
User permissions

Last Updated: Oct 15, 2018

Resource Access Management (RAM) is a service provided by Alibaba Cloud for controlling resource access through permission levels.

Function Compute obtains permissions through RAM roles. A policy attached to a role grants the capability to access a certain service; any identity that is allowed to assume the role (by the role's trust policy) gets that capability. Function Compute assumes the role you configure to run your functions, and a third party that needs the same access can assume the same role if the trust policy permits it. Because every identity that can assume the role inherits everything attached to it, keep the trust policy limited to the services that actually need the role.

Use case

When you use Function Compute to build an application, you must manage multiple permissions. For example:

  • To use Alibaba Cloud Log Service to collect function execution log entries, you must authorize Function Compute to write log entries to your specified Logstore.

  • To use the Alibaba Cloud Object Storage Service (OSS) trigger, you must authorize OSS to call functions.

  • If your function needs to access Alibaba Cloud resources in your account (for example, data in OSS), you can create a RAM role and grant required permissions to it. Function Compute then assumes the role to run functions for you.

Types of permission

To access an Alibaba Cloud product, you must have the permission to access it. Two kinds of permission are involved in Function Compute:

  • Permission for Function Compute to access other Alibaba Cloud products. This permission is granted by configuring a role for a service.

  • Permission for event sources to access Function Compute so that function execution can be triggered. This permission is granted by configuring a role for a trigger.

Permissions for services

In Function Compute, policies are attached to a RAM role and the role is associated with a service. You can configure a service role either when you create or update a service. All functions of a service inherit the permissions of the service role, so the role should carry only what the functions in that service need.

The following process describes how Function Compute is authorized to access Log Service:

  1. Create a RAM role that Function Compute is allowed to assume. A role created with Create new role in the console, or with the fcli mksr command, gets a trust policy that names the Function Compute service as the principal that may assume it.

  2. Attach the AliyunLogFullAccess policy to the role, so that whoever assumes the role can perform any operation on Log Service.

  3. When you create or update the service, assign the role to it. You can either create a role or use an existing role.

After the preceding steps are performed, every function in the service runs with the role and can write to Log Service. Note that AliyunLogFullAccess covers every Log Service operation on every project in the account, which is more than this use case needs; for production workloads, attach a custom policy that allows only the write operation on the specific Logstore instead.

![service role](https://pitcures.oss-cn-hangzhou.aliyuncs.com/BlogPictures/%E7%94%A8%E6%88%B7%E6%8C%87%E5%8D%97/%E8%A7%92%E8%89%B2%E7%AE%80%E4%BB%8B/service-role.png)

Configure service role in the console

The following example shows how to configure a service role when creating a service.

  1. Log on to the console.

  2. Click Create Services.

  3. In the Role Config section, select Create new role and select a role in the drop-down list.

    RoleConfig

The following example shows how to configure a service role when updating a service.

  1. Log on to the console.

  2. Select the region.

  3. Select one service, and click Edit in the Advanced Configurations.

    EditServices

  4. Scroll down to the Role Config section, select Create new role and select a role in the drop-down list.

Configure service role by using fcli

In the following commands, replace 12345 with your own Alibaba Cloud account ID.

    // Create a RAM role named fc-service-role whose trust policy lets Function Compute assume it.
    mksr fc-service-role
    // Create a policy named fc-oss-gp that can read resources from and write resources to OSS.
    mkrp fc-oss-gp -a '["oss:GetObject", "oss:PutObject"]' -r '"*"'
    // Attach the fc-oss-gp policy to the fc-service-role role so that it can read resources from and write resources to OSS.
    attach -p /ram/policies/fc-oss-gp -r /ram/roles/fc-service-role
    // Create a service named oss_demo and associate it with the fc-service-role role. All functions of the oss_demo service assume the fc-service-role role to read resources from and write resources to OSS.
    mks oss_demo -r acs:ram::12345:role/fc-service-role

The -r '"*"' argument of the mkrp command grants oss:GetObject and oss:PutObject on every bucket in the account. To limit the role to the single bucket the functions use, pass that bucket's resource ARN instead of *, in the form acs:oss:*:*:bucketName/*.

Permissions for triggers

This type of permission authorizes event sources of a certain product to trigger code execution in Function Compute. The permission is granted to the other product, not to Function Compute. For example, to use an OSS trigger, you must authorize OSS event sources to trigger a function execution when an object is uploaded to or deleted from OSS.

When you create a trigger, you must configure a role for it. When the event fires, the event source assumes this role to invoke the corresponding function. The role therefore needs to trust the event source's service (for an OSS trigger, the OSS service principal) and to allow fc:InvokeFunction on the target function; it needs no other permissions.

trigger role

Configure role for trigger in the console

  1. Log on to the console.

  2. See topic Trigger operation to create a trigger.

    Select Create new role for Role Operation.

    trigger role

Configure role for trigger by using fcli

In the following command, replace 12345 with your own Alibaba Cloud account ID.

    // Create a trigger
    mkt testTrigger -t oss -r acs:ram::12345:role/AliyunOSSEventNotificationRole -s acs:oss:cn-shanghai:12345:bucketName -c ossTrigger.yaml

The following shows the content of the ossTrigger.yaml file. The trigger fires only for the listed events, and only for objects whose key starts with the source/ prefix.

    triggerConfig:
      events:
        - oss:ObjectCreated:PostObject
        - oss:ObjectCreated:PutObject
      filter:
        key:
          prefix: source/
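Both roles on this page, the service role from "Configure service role by using fcli" and the trigger role from "Configure role for trigger by using fcli", can be checked against the least-privilege points made above before they are put in front of production data. The following audit is an added example written for this topic; it is not Alibaba Cloud's code, and it does not call the RAM API. It works on policy documents in the RAM JSON format: it confirms that the trust policy names only the expected service principal (fc.aliyuncs.com for a service role, oss.aliyuncs.com for an OSS trigger role), flags wildcard actions and resources in attached policies, and verifies that a trigger role grants fc:InvokeFunction. The sample documents in the block are constructed for the example; the fc-oss-gp document mirrors the mkrp command above, and the Function Compute function ARN used for the trigger role is an assumed value.

```python
"""Audit the RAM roles that Function Compute relies on (added example, not
Alibaba Cloud's code). Findings are returned as strings; an empty list means
the role matches the least-privilege expectations described on this page.
"""
from typing import Iterable, Iterator, List


def _as_list(value) -> list:
    """RAM accepts a single string or a list in Action, Resource and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(policy: dict) -> Iterator[dict]:
    for statement in _as_list(policy.get("Statement")):
        if statement.get("Effect") == "Allow":
            yield statement


def audit_trust_policy(trust_policy: dict, expected_service: str) -> List[str]:
    """Findings for a role's trust policy (who is allowed to assume the role)."""
    findings = []
    expected_seen = False
    for statement in _allow_statements(trust_policy):
        if "sts:AssumeRole" not in _as_list(statement.get("Action")):
            continue
        principal = statement.get("Principal")
        if not isinstance(principal, dict):
            findings.append("trust policy allows an unrestricted principal")
            continue
        for service in _as_list(principal.get("Service")):
            if service == expected_service:
                expected_seen = True
            else:
                findings.append(f"unexpected service principal {service}")
        # RAM identities or federated users trusted by a service role inherit
        # every permission attached to that role, so report them too.
        for kind in ("RAM", "Federated"):
            for name in _as_list(principal.get(kind)):
                findings.append(f"{kind} principal {name} can also assume the role")
    if not expected_seen:
        findings.append(f"{expected_service} is not allowed to assume the role")
    return findings


def audit_permission_policy(policy: dict) -> List[str]:
    """Findings for an attached policy: wildcard actions or wildcard resources."""
    findings = []
    for statement in _allow_statements(policy):
        actions = _as_list(statement.get("Action"))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"wildcard action {action}")
        for resource in _as_list(statement.get("Resource")):
            if resource == "*":
                findings.append(f"wildcard resource for actions {actions}")
    return findings


def audit_role(trust_policy: dict, policies: Iterable[dict], expected_service: str,
               required_actions: Iterable[str] = ()) -> List[str]:
    """Run every check for one role and confirm the actions it must grant."""
    findings = audit_trust_policy(trust_policy, expected_service)
    granted = set()
    for policy in policies:
        findings.extend(audit_permission_policy(policy))
        for statement in _allow_statements(policy):
            granted.update(_as_list(statement.get("Action")))
    for action in required_actions:
        if action not in granted:
            findings.append(f"required action {action} is not granted")
    return findings


# --- constructed sample documents (not exported from a real account) ---------
# Trust policy of a role created for Function Compute (what mksr / Create new role produce).
FC_SERVICE_TRUST = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                    "Principal": {"Service": ["fc.aliyuncs.com"]}}]}
# The fc-oss-gp policy as created by the mkrp command on this page: read/write on every bucket.
FC_OSS_GP_AS_ON_PAGE = {"Version": "1", "Statement": [{"Effect": "Allow",
                        "Action": ["oss:GetObject", "oss:PutObject"], "Resource": "*"}]}
# The same grant limited to the one bucket the functions use.
FC_OSS_GP_SCOPED = {"Version": "1", "Statement": [{"Effect": "Allow",
                    "Action": ["oss:GetObject", "oss:PutObject"],
                    "Resource": ["acs:oss:*:*:bucketName/*"]}]}
# Trust policy and permission of an OSS trigger role; the function ARN is an assumed value.
OSS_TRIGGER_TRUST = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                     "Principal": {"Service": ["oss.aliyuncs.com"]}}]}
OSS_TRIGGER_POLICY = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": ["fc:InvokeFunction"],
                      "Resource": ["acs:fc:cn-shanghai:12345:services/oss_demo/functions/*"]}]}


if __name__ == "__main__":
    cases = {
        "fc-service-role (as on page)": (FC_SERVICE_TRUST, [FC_OSS_GP_AS_ON_PAGE], "fc.aliyuncs.com"),
        "fc-service-role (scoped)": (FC_SERVICE_TRUST, [FC_OSS_GP_SCOPED], "fc.aliyuncs.com"),
        "OSS trigger role": (OSS_TRIGGER_TRUST, [OSS_TRIGGER_POLICY], "oss.aliyuncs.com", ["fc:InvokeFunction"]),
    }
    for label, args in cases.items():
        print(label, audit_role(*args) or "OK")
```

Run against the fc-oss-gp policy exactly as the mkrp command creates it, the audit reports the wildcard resource; the bucket-scoped variant passes. Checking the OSS trigger role with the wrong expected principal (fc.aliyuncs.com) shows why the check matters: the role is reported as not assumable by Function Compute, which is correct, because a trigger role is meant to be assumed by OSS, not by Function Compute.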