This topic describes the scenarios, types, and management mechanisms of permissions in Function Compute.
Scenarios
When you use Function Compute to build an application, you may require various permissions, as shown in the following examples:
- To use Alibaba Cloud Log Service to collect function execution logs, you must authorize Function Compute to write function execution logs to the specified Logstore.
- To use an Alibaba Cloud Object Storage Service (OSS) trigger, you must authorize OSS to invoke functions.
- When functions need to be managed by different personnel, different personnel must be granted different permissions to access resources such as OSS data under an Alibaba Cloud account. You can create Resource Access Management (RAM) roles and grant different personnel the permissions to access Alibaba Cloud resources by using the RAM roles.
Permission types
To access an Alibaba Cloud service, you must have the access permission on this service. You may require the following permissions related to Function Compute:
- To access other Alibaba Cloud services, Function Compute must be granted with corresponding
permissions.
Such a permission is granted to a corresponding service. After a permission is granted to a service, all functions of the service have the permission. The following sample code shows how to use
context.credentials
to access other Alibaba Cloud services:// Uses the context parameter to access OSS. var OSSClient = require('ali-oss').Wrapper; exports.handler = function (event, context, callback) { console.log(event.toString()); var ossClient = new OSSClient({ accessKeyId: context.credentials.accessKeyId, accessKeySecret: context.credentials.accessKeySecret, stsToken: context.credentials.securityToken, region: 'oss-cn-shanghai', bucket: 'my-bucket', }); ossClient.put('my-object', new Buffer('hello, fc')).then(function (res) { callback(null, 'put object'); }).catch(function (err) { callback(err); }); };
For more information about how to configure service permissions, see Configure service permissions.
- To trigger function execution by using an event source, you must authorize the event
source to access Function Compute.
Such a permission is granted to the corresponding trigger. You must set permissions for each trigger based on your requirements.
You can configure permissions for a trigger when you create the trigger. For more information, see the following topics: - To allow a RAM user to access Function Compute resources, you must grant the corresponding
permission to the RAM user.
This permission is only granted to RAM users. RAM allows you to create and manage multiple identities under an Alibaba Cloud account, and grant diverse permissions to a single identity or a group of identities. In this way, you can authorize different identities to access different Alibaba Cloud resources. For more information, see What is RAM You can grant permissions to RAM users by using your Alibaba Cloud account, which allows RAM users to perform operations on Function Compute resources.
For more information about how to set permissions for a RAM user, see Grant permissions to a RAM user.
The following tables list the operation permissions, resource access permissions, and system permissions on Function Compute, which can be granted to RAM users.- RAM custom policies for permissions on Function Compute
Resource Action Description acs:fc:<region>:<account-id>:services/<serviceName> fc:GetService The resources of a specified service. fc:UpdateService fc:DeleteService acs:fc:<region>:<account-id>:services/* fc:CreateService All service resources. fc:ListServices acs:fc:<region>:<account-id>:services/<serviceName>.<qualifier> fc:GetService The service resources of a specified version. acs:fc:<region>:<account-id>:services/<serviceName>/functions/<functionName> fc:GetFunction The specified function resources in a specified service. fc:UpdateFunction fc:DeleteFunction fc:InvokeFunction acs:fc:<region>:<account-id>:services/<serviceName>/functions/* fc:CreateFunction All function resources in a specified service. fc:ListFunctions acs:fc:<region>:<account-id>:services/<serviceName>.