Use tags and RAM custom policies to implement attribute-based access control (ABAC) on Function Compute functions. With ABAC, you attach a tag to each function and write policies that restrict access based on tag values. Because each policy targets tags rather than individual function ARNs, you don't need to update policies when you add new functions — tag the new function and it's automatically covered.
Example scenario: You have 10 functions. The dev team manages five of them, and the ops team manages the other five. You tag each set with team:dev or team:ops, then create separate policies so each team can only act on functions bearing their tag.
Prerequisites
Before you begin, ensure that you have:
10 functions created in the Function Compute console
Tag key team, value dev, applied to five functions
Tag key team, value ops, applied to the other five functions — see Manage tags
Do not attach broad system policies such as AliyunFCFullAccess or AliyunFCReadOnlyAccess to these RAM users. These policies grant access to all functions regardless of tags, which overrides the tag-based restrictions you set up here.
If any of your functions were created in the Function Compute 2.0 console, the tag is applied to the service the function belongs to, not the function itself. Functions created in FC 2.0 appear with a trailing dollar sign ($) in the FC 3.0 console. See Tag management for details.
Set up tag-based access control
Step 1: Create two RAM users
Create two RAM users within your Alibaba Cloud account — one for each team. See Create a RAM user.
Step 2: Create the dev and ops user groups
Create two RAM user groups named dev and ops. See Create a RAM user group.
Step 3: Add users to their groups
Add each RAM user to its corresponding group. See Add a RAM user to a RAM user group.
Step 4: Create and attach custom policies
Create policyForDevTeam
Create a custom policy named policyForDevTeam with the following JSON:
```json
{
  "Statement": [
    {
      "Action": "fc:*",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "fc:tag/team": "dev"
        }
      }
    },
    {
      "Action": "fc:ListFunctions",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "fc:ListTagResources",
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
```
The first statement allows all fc:* actions, but only on functions that carry the team:dev tag. The ListFunctions and ListTagResources statements intentionally have no tag condition: the console must list all functions before it can filter by tag, so without these unrestricted list permissions the console would appear empty.
Create policyForOpsTeam
Create a second custom policy named policyForOpsTeam:
```json
{
  "Statement": [
    {
      "Action": "fc:*",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "fc:tag/team": "ops"
        }
      }
    },
    {
      "Action": "fc:ListFunctions",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "fc:ListTagResources",
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
```
Attach the policies
Attach policyForDevTeam to the dev user group and policyForOpsTeam to the ops user group. See Grant permissions to a RAM user group.
Verify the result
Log on to the Function Compute console as a RAM user in each group. See Log on to the Alibaba Cloud Management Console as a RAM user.
Use the following table to confirm the setup is working correctly:
| Action | RAM user in dev group | RAM user in ops group |
|---|---|---|
| View and manage functions tagged team:dev | Allowed | Denied |
| View and manage functions tagged team:ops | Denied | Allowed |
| List all functions in the console | Allowed (read-only list) | Allowed (read-only list) |
If a RAM user in the dev group tries to invoke or modify a function tagged team:ops, the request is rejected with an access denied error. This confirms the tag-based restrictions are working.
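The access matrix above can be reproduced offline with the small policy simulator below. It is an added example, not Alibaba Cloud's RAM evaluator: it models only Allow statements, Action wildcards and the StringEquals condition on fc:tag/<key> used on this page (explicit Deny and Resource matching are not modelled), and the function names and tags are constructed for the example.

```python
# policyForDevTeam from this page, as a Python dict.
POLICY_FOR_DEV_TEAM = {
    "Version": "1",
    "Statement": [
        {"Action": "fc:*", "Effect": "Allow", "Resource": "*",
         "Condition": {"StringEquals": {"fc:tag/team": "dev"}}},
        {"Action": "fc:ListFunctions", "Effect": "Allow", "Resource": "*"},
        {"Action": "fc:ListTagResources", "Effect": "Allow", "Resource": "*"},
    ],
}

# Constructed inventory (function name -> its tags); names are made up for this example.
FUNCTIONS = {
    "order-api": {"team": "dev"},
    "backup-job": {"team": "ops"},
    "untagged-fn": {},
}


def action_matches(pattern, action):
    """Match a policy Action such as 'fc:*' against a requested action."""
    return pattern == action or (pattern.endswith("*") and action.startswith(pattern[:-1]))


def condition_holds(condition, tags):
    """StringEquals on fc:tag/<key>: a missing or different tag never satisfies the condition."""
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.startswith("fc:tag/") or tags.get(key[len("fc:tag/"):]) != expected:
            return False
    return True


def is_allowed(policy, action, tags):
    """Simplified RAM evaluation: allowed if any matching Allow statement's condition holds."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] == "Allow" and any(action_matches(a, action) for a in actions):
            if condition_holds(stmt.get("Condition", {}), tags):
                return True
    return False  # no matching Allow: implicit deny


def dev_team_access_matrix():
    """What a dev-group user may do on each constructed function under policyForDevTeam."""
    return {
        name: {a: is_allowed(POLICY_FOR_DEV_TEAM, a, tags)
               for a in ("fc:InvokeFunction", "fc:UpdateFunction", "fc:ListFunctions")}
        for name, tags in FUNCTIONS.items()
    }
```

Swapping "dev" for "ops" in the condition gives the mirror-image matrix for policyForOpsTeam, and an untagged function is reachable through neither policy, which is why tagging is the only step needed when a function is added.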
What's next
To add a new function to either team's scope, tag it with the appropriate team value. No policy changes are needed.
To manage tags on your functions, see Manage tags.