This topic describes the scenarios, types, and management mechanisms of permissions in Function Compute.

Scenarios

When you use Function Compute to build an application, you may require various permissions, as shown in the following examples:

  • To use Alibaba Cloud Log Service (SLS) to collect function execution logs, you must authorize Function Compute to write function execution logs to the specified Logstore.
  • To use an Alibaba Cloud Object Storage Service (OSS) trigger, you must authorize OSS to invoke functions.
  • When functions need to be managed by different personnel, different personnel must be granted different permissions to access resources such as OSS data under an Alibaba Cloud account. You can create Resource Access Management (RAM) roles and grant different personnel the permissions to access Alibaba Cloud resources by using the RAM roles.

Permission types

To access an Alibaba Cloud service, you must have the access permission on this service. You may require the following permissions related to Function Compute:

  • To access other Alibaba Cloud services, Function Compute must be granted with corresponding permissions.
    Such a permission is granted to a corresponding service. After a permission is granted to a service, all functions of the service have the permission. The following sample code shows how to use context.credentials to access other Alibaba Cloud services:
    // Uses the context parameter to access OSS.
    var OSSClient = require('ali-oss').Wrapper;
    exports.handler = function (event, context, callback) {
        console.log(event.toString());
    
        var ossClient = new OSSClient({
            accessKeyId: context.credentials.accessKeyId,
            accessKeySecret: context.credentials.accessKeySecret,
            stsToken: context.credentials.securityToken,
            region: 'oss-cn-shanghai',
            bucket: 'my-bucket',
        });
    
        ossClient.put('my-object', new Buffer('hello, fc')).then(function (res) {
            callback(null, 'put object');
        }).catch(function (err) {
            callback(err);
        });
    };

    For more information about how to configure service permissions, see Configure service permissions.

  • To trigger function execution by using an event source, you must authorize the event source to access Function Compute.

    Such a permission is granted to the corresponding trigger. You must set permissions for each trigger based on your requirements.

    You can configure permissions for a trigger when you create the trigger. For more information, see the following topics:
  • To allow a RAM user to access Function Compute resources, you must grant the corresponding permission to the RAM user.

    This permission is only granted to RAM users. RAM allows you to create and manage multiple identities under an Alibaba Cloud account, and grant diverse permissions to a single identity or a group of identities. In this way, you can authorize different identities to access different Alibaba Cloud resources. For more information, see What is RAM? You can grant permissions to RAM users by using your Alibaba Cloud account, which allows RAM users to perform operations on Function Compute resources.

    For more information about how to set permissions for a RAM user, see Grant permissions to a RAM user.

    The following tables list the operation permissions, resource access permissions, and system permissions on Function Compute, which can be granted to RAM users.
    • Operations on Function Compute, which allow authorized access for RAM users
      Operation Description Action
      ListServices Queries services. fc:ListServices
      GetService Queries a specified service. fc:CreateService
      CreateService Creates a service. fc:GetService
      UpdateService Updates a specified service. fc:UpdateService
      DeleteService Deletes a specified service. fc:DeleteService
      ListFunctions Queries functions of a service. fc:ListFunctions
      GetFunction Queries configurations of a specified function. fc:GetFunction
      CreateFunction Creates a function. fc:CreateFunction
      UpdateFunction Updates a function, including its configurations and code. fc:UpdateFunction
      DeleteFunction Deletes a specified function. fc:DeleteFunction
      InvokeFunction Triggers a function in synchronous or asynchronous mode. fc:InvokeFunction
      ListTriggers Queries triggers of a function. fc:ListTriggers
      GetTrigger Queries a specified trigger. fc:GetTrigger
      UpdateTrigger Updates configurations of a specified trigger. fc:UpdateTrigger
      DeleteTrigger Deletes triggers of a specified function. fc:DeleteTrigger
    • Resources that allow authorized access in Function Compute for RAM users
      Resource Description
      acs:fc:<region>:<account-id>:services/<serviceName> The resources of a specified service.
      acs:fc:<region>:<account-id>:services/* All service resources.
      acs:fc:<region>:<account-id>:services/<serviceName>.<qualifier> The service resources of a specified version.
      acs:fc:<region>:<account-id>:services/<serviceName>. * The resources of all versions for a specified service.
      acs:fc:<region>:<account-id>:services/<serviceName>/functions/<functionName> The specified function resources in a specified service.
      acs:fc:<region>:<account-id>:services/<serviceName>/functions/* All function resources in a specified service.
      acs:fc:<region>:<account-id>:services/<serviceName>.*/functions/* All function resources of all versions for a specified service.
      acs:fc:<region>:<account-id>:services/<serviceName>.<qualifier>/functions/* All function resources of a specified version for a specified service.
      acs:fc:<region>:<account-id>:services/<serviceName>/functions/<functionName>/triggers/<triggerName> The specified trigger resource of a specified function in a specified service.
      acs:fc:<region>:<account-id>:services/<serviceName>/functions/<functionName>/triggers/* All trigger resources of the specified function in a specified service.
    • System policies that can be attached to RAM users in Function Compute