*/functions/<functionName> fc:GetFunction All function resources of all versions for a specified service. fc:UpdateFunction fc:DeleteFunction fc:InvokeFunction fc:PutProvisionConfig fc:GetProvisionConfig fc:PutFunctionOnDemandConfig fc:DeleteFunctionOnDemandConfig fc:GetFunctionOnDemandConfig acs:fc:<region>:<account-id>:services/<serviceName>/functions/<functionName>/triggers/<triggerName> fc:GetTrigger The specified trigger resource of a specified function in a specified service. fc:UpdateTrigger fc:DeleteTrigger acs:fc:<region>:<account-id>:services/<serviceName>/functions/<functionName>/triggers/* fc:CreateTrigger All trigger resources of the specified function in a specified service. fc:ListTriggers acs:fc:<region>:<account-id>:services/<serviceName>/versions fc:PublishServiceVersion All versions. fc:ListServiceVersions acs:fc:<region>:<account-id>:services/<serviceName>/versions/<versionID> fc:DeleteServiceVersion Specified versions. acs:fc:<region>:<account-id>:services/<serviceName>/aliases/* fc:CreateAlias All aliases. fc:ListAliases acs:fc:<region>:<account-id>:services/<serviceName>/aliases/<aliasName> fc:GetAlias Specified aliases. fc:UpdateAlias fc:DeleteAlias acs:fc:<region>:<account-id>:custom-domains/* fc:CreateCustomDomain All custom domains. fc:ListCustomDomains acs:fc:<region>:<account-id>:custom-domains/<domainName> fc:GetCustomDomain Specified custom domains. fc:UpdateCustomDomain fc:DeleteCustomDomain acs:fc:<region>:<account-id>:tag fc:TagResource A single tag. fc:GetResourceTags fc:UnTagResource acs:fc:<region>:<account-id>:tags/* fc:ListTaggedResources All tags. - System policies that can be attached to RAM users in Function Compute
By default, Function Compute provides three system policies: AliyunFCReadOnlyAccess, AliyunFCInvocationAccess, and AliyunFCFullAccess. You can create custom policies for finer-grained permission management. For more information, see Policy elements.
- AliyunFCReadOnlyAccess: allows you to read all Function Compute resources.
{ "Version": "1", "Statement": [ { "Action": [ "fc:Get*", "fc:List*" ], "Resource": "*", "Effect": "Allow" } ] }
- AliyunFCInvocationAccess: allows you to invoke all functions.
{ "Version": "1", "Statement": [ { "Action": [ "fc:InvokeFunction" ], "Resource": "*", "Effect": "Allow" } ] }
- AliyunFCFullAccess: allows you to perform operations on all Function Compute resources.
{ "Version": "1", "Statement": [ { "Action": "fc:*", "Resource": "*", "Effect": "Allow" } ] }
- Custom policy: allows you to execute the bar function in the foo service in the China
(Hangzhou) region.
{ "Version": "1", "Statement": [ { "Action": [ "fc:InvokeFunction" ], "Resource": "acs:fc:cn-hangzhou:*:services/foo/functions/bar", "Effect": "Allow" } ] }
- AliyunFCReadOnlyAccess: allows you to read all Function Compute resources.
- RAM custom policies for permissions on Function Compute
Permission management mechanisms
RAM is a resource access control service provided by Alibaba Cloud. Function Compute uses permission management mechanisms based on RAM roles.
- Basic idea of authorization
A policy indicates the capability to access a service. After the policy is bound to a role, this role can access the service. When a third party needs to access this service, it only needs to assume the role that can access the service. For more information about policies and roles, see Terms for RAM.
- Authorization examples
- Authorize Function Compute to access other Alibaba Cloud services
For example, use Function Compute to access Log Service. RAM provides the system policy AliyunLogFullAccess. This policy allows you to have all permissions on Log Service. When you configure permissions for a service, you can bind the service to a new role or an existing role. Then, attach the AliyunLogFullAccess policy to the role, which allows access from Function Compute to Log Service.
- Use event sources to access Function Compute
For example, use OSS event sources to trigger Function Compute code execution. RAM provides the system policy AliyunOSSEventNotificationRole. This policy allows you to trigger execution of Function Compute code by using OSS event sources. When you create a trigger, you can bind the trigger to a new role or an existing role. Then, attach the AliyunOSSEventNotificationRole policy to the role, which allows you to trigger execution of Function Compute code by using OSS event sources.
- Use a RAM user to access Function Compute
For example, grant a RAM user the read permission on all Function Compute resources. Function Compute provides the system policy AliyunFCReadOnlyAccess. After you create a RAM user, you can bind it to a new role or an existing role. Then, attach the AliyunFCReadOnlyAccess policy to the role, which allows the RAM user to read all Function Compute resources.
- Authorize Function Compute to access other Alibaba Cloud services