This topic describes the scenarios, types, and management mechanisms of permissions in Function Compute.

Scenarios

When you use Function Compute to build an application, you may require various permissions, as shown in the following examples:

  • To use Alibaba Cloud Log Service to collect function execution logs, you must authorize Function Compute to write function execution logs to the specified Logstore.
  • To use an Alibaba Cloud Object Storage Service (OSS) trigger, you must authorize OSS to invoke functions.
  • When functions need to be managed by different personnel, different personnel must be granted different permissions to access resources such as OSS data under an Alibaba Cloud account. You can create Resource Access Management (RAM) roles and grant different personnel the permissions to access Alibaba Cloud resources by using the RAM roles.

Permission types

To access an Alibaba Cloud service, you must have the access permission on this service. You may require the following permissions related to Function Compute:

  • To access other Alibaba Cloud services, Function Compute must be granted with corresponding permissions.
    Such a permission is granted to a corresponding service. After a permission is granted to a service, all functions of the service have the permission. The following sample code shows how to use context.credentials to access other Alibaba Cloud services:
    // Uses the context parameter to access OSS.
    var OSSClient = require('ali-oss').Wrapper;
    exports.handler = function (event, context, callback) {
        console.log(event.toString());
    
        var ossClient = new OSSClient({
            accessKeyId: context.credentials.accessKeyId,
            accessKeySecret: context.credentials.accessKeySecret,
            stsToken: context.credentials.securityToken,
            region: 'oss-cn-shanghai',
            bucket: 'my-bucket',
        });
    
        ossClient.put('my-object', new Buffer('hello, fc')).then(function (res) {
            callback(null, 'put object');
        }).catch(function (err) {
            callback(err);
        });
    };

    For more information about how to configure service permissions, see Configure service permissions.

  • To trigger function execution by using an event source, you must authorize the event source to access Function Compute.

    Such a permission is granted to the corresponding trigger. You must set permissions for each trigger based on your requirements.

    You can configure permissions for a trigger when you create the trigger. For more information, see the following topics:
  • To allow a RAM user to access Function Compute resources, you must grant the corresponding permission to the RAM user.

    This permission is only granted to RAM users. RAM allows you to create and manage multiple identities under an Alibaba Cloud account, and grant diverse permissions to a single identity or a group of identities. In this way, you can authorize different identities to access different Alibaba Cloud resources. For more information, see What is RAM You can grant permissions to RAM users by using your Alibaba Cloud account, which allows RAM users to perform operations on Function Compute resources.

    For more information about how to set permissions for a RAM user, see Grant permissions to a RAM user.

    The following tables list the operation permissions, resource access permissions, and system permissions on Function Compute, which can be granted to RAM users.
    • RAM custom policies for permissions on Function Compute
      Resource Action Description
      acs:fc:<region>:<account-id>:services/<serviceName> fc:GetService The resources of a specified service.
      fc:UpdateService
      fc:DeleteService
      acs:fc:<region>:<account-id>:services/* fc:CreateService All service resources.
      fc:ListServices
      acs:fc:<region>:<account-id>:services/<serviceName>.<qualifier> fc:GetService The service resources of a specified version.
      acs:fc:<region>:<account-id>:services/<serviceName>/functions/<functionName> fc:GetFunction The specified function resources in a specified service.
      fc:UpdateFunction
      fc:DeleteFunction
      fc:InvokeFunction
      acs:fc:<region>:<account-id>:services/<serviceName>/functions/* fc:CreateFunction All function resources in a specified service.
      fc:ListFunctions
      acs:fc:<region>:<account-id>:services/<serviceName>.*/functions/<functionName> fc:GetFunction All function resources of all versions for a specified service.
      fc:UpdateFunction
      fc:DeleteFunction
      fc:InvokeFunction
      fc:PutProvisionConfig
      fc:GetProvisionConfig
      fc:PutFunctionOnDemandConfig
      fc:DeleteFunctionOnDemandConfig
      fc:GetFunctionOnDemandConfig
      acs:fc:<region>:<account-id>:services/<serviceName>/functions/<functionName>/triggers/<triggerName> fc:GetTrigger The specified trigger resource of a specified function in a specified service.
      fc:UpdateTrigger
      fc:DeleteTrigger
      acs:fc:<region>:<account-id>:services/<serviceName>/functions/<functionName>/triggers/* fc:CreateTrigger All trigger resources of the specified function in a specified service.
      fc:ListTriggers
      acs:fc:<region>:<account-id>:services/<serviceName>/versions fc:PublishServiceVersion All versions.
      fc:ListServiceVersions
      acs:fc:<region>:<account-id>:services/<serviceName>/versions/<versionID> fc:DeleteServiceVersion Specified versions.
      acs:fc:<region>:<account-id>:services/<serviceName>/aliases/* fc:CreateAlias All aliases.
      fc:ListAliases
      acs:fc:<region>:<account-id>:services/<serviceName>/aliases/<aliasName> fc:GetAlias Specified aliases.
      fc:UpdateAlias
      fc:DeleteAlias
      acs:fc:<region>:<account-id>:custom-domains/* fc:CreateCustomDomain All custom domains.
      fc:ListCustomDomains
      acs:fc:<region>:<account-id>:custom-domains/<domainName> fc:GetCustomDomain Specified custom domains.
      fc:UpdateCustomDomain
      fc:DeleteCustomDomain
      acs:fc:<region>:<account-id>:tag fc:TagResource A single tag.
      fc:GetResourceTags
      fc:UnTagResource
      acs:fc:<region>:<account-id>:tags/* fc:ListTaggedResources All tags.
    • System policies that can be attached to RAM users in Function Compute

