YAML相关权限配置 -

本文介绍使用FC组件的YAML模式所需的权限信息。

服务相关权限配置

基础配置

service:
    name: unit-deploy-service
    description: 'demo for fc-deploy component'
    internetAccess: true

RAM用户（子账号）需要的权限

最大权限（系统策略）
AliyunFCFullAccess

部署最小权限（自定义策略）

说明 fc:GetService的权限为可选。

{
    "Version": "1",
    "Statement": [
        {
            "Action": "fc:CreateService",
            "Resource": "acs:fc:<region>:<accountId>:services/*",
            "Effect": "Allow"
        },
        {
            "Action": "fc:UpdateService",
            "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
            "Effect": "Allow"
        },
        {
            "Action": "fc:GetService",
            "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
            "Effect": "Allow"
        }
    ]
}

删除最小权限（自定义权限）

{
    "Version": "1",
    "Statement": [
        {
            "Action": "fc:DeleteService",
            "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
            "Effect": "Allow"
        }
    ]
}

涉及日志服务配置

service:
    name: unit-deploy-service
    description: 'demo for fc-deploy component'
    internetAccess: true
    role: <role-arn> # role已配置，配置内容请参见下文的服务角色权限。
    # logConfig: auto
    logConfig:
        project: XXX
        logstore: XXX

说明 logConfig为auto时，project名字生成规则{accountID}-{region}-logproject；logstore名字生成规则'fc-service-{serviceName}-logstore'.toLocaleLowerCase()。

RAM用户（子账号）需要的权限

最大权限（系统策略）
AliyunFCFullAccess、AliyunLogFullAccess

最小权限（自定义策略）

当logConfig不为auto

{
    "Version": "1",
    "Statement": [
        {
            "Action": "fc:CreateService",
            "Resource": "acs:fc:<region>:<accountId>:services/*",
            "Effect": "Allow"
        },
        {
            "Action": "fc:UpdateService",
            "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
            "Effect": "Allow"
        },
        {
            "Action": "fc:GetService",
            "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
            "Effect": "Allow"
        },
        {
            "Action": "ram:PassRole",
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

当logConfig为auto

{
    "Version": "1",
    "Statement": [
        {
            "Action": "fc:CreateService",
            "Resource": "acs:fc:<region>:<accountId>:services/*",
            "Effect": "Allow"
        },
        {
            "Action": "fc:UpdateService",
            "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
            "Effect": "Allow"
        },
        {
            "Action": "fc:GetService",
            "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
            "Effect": "Allow"
        },
        {
            "Action": "ram:PassRole",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "log:GetProject",
                "log:CreateProject"
            ],
            "Resource": "acs:log:<region>:<accountId>:project/<projectName>",
            "Effect": "Allow"
        },
        {
            "Action": [
                "log:CreateLogStore",
                "log:GetIndex",
                "log:GetLogStore",
                "log:CreateIndex"
            ],
            "Resource": "acs:log:<region>:<accountId>:project/<projectName>/logstore/<logstoreName>",
            "Effect": "Allow"
        }
    ]
}

服务角色权限

最大权限（系统策略）
AliyunLogFullAccess

最小权限（自定义策略）

{
    "Version": "1",
    "Statement": [
        {
            "Action": "log:PostLogStoreLogs",
            "Resource": "acs:log:<region>:<accountId>:project/<projectName>/logstore/<logstoreName>",
            "Effect": "Allow"
        }
    ]
}

涉及VPC配置

service:
    name: unit-deploy-service
    description: 'demo for fc-deploy component'
    internetAccess: true
    role: <role-arn> # role已配置，配置内容请参见下文的服务角色权限。
    # vpcConfig: auto
    vpcConfig:
      vpcId: xxx
      securityGroupId: xxx
      vswitchIds:
        - vsw-xxx

RAM用户（子账号）需要的权限

最大权限（系统策略）
AliyunFCFullAccess、AliyunVPCFullAccess和AliyunECSFullAccess

最小权限（自定义策略）

当vpcConfig不为auto

{
    "Version": "1",
    "Statement": [
        {
            "Action": "fc:CreateService",
            "Resource": "acs:fc:<region>:<accountId>:services/*",
            "Effect": "Allow"
        },
        {
            "Action": "fc:UpdateService",
            "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
            "Effect": "Allow"
        },
        {
            "Action": "fc:GetService",
            "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
            "Effect": "Allow"
        }，
        {
            "Action": "ram:PassRole",
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

