If Function Compute needs to access other Alibaba Cloud services, such as Object Storage Service (OSS), Log Service, and Tablestore, you must grant the required permissions to Function Compute. The required permissions are granted to a service in Function Compute. After a service is granted specific permissions, all functions in the service have the permissions. This topic describes how to grant Function Compute permissions to access OSS.

Prerequisites

Create a Service

Default RAM role

When a function is executed, Function Compute needs to access other Alibaba Cloud resources. For example, Function Compute needs to write function logs to the specified Logstore in Log Service, pull images from Container Registry, or connect to virtual private clouds (VPCs) for access. To simplify authorization, Function Compute provides the default RAM role AliyunFCDefaultRole. The permissions of this role include the permissions on some Alibaba Cloud resources that Function Compute needs to access. For more information about how to assign this role, see Activate Function Compute. The following policy is attached to this role:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "vpc:DescribeVSwitchAttributes"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:CreateNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:DeleteNetworkInterfacePermission"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:PostLogStoreLogs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cr:GetRepository",
        "cr:GetRepositoryTag",
        "cr:GetAuthorizationToken",
        "cr:PullRepository"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "fc:InvokeFunction",
        "mns:SendMessage",
        "mns:PublishMessage",
        "eventbridge:PutEvents",
        "mq:PUB",
        "mq:OnsInstanceBaseInfo"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

The permissions of the AliyunFCDefaultRole role are coarse-grained. You can also assign other RAM roles to services in Function Compute and attach related policies to the RAM roles to grant fine-grained permissions.

For example, suppose you want all functions in a service in Function Compute to be able to manage OSS, but the AliyunFCDefaultRole role does not grant these permissions. In this case, assign a RAM role to the service and, when you configure permissions for the service, attach to that role the policy that grants OSS management permissions. All functions in the service then have the permissions to manage OSS. For more information, see Procedure.
Notice The AliyunFCDefaultRole role is assigned to all services. If you need additional policies after the AliyunFCDefaultRole role is assigned, we recommend that you create a separate RAM role and attach the policies to that role rather than to the AliyunFCDefaultRole role.

Procedure

  1. Log on to the Function Compute console.
  2. In the left-side navigation pane, click Services and Functions.
  3. In the top navigation bar, select the region where your Kubernetes cluster is deployed.
  4. On the Services page, find the target service. In the Actions column, click Configure.
  5. In the Role Settings section of the Modify Service page, configure the parameters and click Save.
    • Create a RAM role
      1. Click Create Role to go to the Roles page.
      2. On the Roles page, click Create Role to create a RAM role for a trusted Alibaba Cloud service. For more information, see Create a RAM role for a trusted Alibaba Cloud service.
        Note In this example, select Function Compute from the Select Trusted Service drop-down list.
      3. Attach a policy to the RAM role. You can create a new policy or use an existing policy. For more information, see Create a custom policy and Grant permissions to a RAM role.
    • Use an existing RAM role

      In the Role Settings section, select the RAM role that you want to assign from the Service Role drop-down list.

      Note If you select a role that does not have the permissions to manage OSS, you must grant the permissions to the role. For more information, see Grant permissions to a RAM role.
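The following script is an added example, not code from the Alibaba Cloud documentation or from Function Compute itself. It illustrates two points from this topic: the difference between the coarse-grained AliyunFCDefaultRole policy (every statement uses "Resource": "*") and a fine-grained policy that scopes OSS actions to one bucket, and the trust policy of a RAM role created for the trusted service Function Compute (step 2 under Create a RAM role). The policy documents in the script are constructed for the example; the default policy is abbreviated, the bucket name example-bucket is a placeholder, and the function names policy_findings, oss_resources and trust_policy_ok are the example's own.

```python
"""Added example (not from the Alibaba Cloud documentation): compare the
coarse-grained AliyunFCDefaultRole policy with a bucket-scoped OSS policy and
validate the trust policy of a RAM role whose trusted service is Function
Compute. All policy documents below are constructed for this example."""
import json

# Constructed, abbreviated version of the default policy shown on the page.
COARSE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": ["log:PostLogStoreLogs"], "Resource": "*", "Effect": "Allow"},
    {"Action": ["fc:InvokeFunction", "mns:SendMessage"], "Resource": "*", "Effect": "Allow"}
  ]
}
""")

# Constructed fine-grained policy: read, write and list objects in one bucket.
# acs:oss:*:*:<bucket> covers the bucket, acs:oss:*:*:<bucket>/* its objects.
# "example-bucket" is a placeholder name.
FINE_OSS_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["oss:GetObject", "oss:PutObject", "oss:ListObjects"],
      "Resource": ["acs:oss:*:*:example-bucket", "acs:oss:*:*:example-bucket/*"],
      "Effect": "Allow"
    }
  ]
}
""")

# Constructed trust policy for a role whose trusted service is Function Compute.
FC_TRUST_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {"Service": ["fc.aliyuncs.com"]}
    }
  ]
}
""")


def _as_list(value):
    """RAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy):
    """Return (statement_index, message) pairs for Allow statements that grant
    broader scope than a bucket-scoped policy: Resource "*" or wildcard actions.
    Index -1 flags an unexpected policy Version."""
    findings = []
    if policy.get("Version") != "1":
        findings.append((-1, "unexpected policy Version"))
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append((i, 'Resource "*" (not scoped to a bucket or path)'))
        for action in _as_list(stmt.get("Action", [])):
            if action.endswith("*"):
                findings.append((i, f"wildcard action {action}"))
    return findings


def oss_resources(policy):
    """Return the set of OSS resources referenced by Allow statements."""
    resources = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for r in _as_list(stmt.get("Resource", [])):
            if r.startswith("acs:oss:"):
                resources.add(r)
    return resources


def trust_policy_ok(trust, service="fc.aliyuncs.com"):
    """True only if every Allow statement grants sts:AssumeRole to exactly the
    given service principal, so no other principal can assume the role and
    inherit the permissions attached to it."""
    statements = trust.get("Statement", [])
    if not statements:
        return False
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            return False
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", []))
        if set(principal) != {"Service"} or services != [service]:
            return False
    return True


if __name__ == "__main__":
    for name, pol in (("AliyunFCDefaultRole (abbreviated)", COARSE_POLICY),
                      ("bucket-scoped OSS policy", FINE_OSS_POLICY)):
        print(name, "->", policy_findings(pol) or "no broad grants")
    print("OSS resources:", sorted(oss_resources(FINE_OSS_POLICY)))
    print("trust policy limited to Function Compute:", trust_policy_ok(FC_TRUST_POLICY))
```

Run against the constructed documents, the abbreviated default policy is reported for its two "Resource": "*" statements, the bucket-scoped policy produces no findings, and the trust policy passes because its only principal is fc.aliyuncs.com. The same checks can be run on a policy document exported from the RAM console before it is attached to the role assigned to a service.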