All Products
Search
Document Center

Function Compute

Last Updated: Sep 30, 2021

Resource Access Management (RAM) users or RAM roles must be granted permissions before they can access cloud resources. RAM uses policies to define permissions. A cloud service defines elements that can be used in a policy statement, such as Action, Resource, and Condition. This topic describes the permissions on Function Compute.

The code (RamCode) in RAM that is used to indicate Function Compute is fc. You can grant permissions on Function Compute at the resource level.

Action

The following table describes the values that you can use in the Action element of a policy statement. The values are defined by Function Compute. The following list describes the columns in the table:
  • Action: the value that you can use in the Action element to specify the operation on a resource.

  • API: the API operation that you can call to perform the action. In most cases, only one API operation of a cloud service is required to perform an action. In some cases, multiple API operations must be called to perform an action, or an API operation can be called to perform multiple actions.

  • Access level: the access level of each action. The levels are read, write, and list.

  • Resource type: the type of the resource on which you can authorize a RAM user or a RAM role to perform the operation. Take note of the following items:

    • The required resource types are displayed in bold characters.

    • If the permissions cannot be granted at the resource level, All resources is used in the Resource type column of the action.

  • Condition key: the condition keys that are defined by a cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Policy elements.

  • Dependent action: other actions that a RAM user or a RAM role must have permissions to perform the action. To successfully call the action, a RAM user or a RAM role must have the permissions to perform the dependent action.

Actions

APIs

Access level

Resource types

Condition keys

Dependent actions

fc:CreateAlias

N/A

Write


Alias


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}/aliases/*


N/A

N/A

fc:CreateCustomDomain

N/A

Write


CustomDomain


acs:fc:{#regionId}:{#accountId}:custom-domains/*


N/A

N/A

fc:CreateFunction

N/A

Write


Function


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}/functions/*


N/A

N/A

fc:CreateLayerVersion

N/A

Write


LayerVersion


acs:fc:{#regionId}:{#accountId}:layers/{#layerName}/versions/*


N/A

N/A

fc:CreateService

N/A

Write


Service


acs:fc:{#regionId}:{#accountId}:services/*


N/A

N/A

fc:CreateTrigger

N/A

Write


Trigger


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}/functions/{#functionName}/triggers/*


N/A

N/A

fc:CreateVpcBinding

N/A

Write


VpcBinding


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}/binding/*


N/A

N/A

fc:DeleteAlias

N/A

Write


Alias


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}/aliases/{#aliasName}


N/A

N/A

fc:DeleteCustomDomain

N/A

Write


CustomDomain


acs:fc:{#regionId}:{#accountId}:custom-domains/{#domainName}


N/A

N/A

fc:DeleteFunction

N/A

Write


Function


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}/functions/{#functionName}


Function


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}.*/functions/{#functionName}


N/A

N/A

fc:DeleteFunctionAsyncInvokeConfig

N/A

Write


Function


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}.*/functions/{#functionName}


N/A

N/A

fc:DeleteFunctionOnDemandConfig

N/A

Write


FunctionOnDemandConfig


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}.*/functions/{#functionName}


N/A

N/A

fc:DeleteLayerVersion

N/A

Write


LayerVersion


acs:fc:{#regionId}:{#accountId}:layers/{#layerName}/versions/{#version}


N/A

N/A

fc:DeleteService

N/A

Write


Service


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}


N/A

N/A

fc:DeleteServiceVersion

N/A

Write


Service


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}/versions/{#versionId}


N/A

N/A

fc:DeleteTrigger

N/A

Write


Trigger


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}/functions/{#functionName}/triggers/{#triggerName}


N/A

N/A

fc:DeleteVpcBinding

N/A

Write


VpcBinding


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}/binding


N/A

N/A

fc:GetAccountSettings

N/A

List


AccountSettings


acs:fc:{#regionId}:{#accountId}:account-settings/*


N/A

N/A

fc:GetAlias

N/A

Read


Alias


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}/aliases/{#aliasName}


N/A

N/A

fc:GetCustomDomain

N/A

Read


CustomDomain


acs:fc:{#regionId}:{#accountId}:custom-domains/{#domainName}


N/A

N/A

fc:GetFunction

N/A

Read


Function


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}/functions/{#functionName}


Function


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}.*/functions/{#functionName}


N/A

N/A

fc:GetFunctionAsyncInvokeConfig

N/A

Read


Function


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}.*/functions/{#functionName}


N/A

N/A

fc:GetFunctionCode

N/A

Read


Function


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}/functions/{#functionName}/code


N/A

N/A

fc:GetFunctionOnDemandConfig

N/A

Read


FunctionOnDemandConfig


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}.*/functions/{#functionName}


N/A

N/A

fc:GetLayerVersion

N/A

Read


LayerVersion


acs:fc:{#regionId}:{#accountId}:layers/{#layerName}/versions/{#version}


N/A

N/A

fc:GetProvisionConfig

N/A

Read


ProvisionConfig


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}.*/functions/{#functionName}


N/A

N/A

fc:GetResourceTags

N/A

Read


Service


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}


N/A

N/A

fc:GetService

N/A

Read


Service


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}


Service


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}.{#qualifier}


N/A

N/A

fc:GetStatefulAsyncInvocation

N/A

Read


Function


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}/functions/{#functionName}/stateful-async-invocations/{#invocationId}