当vpcConfig为auto

系统策略
AliyunVPCReadOnlyAccess

自定义策略

{
    "Version": "1"，
    "Statement": [
       {
           "Action": "fc:CreateService",
           "Resource": "acs:fc:<region>:<accountId>:services/*",
           "Effect": "Allow"
       },
       {
           "Action": "fc:UpdateService",
           "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
           "Effect": "Allow"
       },
       {
           "Action": "fc:GetService",
           "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
           "Effect": "Allow"
       },
           {
           "Action": "ram:PassRole",
           "Effect": "Allow",
           "Resource": "*"
       },
       {
           "Action": "fc:GetAccountSettings",
           "Effect": "Allow",
           "Resource": "acs:fc:<region>:<accountId>:account-settings"
       },
       {
           "Action": [
               "vpc:CreateVpc",
               "vpc:CreateVSwitch",
               "ecs:AuthorizeSecurityGroup",
               "ecs:DescribeSecurityGroups",
               "ecs:CreateSecurityGroup"
           ],
           "Effect": "Allow",
           "Resource": "*"
       }
    ]
}

服务角色权限

系统策略
AliyunECSNetworkInterfaceManagementAccess

涉及NAS配置

service:
    name: unit-deploy-service
    description: 'demo for fc-deploy component'
    internetAccess: true
    role: <role-arn> # role已配置，配置内容请参见下文的服务角色权限。
    # vpcConfig: auto
    vpcConfig:
      vpcId: xxx
      securityGroupId: xxx
      vswitchIds:
        - vsw-xxx
    # nasConfig: auto
    nasConfig:
      userId: 10xxx
      groupId: 10xxx
      mountPoints:
        - serverAddr: xxx-xxx.<region>.nas.aliyuncs.com
          nasDir: /unit-deploy-service

RAM用户（子账号）需要的权限

最大权限（系统策略）
AliyunFCFullAccess、AliyunVPCFullAccess和AliyunNASFullAccess

最小权限（自定义策略）

当nasConfig不为auto

{
    "Version": "1",
    "Statement": [
        {
            "Action": "fc:CreateService",
            "Resource": "acs:fc:<region>:<accountId>:services/*",
            "Effect": "Allow"
        },
        {
            "Action": "fc:UpdateService",
            "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
            "Effect": "Allow"
        },
        {
            "Action": "fc:GetService",
            "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
            "Effect": "Allow"
        },
        {
            "Action": "ram:PassRole",
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

当nasConfig为auto

系统策略
AliyunNASReadOnlyAccess

自定义策略

{
    "Version": "1"，
    "Statement": [
        {
            "Action": "fc:CreateService",
            "Resource": "acs:fc:<region>:<accountId>:services/*",
            "Effect": "Allow"
        },
        {
            "Action": "fc:UpdateService",
            "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
            "Effect": "Allow"
        },
        {
            "Action": "fc:GetService",
            "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
            "Effect": "Allow"
        },
        {
            "Action": "fc:GetAccountSettings",
            "Effect": "Allow",
            "Resource": "acs:fc:<region>:<accountId>:account-settings"
        },
        {
            "Action": [
                "fc:UpdateService",
                "fc:CreateService"
            ],
            "Effect": "Allow",
            "Resource": "acs:fc:<region>:<accountId>:services/*"
        },
        {
            "Action": [
                "fc:InvokeFunction",
                "fc:CreateFunction",
                "fc:UpdateFunction"
            ],
            "Effect": "Allow",
            "Resource": "acs:fc:<region>:<accountId>:services/*/functions/*"
        },
        {
            "Action": [
              "fc:UpdateTrigger",
              "fc:CreateTrigger"
            ],
            "Effect": "Allow",
            "Resource": "acs:fc:<region>:<accountId>:services/*/functions/*/triggers/*"
        },
        {
            "Action": "ram:PassRole",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "nas:CreateMountTarget",
                "nas:DescribeMountTargets",
                "nas:DescribeFileSystems",
                "nas:CreateFileSystem",
                "vpc:DescribeVSwitchAttributes"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

