本文介绍使用FC组件的纯命令行模式所需的权限信息。

deploy指令

deploy指令所涉及的权限,请参见以下内容:

remove指令

请按需选择对应的权限策略:

  • 系统策略:AliyunFCFullAccess
  • 自定义策略:
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "fc:ListOnDemandConfigs",
                    "fc:DeleteFunctionOnDemandConfig",
                    "fc:ListProvisionConfigs",
                    "fc:PutProvisionConfig",
                    "fc:ListAliases",
                    "fc:DeleteAlias",
                    "fc:ListServiceVersions",
                    "fc:DeleteServiceVersion",
                    "fc:ListTriggers",
                    "fc:DeleteTrigger",
                    "fc:ListFunctions",
                    "fc:DeleteFunction",
                    "fc:DeleteService"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
    
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "fc:DeleteTrigger",
                    "fc:DeleteFunction",
                    "fc:DeleteService"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
    
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "fc:ListTriggers",
                    "fc:DeleteTrigger",
                    "fc:DeleteFunction"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]   
    }
    
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "fc:DeleteTrigger"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
    
    • 系统策略:AliyunFCReadOnlyAccess
    • 自定义策略:
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "fc:DeleteAlias",
                  "Effect": "Allow",
                  "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>/aliases/<aliasName>"
              }
          ]
      }
      
    • 系统策略:AliyunFCReadOnlyAccess
    • 自定义策略:
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "fc:DeleteServiceVersion",
                  "Effect": "Allow",
                  "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>/versions/<version-id>"
              }
          ]
      }
      
    • 系统策略:AliyunFCReadOnlyAccess
    • 自定义策略:
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "fc:PutProvisionConfig",
                  "Effect": "Allow",
                  "Resource": "acs:fc:<region>:<account-id>:services/services/<serviceName>.<qualifier>/functions/<functionName>"
              }
          ]
      }
      
    • 系统策略:AliyunFCReadOnlyAccess
    • 自定义策略:
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "fc:DeleteFunctionOnDemandConfig",
                  "Effect": "Allow",
                  "Resource": "acs:fc:<region>:<account-id>:services/services/<serviceName>.<qualifier>/functions/<functionName>"
              }
          ]
      }
      
    • 系统策略:AliyunFCReadOnlyAccess
    • 自定义策略:
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "fc:DeleteLayerVersion",
                  "Effect": "Allow",
                  "Resource": "acs:fc:<region>:<account-id>:layers/<layerName>/versions/*"
              }
          ]
      }
      

info和sync指令

infosync指令所涉及的权限为系统策略:AliyunFCReadOnlyAccess

build和local指令

buildlocal指令所涉及的是本地相关操作,无需云上资源权限。

invoke指令

请按需选择对应的权限策略:

  • 最大权限(系统策略):AliyunFCInvocationAccessAliyunFCFullAccess
  • 最小权限(自定义权限):
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:InvokeFunction",
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>.<qualifier>/functions/<functionName>"
            }
        ]
    }

logs指令

请按需选择对应的权限策略:

  • 最大权限(系统策略):AliyunFCReadOnlyAccessAliyunLogReadOnlyAccess
  • 最小权限(自定义权限):
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:GetService",
                "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>",
                "Effect": "Allow"
            },                
            {
                "Action": "log:GetLogStoreLogs",
                "Effect": "Allow",
                "Resource": "acs:log:<region>:<account-id>:project/<project>/logstore/<logstore>"
            }
        ]
    }

metrics指令

metrics指令需以下系统策略:

  • AliyunLogFullAccess
  • AliyunCloudMonitorReadOnlyAccess
  • AliyunFCReadOnlyAccess

nas指令

nas指令相关的权限,请参见服务相关权限配置的涉及NAS配置部分权限信息。

layer指令

请按需选择对应的权限策略:

  • listversionsversionConfig指令的权限:AliyunFCReadOnlyAccess
  • publish指令的权限:
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:CreateLayerVersion",
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<account-id>:layers/<layerName>/versions/*"
            }
        ]
    }

version指令

请按需选择对应的权限策略:

  • list指令的权限:AliyunFCReadOnlyAccess
  • publish指令的权限:
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:PublishServiceVersion",
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>/versions"
            }
        ]
    }

alias指令

请按需选择对应的权限策略:

  • list指令的权限:AliyunFCReadOnlyAccess
  • publish指令的权限:
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                  "fc:CreateAlias",
                  "fc:UpdateAlias"
                ],
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>/aliases/*"
            }
        ]
    }

provision指令

请按需选择对应的权限策略:

  • listget指令的权限:AliyunFCReadOnlyAccess
  • put指令的权限:
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:PutProvisionConfig",
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<account-id>:services/services/<serviceName>.<qualifier>/functions/<functionName>"
            }
        ]
    }

onDemand指令

请按需选择对应的权限策略:

  • listget指令的权限:AliyunFCReadOnlyAccess
  • put指令的权限:
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:PutFunctionOnDemandConfig",
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<account-id>:services/services/<serviceName>.<qualifier>/functions/<functionName>"
            }
        ]
    }