
Subaccount userguide

Last Updated: Jun 04, 2018

RAM User Console Logon Prerequisites

The following prerequisites must be met before a RAM user can log on to the Function Compute console:

Permissions Required by the RAM User

A RAM policy must be attached to the RAM user so that it has the permissions needed to access the cloud services involved. You can add, delete, or modify statements in the policy template below to grant the RAM user the required permissions.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "fc:*",
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ram:PassRole"
          ],
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "log:ListProject",
            "log:ListLogStore"
          ],
          "Resource": "acs:log:*:*:project/*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ram:ListRoles"
          ],
          "Resource": [
            "acs:ram:*:*:role/*"
          ]
        },
        {
          "Action": [
            "oss:ListBucket"
          ],
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Action": [
            "oss:GetBucketEventNotification",
            "oss:PutBucketEventNotification",
            "oss:DeleteBucketEventNotification"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }

If you want to restrict the RAM user to read-only permissions, such as getting functions and invoking functions, the policy template below can be attached to your RAM user:

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "fc:ListService",
          "Resource": "acs:fc:cn-shanghai:*:services/*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "fc:GetFunction"
          ],
          "Resource": [
            "acs:fc:*:*:services/your-helloworld-fc/functions/*",
            "acs:fc:*:*:services/your-helloworld-oss/functions/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "fc:InvokeFunction"
          ],
          "Resource": [
            "acs:fc:*:*:services/your-helloworld-fc/functions/your-hello-world-fc"
          ]
        },
        {
          "Action": [
            "ram:PassRole"
          ],
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "log:ListProject",
            "log:ListLogStore"
          ],
          "Resource": "acs:log:*:*:project/*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ram:ListRoles"
          ],
          "Resource": [
            "acs:ram:*:*:role/*"
          ]
        },
        {
          "Action": [
            "oss:ListBucket"
          ],
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Action": [
            "oss:GetBucketEventNotification",
            "oss:PutBucketEventNotification",
            "oss:DeleteBucketEventNotification"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }
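To see what the read-only template above actually permits, here is an added example (not from the original page or from Alibaba Cloud) of a simplified policy evaluator: it treats `*` as a wildcard in Action and Resource and applies the Function Compute statements of the template to sample requests. The account id 123456, the cn-hangzhou region and the function name "resize" used in the checks are constructed values, and real RAM evaluation also covers conditions that this example omits.

```python
import fnmatch
import json

# Constructed input: the Function Compute statements of the read-only template
# on this page, with the page's placeholder service names kept as-is.
READ_ONLY_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "fc:ListService",
     "Resource": "acs:fc:cn-shanghai:*:services/*"},
    {"Effect": "Allow", "Action": ["fc:GetFunction"],
     "Resource": ["acs:fc:*:*:services/your-helloworld-fc/functions/*",
                  "acs:fc:*:*:services/your-helloworld-oss/functions/*"]},
    {"Effect": "Allow", "Action": ["fc:InvokeFunction"],
     "Resource": ["acs:fc:*:*:services/your-helloworld-fc/functions/your-hello-world-fc"]}
  ]
}
""")


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(name, patterns):
    # '*' in a RAM pattern stands for any run of characters, ':' and '/' included.
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Simplified RAM decision: allowed if at least one Allow statement matches
    both the action and the resource and no Deny statement matches; with no
    matching statement at all the result is an implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(action, _as_list(stmt["Action"])) and \
                _matches(resource, _as_list(stmt["Resource"])):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def allowed_actions(policy, resource, candidates):
    """Which of the candidate actions the policy grants on one resource."""
    return [a for a in candidates if is_allowed(policy, a, resource)]
```

Running the checks shows that InvokeFunction is confined to the single your-hello-world-fc function while GetFunction covers both services, and that ListService works only in cn-shanghai.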

Authorize a RAM User to Perform Basic Functionalities

Basic functionalities include creating and deleting services, obtaining service information, creating and deleting functions, updating and obtaining function information, and invoking functions. Operations related to logging and triggers are excluded; the permissions they need are described in the sections below. Follow these steps to authorize the RAM user.

  1. Grant the AliyunFCFullAccess permission to the RAM user.

    In the Resource Access Management console, select Users > Authorize for the RAM user.

[Figure: ram-user-authorize]

  2. Log on to the console using the RAM user to perform basic functionalities.

    After the preceding steps are completed, the RAM user can be used to create, delete, describe and update services and functions, and to invoke functions.

    In the Resource Access Management console, select Users; in the User Details, select Web Console Logon Management > Enable Console Logon (enter and confirm the password).

[Figure: ram-user-web-logon]

Configure function logging. Skip this step if you do not want the RAM user to have log-related functionalities.

Click Create Function and enter the basic information then execute the code.

How do you restrict RAM user permissions, for example, to allow the RAM user only to create services, list services, create functions, and invoke functions?

    Some basic RAM concepts, such as the cloud resource policy, are helpful before moving forward.

[Figure: ram-user-custom-policy]

[Figure: ram-user-edit-user-policy]

Create a custom policy that grants service and function creation, listing, and invocation. Attach the custom policy to the service role. See the preceding figures for more details. The sample policy template below can be modified and reused.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "fc:CreateService",
            "fc:GetService",
            "fc:CreateFunction",
            "fc:GetFunction",
            "fc:InvokeFunction"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

For more information about the action and resource, see Function Compute permission management.

Note: A role can be associated with up to five custom policies. We recommend that you organize multiple custom policies into one to avoid exceeding the policy limit.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "fc:CreateService",
          "Resource": "acs:fc:cn-shanghai:*:services/*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "fc:CreateFunction"
          ],
          "Resource": [
            "acs:fc:*:*:services/your-helloworld-fc/functions/*",
            "acs:fc:*:*:services/your-helloworld-oss/functions/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "fc:UpdateFunction"
          ],
          "Resource": [
            "acs:fc:*:*:services/your-helloworld-fc/functions/your-hello-world-fc"
          ]
        }
      ]
    }

See Permission definition for detailed permission granularity control.

Logging and Other Advanced Settings

Advanced settings are used to manage function logging and to grant access to other cloud services through service roles. In addition to the UpdateService permission, the PassRole permission is required. To create roles in the advanced settings, you must also have the create role permission. The following policy grants the PassRole permission.

    {
      "Statement": [
        {
          "Action": [
            "ram:PassRole"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }

[Figure: ram-user-pass-role]

The Log Service project, Logstore, and current role must be provided. It is recommended to also grant the “list project”, “list logstore” and “list role” permissions to prevent manual entry errors. See Log Service permission management and RAM permission management for more details.

[Figure: ram-user-log-config]

The following template helps you create a policy to attach to the RAM user.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "log:ListProject",
            "log:ListLogStore"
          ],
          "Resource": "acs:log:*:*:project/*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ram:ListRoles"
          ],
          "Resource": [
            "acs:ram:*:*:role/*"
          ]
        }
      ]
    }

Set Permissions for RAM User for Trigger Functionalities

If the PassRole and create trigger permissions are attached, you can create a trigger. If the RAM user does not have the list bucket or list role permission, the console provides only text boxes; to use the drop-down selection list instead, create a policy from the following template and attach it to the RAM user. See OSS permission management for more information.

    {
      "Statement": [
        {
          "Action": [
            "oss:ListBucket"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }

Each role can have up to five custom policy templates attached. We recommend adding the statement to an existing policy template rather than creating a new one, to keep the number of policies down.
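The five-policy limit stated here (and in the earlier note on roles) is the reason to fold statements into one document. As an added example that is not from the original page or from Alibaba Cloud, the following Python merges several of this page's templates into a single policy, drops exact duplicate statements, and flags Allow statements that pair a wildcard action with the wildcard resource, which are the grants to narrow first. The duplicate key and the wildcard rule are this example's own conventions, not RAM's.

```python
import json

MAX_CUSTOM_POLICIES = 5  # per-role limit stated on this page


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def merge_policies(policies):
    """Fold several policy documents into one, keeping statement order and
    dropping any statement that repeats an earlier one exactly."""
    seen, merged = set(), {"Version": "1", "Statement": []}
    for policy in policies:
        for stmt in policy["Statement"]:
            key = json.dumps(stmt, sort_keys=True)  # field order is irrelevant
            if key not in seen:
                seen.add(key)
                merged["Statement"].append(stmt)
    return merged


def broad_grants(policy):
    """Indexes of Allow statements that pair a wildcard action ('*' or
    'service:*', e.g. "fc:*") with the wildcard resource "*"."""
    hits = []
    for i, stmt in enumerate(policy["Statement"]):
        wild_action = any(a == "*" or a.endswith(":*") for a in _as_list(stmt["Action"]))
        wild_resource = "*" in _as_list(stmt["Resource"])
        if stmt.get("Effect") == "Allow" and wild_action and wild_resource:
            hits.append(i)
    return hits


def fits_policy_limit(policies):
    """True when the number of attached policies stays within the per-role limit."""
    return len(policies) <= MAX_CUSTOM_POLICIES


# Constructed inputs copied from this page's templates: PassRole, ListBucket,
# the logging template and the full "fc:*" grant.
PASS_ROLE = {"Version": "1", "Statement": [
    {"Action": ["ram:PassRole"], "Effect": "Allow", "Resource": "*"}]}
LIST_BUCKET = {"Version": "1", "Statement": [
    {"Action": ["oss:ListBucket"], "Effect": "Allow", "Resource": "*"}]}
LOGGING = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["log:ListProject", "log:ListLogStore"],
     "Resource": "acs:log:*:*:project/*"},
    {"Effect": "Allow", "Action": ["ram:ListRoles"], "Resource": ["acs:ram:*:*:role/*"]}]}
FULL_FC = {"Version": "1", "Statement": [
    {"Action": "fc:*", "Resource": "*", "Effect": "Allow"}]}
```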

Note: If you successfully create a trigger but it is not displayed, you still need the following three permissions. Use the following template to create a policy and attach it to the RAM user.

    {
      "Statement": [
        {
          "Action": [
            "oss:GetBucketEventNotification",
            "oss:PutBucketEventNotification",
            "oss:DeleteBucketEventNotification"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }

After completing the previous steps, the RAM user has the permissions required to use the console. Grant only the permissions that are actually needed.