服务角色权限

最大权限（系统策略）
AliyunECSNetworkInterfaceManagementAccess

涉及链路追踪配置

service:
    name: unit-deploy-service
    description: 'demo for fc-deploy component'
    internetAccess: true
    tracingConfig: Enable

RAM用户（子账号）需要的权限

最大权限（系统策略）
AliyunFCFullAccess和AliyunTracingAnalysisReadOnlyAccess

最小权限（自定义策略）

{
    "Version": "1",
    "Statement": [
        {
            "Action": "fc:CreateService",
            "Resource": "acs:fc:<region>:<accountId>:services/*",
            "Effect": "Allow"
        },
        {
            "Action": "fc:UpdateService",
            "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
            "Effect": "Allow"
        },
        {
            "Action": "fc:GetService",
            "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
            "Effect": "Allow"
        }，
        {
            "Action": "ram:PassRole",
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

涉及RAM操作

role:
  name: unit-fc
  policies:
    - AliyunContainerRegistryReadOnlyAccess
    - name: unit-test-123
      description: test
      statement:
        Action: ram:PassRole
        Effect: Allow
        Resource: '*'

RAM用户（子账号）需要的权限

最大权限（系统策略）
AliyunFCFullAccess和AliyunRAMFullAccess

最小权限（自定义策略）

{
    "Version": "1",
    "Statement": [
        {
          "Action": [
            "ram:PassRole",
            "ram:GetRole",
            "ram:CreateRole",
            "ram:ListPoliciesForRole",
            "ram:AttachPolicyToRole",
            "ram:GetPolicy",
            "ram:CreatePolicy",
            "ram:ListPolicyVersions",
            "ram:CreatePolicyVersion",
            "ram:DeletePolicyVersion"
          ],
          "Effect": "Allow",
          "Resource": "*"
        },
        {
            "Action": "fc:CreateService",
            "Resource": "acs:fc:<region>:<accountId>:services/*",
            "Effect": "Allow"
        },
        {
            "Action": "fc:UpdateService",
            "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
            "Effect": "Allow"
        },
        {
            "Action": "fc:GetService",
            "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
            "Effect": "Allow"
        }
    ]
}

函数相关权限配置

基础配置

function:
    name: event-function
    description: this is a test
    runtime: nodejs12
    codeUri: ./
    handler: index.handler
    memorySize: 128
    timeout: 60

RAM用户（子账号）需要的权限

最大权限（系统策略）
AliyunFCFullAccess

部署最小权限（自定义策略）

说明 fc:GetFunction的权限为可选。

{
    "Version": "1"，
    "Statement": [
        {
            "Action": [
                "fc:GetFunction",
                "fc:CreateFunction",
                "fc:UpdateFunction"
            ],
            "Effect": "Allow",
            "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>/functions/*"
        }
    ]
}

删除最小权限（自定义权限）

{
    "Version": "1",
    "Statement": [
        {
            "Action": "fc:DeleteFunction",
            "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>/functions/<functionName>",
            "Effect": "Allow"
        }
    ]
}

运行时为Custom Container

function:
    name: event-function
    description: this is a test
    runtime: custom-container
    codeUri: ./
    handler: index.handler
    memorySize: 128
    timeout: 60
    customContainerConfig:
          image: xxx
          command: xxx
          args: xxx

RAM用户（子账号）需要的权限

最大权限（系统策略）
AliyunFCFullAccess

部署最小权限（自定义策略）

{
    "Version": "1"，
    "Statement": [
        {
            "Action": [
                "fc:GetFunction",
                "fc:CreateFunction",
                "fc:UpdateFunction"
            ],
            "Effect": "Allow",
            "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>/functions/*"
        }
    ]
}

删除最小权限（自定义权限）

{
    "Version": "1",
    "Statement": [
        {
            "Action": "fc:DeleteFunction",
            "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>/functions/<functionName>",
            "Effect": "Allow"
        }
    ]
}

