This topic describes the permissions required to use the FC component in non-YAML mode.

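deploy command

For the permissions required by the deploy command, see the following:

remove command

Select the permission policy that matches your needs:

  • System policy: AliyunFCFullAccess
  • Custom policy: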
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "fc:ListOnDemandConfigs",
                    "fc:DeleteFunctionOnDemandConfig",
                    "fc:ListProvisionConfigs",
                    "fc:PutProvisionConfig",
                    "fc:ListAliases",
                    "fc:DeleteAlias",
                    "fc:ListServiceVersions",
                    "fc:DeleteServiceVersion",
                    "fc:ListTriggers",
                    "fc:DeleteTrigger",
                    "fc:ListFunctions",
                    "fc:DeleteFunction",
                    "fc:DeleteService"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
    
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "fc:DeleteTrigger",
                    "fc:DeleteFunction",
                    "fc:DeleteService"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
    
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "fc:ListTriggers",
                    "fc:DeleteTrigger",
                    "fc:DeleteFunction"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]   
    }
    
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "fc:DeleteTrigger"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
    
    • System policy: AliyunFCReadOnlyAccess
    • Custom policy:
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "fc:DeleteAlias",
                  "Effect": "Allow",
                  "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>/aliases/<aliasName>"
              }
          ]
      }
      
    • System policy: AliyunFCReadOnlyAccess
    • Custom policy:
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "fc:DeleteServiceVersion",
                  "Effect": "Allow",
                  "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>/versions/<version-id>"
              }
          ]
      }
      
    • System policy: AliyunFCReadOnlyAccess
    • Custom policy:
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "fc:PutProvisionConfig",
                  "Effect": "Allow",
                  "Resource": "acs:fc:<region>:<account-id>:services/services/<serviceName>.<qualifier>/functions/<functionName>"
              }
          ]
      }
      
    • System policy: AliyunFCReadOnlyAccess
    • Custom policy:
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "fc:DeleteFunctionOnDemandConfig",
                  "Effect": "Allow",
                  "Resource": "acs:fc:<region>:<account-id>:services/services/<serviceName>.<qualifier>/functions/<functionName>"
              }
          ]
      }
      
    • System policy: AliyunFCReadOnlyAccess
    • Custom policy:
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "fc:DeleteLayerVersion",
                  "Effect": "Allow",
                  "Resource": "acs:fc:<region>:<account-id>:layers/<layerName>/versions/*"
              }
          ]
      }
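
Several of the remove policies above allow delete actions on "Resource": "*", while others scope one action to a single resource. The following check is an added example, not part of the original documentation: it lists state-changing actions that a policy allows on every resource. The prefix list and the function names are assumptions of this example.

```python
import json

# Operation-name prefixes treated as state-changing (an assumption of this example).
MUTATING_PREFIXES = ("Delete", "Put", "Update", "Create", "Publish")


def as_list(value):
    """RAM policies accept either one string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def is_mutating(action):
    """True for wildcard actions and for operations with a state-changing prefix."""
    operation = action.split(":", 1)[-1]
    return "*" in operation or operation.startswith(MUTATING_PREFIXES)


def unscoped_mutations(policy_text):
    """Return (statement index, action) for each mutating action allowed on Resource "*"."""
    findings = []
    for index, stmt in enumerate(json.loads(policy_text)["Statement"]):
        if stmt.get("Effect") != "Allow" or "*" not in as_list(stmt.get("Resource", [])):
            continue
        findings += [(index, a) for a in as_list(stmt.get("Action", [])) if is_mutating(a)]
    return findings


# One of the remove policies from this page: delete actions on every FC resource.
BROAD = """{"Version": "1", "Statement": [{
    "Action": ["fc:ListTriggers", "fc:DeleteTrigger", "fc:DeleteFunction"],
    "Effect": "Allow", "Resource": "*"}]}"""

# The alias-removal policy from this page, with its placeholders left unfilled.
SCOPED = """{"Version": "1", "Statement": [{
    "Action": "fc:DeleteAlias", "Effect": "Allow",
    "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>/aliases/<aliasName>"}]}"""

if __name__ == "__main__":
    for name, text in (("broad", BROAD), ("scoped", SCOPED)):
        print(name, unscoped_mutations(text))
```

A finding is a prompt to replace "*" with the resource string of the specific service, function, or trigger the credential is meant to remove.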
      

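info and sync commands

The info and sync commands require the system policy AliyunFCReadOnlyAccess.

build and local commands

The build and local commands perform local operations only and require no permissions on cloud resources.

invoke command

Select the permission policy that matches your needs:

  • Maximum permissions (system policy): AliyunFCInvocationAccess, AliyunFCFullAccess
  • Minimum permissions (custom policy):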
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:InvokeFunction",
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>.<qualifier>/functions/<functionName>"
            }
        ]
    }

logs command

Select the permission policy that matches your needs:

  • Maximum permissions (system policy): AliyunFCReadOnlyAccess, AliyunLogReadOnlyAccess
  • Minimum permissions (custom policy):
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:GetService",
                "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>",
                "Effect": "Allow"
            },                
            {
                "Action": "log:GetLogStoreLogs",
                "Effect": "Allow",
                "Resource": "acs:log:<region>:<account-id>:project/<project>/logstore/<logstore>"
            }
        ]
    }

metrics command

The metrics command requires the following system policies:

  • AliyunLogFullAccess
  • AliyunCloudMonitorReadOnlyAccess
  • AliyunFCReadOnlyAccess

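nas command

For the permissions related to the nas command, see the NAS configuration part of the service-related permission configuration.

layer command

Select the permission policy that matches your needs:

  • Permission for the list, versions, and versionConfig commands: AliyunFCReadOnlyAccess
  • Permission for the publish command: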
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:CreateLayerVersion",
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<account-id>:layers/<layerName>/versions/*"
            }
        ]
    }

version command

Select the permission policy that matches your needs:

  • Permission for the list command: AliyunFCReadOnlyAccess
  • Permission for the publish command:
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:PublishServiceVersion",
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>/versions"
            }
        ]
    }

alias command

Select the permission policy that matches your needs:

  • Permission for the list command: AliyunFCReadOnlyAccess
  • Permission for the publish command:
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                  "fc:CreateAlias",
                  "fc:UpdateAlias"
                ],
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>/aliases/*"
            }
        ]
    }

provision command

Select the permission policy that matches your needs:

  • Permission for the list and get commands: AliyunFCReadOnlyAccess
  • Permission for the put command:
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:PutProvisionConfig",
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<account-id>:services/services/<serviceName>.<qualifier>/functions/<functionName>"
            }
        ]
    }

onDemand command

Select the permission policy that matches your needs:

  • Permission for the list and get commands: AliyunFCReadOnlyAccess
  • Permission for the put command:
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:PutFunctionOnDemandConfig",
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<account-id>:services/services/<serviceName>.<qualifier>/functions/<functionName>"
            }
        ]
    }