N/A

N/A

fc:GetTrigger

N/A

Read


Trigger


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}/functions/{#functionName}/triggers/{#triggerName}


N/A

N/A

fc:InvokeFunction

N/A

Write


Function


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}/functions/{#functionName}


Function


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}.*/functions/{#functionName}


N/A

N/A

fc:ListAliases

N/A

List


Alias


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}/aliases/*


N/A

N/A

fc:ListCustomDomains

N/A

List


CustomDomain


acs:fc:{#regionId}:{#accountId}:custom-domains/*


N/A

N/A

fc:ListFunctionAsyncInvokeConfigs

N/A

List


Function


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}/functions/{#functionName}/async-invoke-configs/*


N/A

N/A

fc:ListFunctionOnDemandConfigs

N/A

List


FunctionOnDemandConfig


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}.*/functions/{#functionName}


N/A

N/A

fc:ListFunctions

N/A

List


Function


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}/functions/*


N/A

N/A

fc:ListLayerVersions

N/A

List


LayerVersion


acs:fc:{#regionId}:{#accountId}:layers/{#layerName}/versions/*


N/A

N/A

fc:ListLayers

N/A

List


LayerVersion


acs:fc:{#regionId}:{accountId}:layers/*


N/A

N/A

fc:ListOnDemandConfigs

N/A

List


FunctionOnDemandConfig


acs:fc:{#regionId}:{#accountId}:on-demand-configs/*


N/A

N/A

fc:ListProvisionConfigs

N/A

List


ProvisionConfig


acs:fc:

::provision-configs/*

N/A

N/A

fc:ListServiceVersions

N/A

List


Service


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}/versions


N/A

N/A

fc:ListServices

N/A

List


Service


acs:fc:{#regionId}:{#accountId}:services/*


N/A

N/A

fc:ListStatefulAsyncInvocations

N/A

List


Function


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}/functions/{#functionName}/stateful-async-invocations/*


N/A

N/A

fc:ListTaggedResources

N/A

Read


All resources


acs:fc:{#regionId}:{#accountId}:*


N/A

N/A

fc:ListTriggers

N/A

List


Trigger


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}/functions/{#functionName}/triggers/*


N/A

N/A

fc:ListVpcBindings

N/A

List


VpcBinding


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}/binding/*


N/A

N/A

fc:OpenFcService

N/A

Write


All resources


acs:fc:*:{#accountId}:*


N/A

N/A

fc:PublishServiceVersion

N/A

Write


Service


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}/versions


N/A

N/A

fc:PutFunctionAsyncInvokeConfig

N/A

Write


Function


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}.*/functions/{#functionName}


N/A

N/A

fc:PutFunctionOnDemandConfig

N/A

Write


FunctionOnDemandConfig


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}.*/functions/{#functionName}


N/A

N/A

fc:PutProvisionConfig

N/A

Write


ProvisionConfig


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}.*/functions/{#functionName}


N/A

N/A

fc:StopStatefulAsyncInvocation

N/A

Write


Function


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}/functions/{#functionName}/stateful-async-invocations/{#invocationId}


N/A

N/A

fc:TagResource

N/A

Write


Service


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}


N/A

N/A

fc:UntagResource

N/A

Write


Service


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}


N/A

N/A

fc:UpdateAlias

N/A

Write


Alias


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}/aliases/{#aliasName}


N/A

N/A

fc:UpdateCustomDomain

N/A

Write


CustomDomain


acs:fc:{#regionId}:{#accountId}:custom-domains/{#domainName}


N/A

N/A

fc:UpdateFunction

N/A

Write


Function


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}/functions/{#functionName}


Function


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}.*/functions/{#functionName}


N/A

N/A

fc:UpdateService

N/A

Write


Service


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}


N/A

N/A

fc:UpdateTrigger

N/A

Write


Trigger


acs:fc:{#regionId}:{#accountId}:services/{#serviceName}/functions/{#functionName}/triggers/{#triggerName}


N/A

N/A

Resource

The following table describes the values that you can use in the Resource element of a policy statement. The values are defined by Function Compute.

The Alibaba Cloud Resource Name (ARN) is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:

  • {#} indicates a variable. {#} must be replaced with an actual value. For example, {#regionId} must be replaced with the actual ID of the region where your resource resides.

  • An asterisk (*) is used as a wildcard. Examples:

    • If you specify {#resourceType}/*, all resources are specified.

    • If {#regionId} is set to *, all regions are specified.

    • If {#accountId} is set to *, all Alibaba Cloud accounts are specified.

Resource type

ARN

CustomDomain

acs:fc:{#regionId}:{#accountId}:customdomain/{#CustomDomainId}

Service

acs:fc:{#regionId}:{#accountId}:service/{#ServiceId}

Function

acs:fc:{#regionId}:{#accountId}:function/{#FunctionId}

Trigger

acs:fc:{#regionId}:{#accountId}:trigger/{#TriggerId}

LayerVersion

acs:fc:{#regionId}:{#accountId}:layerversion/{#LayerName}/{#Version}

Condition

Function Compute does not define service-specific condition keys. For more information about common condition keys that are defined by Alibaba Cloud, see Policy elements.