted by using custom policies)

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [ "fc:GetTrigger", "fc:CreateTrigger", "fc:UpdateTrigger", "fc:DeleteTrigger" ],
      "Effect": "Allow",
      "Resource": "acs:fc:<region>:<accountId>:services/*/functions/*/triggers/*"
    },
    { "Action": "ram:PassRole", "Effect": "Allow", "Resource": "*" },
    {
      "Effect": "Allow",
      "Action": [ "ots:GetTrigger", "ots:UpdateTrigger", "ots:CreateTrigger", "ots:DeleteTrigger" ],
      "Resource": "*"
    }
  ]
}
```

- Permissions required for the trigger role (the role specified in the role parameter)

```json
{
  "Version": "1",
  "Statement": [
    { "Action": [ "ots:BatchGet*", "ots:Describe*", "ots:Get*", "ots:List*" ], "Resource": "*", "Effect": "Allow" },
    { "Action": [ "fc:InvokeFunction" ], "Resource": "*", "Effect": "Allow" }
  ]
}
```
MNS topic trigger:

```yaml
triggers:
  - name: mns
    sourceArn: acs:mns:<region>:<accountId>:/topics/<topicName> # ARN of the MNS topic
    type: mns_topic
    role: acs:ram::<accountId>:role/aliyunmnsnotificationrole
    # qualifier: LATEST
    config:
      filterTag: xxx
      notifyContentFormat: STREAM
      notifyStrategy: BACKOFF_RETRY
```

- Highest level of permissions (granted by using system policies): AliyunFCFullAccess and AliyunMNSFullAccess
- Lowest level of permissions on operations (granted by using custom policies)

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [ "fc:GetTrigger", "fc:CreateTrigger", "fc:UpdateTrigger", "fc:DeleteTrigger" ],
      "Effect": "Allow",
      "Resource": "acs:fc:<region>:<accountId>:services/*/functions/*/triggers/*"
    },
    { "Action": "ram:PassRole", "Effect": "Allow", "Resource": "*" },
    { "Effect": "Allow", "Action": [ "mns:Subscribe", "mns:Unsubscribe" ], "Resource": "*" }
  ]
}
```

- Permissions required for the trigger role (the role specified in the role parameter)

```json
{
  "Version": "1",
  "Statement": [
    { "Action": [ "fc:InvokeFunction" ], "Resource": "*", "Effect": "Allow" }
  ]
}
```
Timer trigger:

```yaml
triggers:
  - name: timer
    type: timer
    # qualifier: LATEST
    config:
      payload: '{"s": "ss"}'
      cronExpression: '@every 100m'
      enable: false
```

- Highest level of permissions (granted by using system policies): AliyunFCFullAccess
- Lowest level of permissions on operations (granted by using custom policies)

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [ "fc:GetTrigger", "fc:CreateTrigger", "fc:UpdateTrigger", "fc:DeleteTrigger" ],
      "Effect": "Allow",
      "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>/functions/<functionName>/triggers/<triggerName>"
    }
  ]
}
```
Configurations of permissions on custom domain names
Custom domain name configuration:

```yaml
customDomains:
  - domainName: auto
    protocol: HTTP
    routeConfigs:
      - path: /*
        serviceName: unit-deploy-service
        functionName: event-function
```

- Highest level of permissions (granted by using system policies): AliyunFCFullAccess
- Lowest level of permissions (granted by using custom policies). Note: When domainName is set to auto, permissions on multiple services and functions are involved, because an HTTP function must be created to serve as a helper function. After the permissions are granted, the HTTP function is deleted.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [ "fc:DeleteService", "fc:UpdateService", "fc:CreateService" ],
      "Effect": "Allow",
      "Resource": "acs:fc:<region>:<accountId>:services/*"
    },
    {
      "Action": [ "fc:DeleteFunction", "fc:CreateFunction", "fc:UpdateFunction" ],
      "Effect": "Allow",
      "Resource": "acs:fc:<region>:<accountId>:services/*/functions/*"
    },
    {
      "Action": [ "fc:DeleteTrigger", "fc:UpdateTrigger", "fc:CreateTrigger" ],
      "Effect": "Allow",
      "Resource": "acs:fc:<region>:<accountId>:services/*/functions/*/triggers/*"
    },
    { "Action": "ram:PassRole", "Effect": "Allow", "Resource": "*" },
    {
      "Action": [ "fc:GetCustomDomain", "fc:UpdateCustomDomain", "fc:CreateCustomDomain" ],
      "Resource": "acs:fc:<region>:<accountId>:custom-domains/*",
      "Effect": "Allow"
    }
  ]
}
```