服务角色权限

系统策略：
AliyunContainerRegistryReadOnlyAccess

涉及异步调用配置

asyncConfiguration:
		 destination:
			 onSuccess: acs:fc:::services/ServerlessTool.LATEST/functions/serverless_demo_nodejs8_http
			 onFailure: acs:fc:::services/Puppeteer/functions/HtmlToPng
		 maxAsyncEventAgeInSeconds: 456
		 maxAsyncRetryAttempts: 3
		 statefulInvocation: false

RAM用户（子账号）需要的权限

最大权限（系统策略）
- AliyunFCFullAccess
- AliyunMNSReadOnlyAccess：查看消息服务MNS的权限。
- AliyunEventBridgeReadOnlyAccess：查看事件总线EventBridge的权限。
- AliyunMQReadOnlyAccess：消息队列RocketMQ版的查看权限。
- AliyunFCInvocationAccess：函数调用的权限。

最小权限（自定义策略）

说明 fc:GetFunctionAsyncInvokeConfig的权限为可选。

系统策略
- AliyunMNSReadOnlyAccess：如果异步调用目标服务为消息服务MNS，则需配置此权限。
- AliyunEventBridgeReadOnlyAccess：如果异步调用目标服务为事件总线EventBridge，则需配置此权限。
- AliyunMQReadOnlyAccess：如果异步调用目标服务为消息队列RocketMQ版，则需配置此权限。

自定义策略

{
                "Version": "1",
                "Statement": [
                    {
                        "Action": "fc:*Service",
                        "Resource": "*",
                        "Effect": "Allow"
                    },
                    {
                        "Action": [
                            "fc:GetFunction",
                            "fc:CreateFunction",
                            "fc:UpdateFunction"
                        ],
                        "Effect": "Allow",
                        "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>/functions/*"
                    },
                    {
                        "Action": [
                            "fc:InvokeFunction",
                            "fc:GetFunctionAsyncInvokeConfig",
                            "fc:DeleteFunctionAsyncInvokeConfig",
                            "fc:PutFunctionAsyncInvokeConfig"
                        ],
                        "Effect": "Allow",
                        "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>.*/functions/*"
                    },
                    {
                        "Action": "ram:PassRole",
                        "Effect": "Allow",
                        "Resource": "*"
                    }
                ]
            }

触发器相关权限配置

涉及HTTP触发器权限配置

triggers:
  - name: httpTrigger
     type: http
     #qualifier: LATEST
     config: 
     authType: anonymous
        methods:
          - GET

RAM用户（子账号）需要的权限

最大权限（系统策略）
AliyunFCFullAccess

操作最小权限（自定义策略）

{
    "Version": "1",
    "Statement": [
        {
              "Action": [
                "fc:GetTrigger",
                "fc:CreateTrigger",
                "fc:UpdateTrigger",
                "fc:DeleteTrigger"
            ],
            "Effect": "Allow",
            "Resource":"acs:fc:<region>:<accountId>:services/<serviceName>/functions/<functionName>/triggers/<triggerName>"
          }
    ]
}

涉及OSS触发器权限配置

triggers:
  - name: oss
    sourceArn: acs:oss:acs:log:<region>:<accountId>:<buckctName> 
    type: oss
    role: acs:ram::<accountId>:role⁄aliyunosseventnotificationrole
    #qualifier: LATEST
    config:
     events:
      - oss:ObjectCreated:*
     filter:
      key:
        prefix: xxx
        suffix: xxx

RAM用户（子账号）需要的权限

最大权限（系统策略）
AliyunFCFullAccess、AliyunOSSFullAccess

操作最小权限（自定义策略）

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "fc:GetTrigger",
                "fc:CreateTrigger",
                "fc:UpdateTrigger",
                "fc:DeleteTrigger"
            ],
            "Effect": "Allow",
            "Resource": "acs:fc:<region>:<accountId>:services/*/functions/*/triggers/*"
          },
        {
            "Action": "ram:PassRole",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "oss:ListBucket",
                "oss:GetBucketEventNotification",
                "oss:PutBucketEventNotification",
                "oss:DeleteBucketEventNotification"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

OSS触发器角色需要的权限

{
    "Version": "1",
    "Statement": [
        {
            "Action":[
              "fc:InvokeFunction"
            ],
            "Resource":"*",
            "Effect": "Allow"
        }
    ]
}