      By default, Function Compute provides three system policies: AliyunFCReadOnlyAccess, AliyunFCInvocationAccess, and AliyunFCFullAccess. You can create custom policies for finer-grained permission management. For more information, see Policy elements.

      • AliyunFCReadOnlyAccess: allows you to read all Function Compute resources.
        {
            "Version": "1",
            "Statement": [
                {
                    "Action": [
                        "fc:Get*",
                        "fc:List*"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                }
            ]
        }
      • AliyunFCInvocationAccess: allows you to invoke all functions.
        {
            "Version": "1",
            "Statement": [
                {
                    "Action": [
                        "fc:InvokeFunction"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                }
            ]
        }
      • AliyunFCFullAccess: allows you to perform operations on all Function Compute resources.
        {
            "Version": "1",
            "Statement": [
                {
                    "Action": "fc:*",
                    "Resource": "*",
                    "Effect": "Allow"
                }
            ]
        }
      • Custom policy: allows you to execute the bar function in the foo service in the China (Hangzhou) region.
        {
            "Version": "1",
            "Statement": [
                {
                    "Action": [
                        "fc:InvokeFunction"
                    ],
                    "Resource": "acs:fc:cn-hangzhou:*:services/foo/functions/bar",
                    "Effect": "Allow"
                }
            ]
        }

Permission management mechanisms

RAM is a resource access control service provided by Alibaba Cloud. Function Compute uses permission management mechanisms based on RAM roles.

  • Basic idea of authorization

    A policy indicates the capability to access a service. After the policy is bound to a role, this role can access the service. When a third party needs to access this service, it only needs to assume the role that can access the service. For more information about policies and roles, see Terms for RAM.

  • Authorization examples
    • Authorize Function Compute to access other Alibaba Cloud services
      For example, use Function Compute to access Log Service. RAM provides the system policy AliyunLogFullAccess. This policy allows you to have all permissions on Log Service. When you configure permissions for a service, you can bind the service to a new role or an existing role. Then, attach the AliyunLogFullAccess policy to the role, which allows access from Function Compute to Log Service.Server role
    • Use event sources to access Function Compute
      For example, use OSS event sources to trigger Function Compute code execution. RAM provides the system policy AliyunOSSEventNotificationRole. This policy allows you to trigger execution of Function Compute code by using OSS event sources. When you create a trigger, you can bind the trigger to a new role or an existing role. Then, attach the AliyunOSSEventNotificationRole policy to the role, which allows you to trigger execution of Function Compute code by using OSS event sources.trigger-authorize
    • Use a RAM user to access Function Compute

      For example, grant a RAM user the read permission on all Function Compute resources. Function Compute provides the system policy AliyunFCReadOnlyAccess. After you create a RAM user, you can bind it to a new role or an existing role. Then, attach the AliyunFCReadOnlyAccess policy to the role, which allows the RAM user to read all Function Compute resources.