      By default, Function Compute provides three system policies: AliyunFCReadOnlyAccess, AliyunFCInvocationAccess, and AliyunFCFullAccess. You can create custom policies for finer-grained permission management. For more information, see Policy elements.

      • AliyunFCReadOnlyAccess: allows you to read all Function Compute resources.
        {
            "Version": "1",
            "Statement": [
                {
                    "Action": [
                        "fc:Get*",
                        "fc:List*"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                }
            ]
        }
      • AliyunFCInvocationAccess: allows you to invoke all functions.
        {
            "Version": "1",
            "Statement": [
                {
                    "Action": [
                        "fc:InvokeFunction"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                }
            ]
        }
      • AliyunFCFullAccess: allows you to perform operations on all Function Compute resources.
        {
            "Version": "1",
            "Statement": [
                {
                    "Action": "fc:*",
                    "Resource": "*",
                    "Effect": "Allow"
                }
            ]
        }
      • Custom policy: allows you to execute the bar function in the foo service in the China (Hangzhou) region.
        {
            "Version": "1",
            "Statement": [
                {
                    "Action": [
                        "fc:InvokeFunction"
                    ],
                    "Resource": "acs:fc:cn-hangzhou:*:services/foo/functions/bar",
                    "Effect": "Allow"
                }
            ]
        }

Permission management mechanism

RAM is a resource access control service provided by Alibaba Cloud. Function Compute uses a permission management mechanism based RAM roles.

  • Basic idea of authorization

    A policy indicates the capability to access a service. After the policy is bound to a role, this role can access the service. When a third party needs to access this service, it only needs to assume the role that can access the service. For more information about policies and roles, see Terms for RAM.

  • Authorization examples
    • Authorize Function Compute to access other Alibaba Cloud services
      For example, use Function Compute to access SLS. RAM provides the system policy AliyunLogFullAccess. This policy allows you to have all permissions on SLS. When you configure permissions for a service, you can bind the service to a new role or an existing role. Then, attach the AliyunLogFullAccess policy to the role, which allows access from Function Compute to SLS.Server role
    • Use event sources to access Function Compute
      For example, use OSS event sources to trigger Function Compute code execution. RAM provides the system policy AliyunOSSEventNotificationRole. This policy allows you to trigger execution of Function Compute code by using OSS event sources. When you create a trigger, you can bind the trigger to a new role or an existing role. Then, attach the AliyunOSSEventNotificationRole policy to the role, which allows you to trigger execution of Function Compute code by using OSS event sources.trigger-authorize
    • Use a RAM user to access Function Compute

      For example, grant a RAM user the read permission on all Function Compute resources. Function Compute provides the system policy AliyunFCReadOnlyAccess. After you create a RAM user, you can bind it to a new role or an existing role. Then, attach the AliyunFCReadOnlyAccess policy to the role, which allows the RAM user to read all Function Compute resources.