涉及CDN触发器权限配置

triggers:
  - name: cdn
    sourceArn: acs:cdn:*:<accountId>
    type: cdn_events
    role: <roleArn>
    #qualifier: LATEST
    config:
      eventName: CachedObjectsBlocked
      eventVersion: 1.0.0
      notes: xxx
      filter:
        domain: example.com

RAM用户（子账号）需要的权限

最大权限（系统策略）
AliyunFCFullAccess、AliyunCDNFullAccess

操作最小权限（自定义策略）

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "fc:GetTrigger",
                "fc:CreateTrigger",
                "fc:UpdateTrigger",
                "fc:DeleteTrigger"
            ],
            "Effect": "Allow",
            "Resource": "acs:fc:<region>:<accountId>:services/*/functions/*/triggers/*"
          },
        {
            "Action": "ram:PassRole",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cdn:UpdateFCTrigger",
                "cdn:DeleteFCTrigger",
                "cdn:DescribeFCTrigger",
                "cdn:AddFCTrigger"
            ],            
            "Resource": "*"
        }
    ]
}

CDN触发器角色需要的权限

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
            "fc:InvokeFunction"
            ],
            "Resource":"*",
            "Effect": "Allow"
        }
    ]
}

涉及Log触发器权限配置

triggers:
  - name: log
    sourceArn: acs:log:<region>:<accountId>:project/<projectName>
    type: log
    role: acs:ram::<accountId>:role/aliyunlogetlrole
    #qualifier: LATEST
    config:
        sourceConfig:
          logstore: log
        jobConfig:
          maxRetryTime: 3
          triggerInterval: 60
        functionParameter:
          #key: value
        logConfig:
          project: xxx
          logstore: xxx
        enable: false

RAM用户（子账号）需要的权限

最大权限（系统策略）
AliyunFCFullAccess、AliyunLogFullAccess

操作最小权限（自定义策略）

{
    "Version": "1",
    "Statement": [
        {
              "Action": [
                "fc:GetTrigger",
                "fc:CreateTrigger",
                "fc:UpdateTrigger",
                "fc:DeleteTrigger"
            ],
            "Effect": "Allow",
            "Resource":"acs:fc:<region>:<accountId>:services/*/functions/*/triggers/*"
          },
        {
            "Action": "ram:PassRole",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "log:GetEtlJob",
                "log:UpdateEtlJob",
                "log:CreateEtlJob",
                "log:DeleteEtlJob"
            ],            
            "Resource": "*"
        }
    ]
}

Log触发器角色需要的权限

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
               "fc:InvokeFunction"
            ],
            "Resource":"*",
            "Effect": "Allow"
        },
        {
             "Action":[
                "log:Get*",
                "log:List*",
                "log:PostProjectQuery",
                "log:PutProjectQuery",
                "log:DeleteProjectQuery",
                "log:GetProjectQuery",
                "log:PostLogStoreLogs",
                "log:BatchPostLogStoreLogs",
                "log:CreateConsumerGroup",
                "log:UpdateConsumerGroup",
                "log:DeleteConsumerGroup",
                "log:ListConsumerGroup",
                "log:ConsumerGroupUpdateCheckPoint",
                "log:ConsumerGroupHeartBeat",
                "log:GetConsumerGroupCheckPoint"
            ],
            "Resource": "*",
            "Effect": "Allow"
            ]
         }
    ]
}

涉及Tablestore触发器权限配置

triggers:
  - name: ots
    sourceArn: acs:ots:<region>:<accountId>:instance/<instance>/table/<table>
    type: tablestore
    role:  acr:ram::<accountId>:role/AliyunTableStoreStreamNotificationRole
    #qualifier: LATEST
    config: 
       instanceName: xxx
       tableName: xxx

RAM用户（子账号）需要的权限

最大权限（系统策略）
AliyunFCFullAccess、AliyunOTSFullAccess

操作最小权限（自定义策略）

{
    "Version": "1",
    "Statement": [
        {
              "Action": [
                "fc:GetTrigger",
                "fc:CreateTrigger",
                "fc:UpdateTrigger",
                "fc:DeleteTrigger"
            ],
            "Effect": "Allow",
            "Resource":"acs:fc:<region>:<accountId>:services/*/functions/*/triggers/*"
          },
        {
            "Action": "ram:PassRole",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ots:GetTrigger",
                "ots:UpdateTrigger",
                "ots:CreateTrigger",
                "ots:DeleteTrigger"
            ],            
            "Resource": "*"
        }
    ]
}

Tablestore触发器角色需要的权限

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
               "ots:BatchGet*",
              "ots:Describe*",						
              "ots:Get*",
              "ots:List*"
           ],
            "Resource":"*",
            "Effect": "Allow"
        },
        {
             "Action":[
                "fc:InvokeFunction"
            ],
            "Resource": "*",
            "Effect": "Allow"
            ]
         }
    ]
}

涉及MNS触发器权限配置

triggers:
  - name: mns
    sourceArn: acs:mns:<region>:<accountId>:instance/<instance>/table/<table>
    type: mns_topic
    role: acs:ram::<accountId>:role/aliyunmnsnotificationrole
    #qualifier: LATEST
    config: 
        filterTag: xxx
        notifyContentFormat: STREAM
        notifyStrategy: BACKOFF_RETRY

RAM用户（子账号）需要的权限

最大权限（系统策略）
AliyunFCFullAccess、AliyunMNSFullAccess

操作最小权限（自定义策略）

{
    "Version": "1",
    "Statement": [
        {
              "Action": [
                "fc:GetTrigger",
                "fc:CreateTrigger",
                "fc:UpdateTrigger",
                "fc:DeleteTrigger"
            ],
            "Effect": "Allow",
            "Resource":"acs:fc:<region>:<accountId>:services/*/functions/*/triggers/*"
          },
        {
            "Action": "ram:PassRole",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "mns:Subscribe",
                "mns:Unsubscribe"
           ],            
            "Resource": "*"
        }
    ]
}

MNS触发器角色需要的权限

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
               "fc:InvokeFunction" 
           ],
            "Resource":"*",
            "Effect": "Allow"
        }
     ]
}

涉及Timer触发器权限配置

triggers:
  - name: timer
    type: timer
    #qualifier: LATEST
    config: 
      payload: '{"s": "ss"}'
      cronExpression: '@every 100m'
      enable: false

RAM用户（子账号）需要的权限

最大权限（系统策略）
AliyunFCFullAccess

操作最小权限（自定义策略）

{
    "Version": "1",
    "Statement": [
        {
              "Action": [
                "fc:GetTrigger",
                "fc:CreateTrigger",
                "fc:UpdateTrigger",
                "fc:DeleteTrigger"
            ],
            "Effect": "Allow",
            "Resource":"acs:fc:<region>:<accountId>:services/<serviceName>/functions/<functionName>/triggers/<triggerName>"
          }
    ]
}

自定义域名相关权限配置

基础配置

customDomains:
    - domainName: auto
      protocol: HTTP
      routeConfigs:
        - path: /*
          serviceName: unit-deploy-service
          functionName: event-function

RAM用户（子账号）需要的函数权限

最大权限（系统策略）
AliyunFCFullAccess

最小权限（自定义策略）

说明自定义域名会涉及到较多服务和函数权限，原因在于domainName为auto，需要创建HTTP函数作为一个辅助函数，使用完后该函数将被删除。

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "fc:DeleteService",
                "fc:UpdateService",
                "fc:CreateService"
            ],
            "Effect": "Allow",
            "Resource": "acs:fc:<region>:<accountId>:services/*"
        },
        {
            "Action": [
                "fc:DeleteFunction",
                "fc:CreateFunction",
                "fc:UpdateFunction"
            ],
            "Effect": "Allow",
            "Resource": "acs:fc:<region>:<accountId>:services/*/functions/*"
        },
        {
            "Action": [
              "fc:DeleteTrigger",
              "fc:UpdateTrigger",
              "fc:CreateTrigger"
            ],
            "Effect": "Allow",
            "Resource": "acs:fc:<region>:<accountId>:services/*/functions/*/triggers/*"
        },
        {
            "Action": "ram:PassRole",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "fc:GetCustomDomain",
                "fc:UpdateCustomDomain",
                "fc:CreateCustomDomain"
            ],
            "Resource": "acs:fc:<region>:<accountId>:custom-domains/*",
            "Effect": "Allow"
        }
    ]
}