本文介绍使用FC组件的YAML模式所需的权限信息。
服务相关权限配置
# Bare service: no role, log, VPC, NAS or tracing configuration, so only
# the fc:*Service permissions listed below are needed to deploy it.
service:
  name: unit-deploy-service
  description: 'demo for fc-deploy component'
  # Presumably grants the service's functions outbound public-internet
  # access — confirm against the FC service reference.
  internetAccess: true
- 最大权限(系统策略)
AliyunFCFullAccess
- 部署最小权限(自定义策略)
说明
fc:GetService
的权限为可选。{ "Version": "1", "Statement": [ { "Action": "fc:CreateService", "Resource": "acs:fc:<region>:<accountId>:services/*", "Effect": "Allow" }, { "Action": "fc:UpdateService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" }, { "Action": "fc:GetService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" } ] }
-
删除最小权限(自定义策略)
{ "Version": "1", "Statement": [ { "Action": "fc:DeleteService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" } ] }
# Service with an explicit log configuration.
service:
  name: unit-deploy-service
  description: 'demo for fc-deploy component'
  internetAccess: true
  # The role already exists; its policy is described under
  # "服务角色权限" (service role permissions) below.
  role: <role-arn>
  # Alternative: `logConfig: auto` lets the component create the
  # project/logstore itself, which needs the extra log:* permissions
  # shown in the "当logConfig为auto" policy below.
  logConfig:
    project: XXX
    logstore: XXX
当 logConfig 为 auto 时,自动创建的日志项目(project)名称生成规则为 {accountID}-{region}-logproject;logstore 名称生成规则为 'fc-service-{serviceName}-logstore'.toLocaleLowerCase()(即整体转为小写)。
- 最大权限(系统策略)
AliyunFCFullAccess
、AliyunLogFullAccess
- 最小权限(自定义策略)
说明 以下各自定义策略中的 ram:PassRole 均使用 Resource "*",即允许部署身份把账号内任意角色传递给函数计算,该权限可被用于提权;建议将其收敛到实际使用的角色,例如 acs:ram::<accountId>:role/<roleName>(是否支持按角色资源限定请以 RAM 文档为准)。
- 当logConfig不为auto
{ "Version": "1", "Statement": [ { "Action": "fc:CreateService", "Resource": "acs:fc:<region>:<accountId>:services/*", "Effect": "Allow" }, { "Action": "fc:UpdateService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" }, { "Action": "fc:GetService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" }, { "Action": "ram:PassRole", "Effect": "Allow", "Resource": "*" } ] }
- 当logConfig为auto
{ "Version": "1", "Statement": [ { "Action": "fc:CreateService", "Resource": "acs:fc:<region>:<accountId>:services/*", "Effect": "Allow" }, { "Action": "fc:UpdateService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" }, { "Action": "fc:GetService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" }, { "Action": "ram:PassRole", "Effect": "Allow", "Resource": "*" }, { "Action": [ "log:GetProject", "log:CreateProject" ], "Resource": "acs:log:<region>:<accountId>:project/<projectName>", "Effect": "Allow" }, { "Action": [ "log:CreateLogStore", "log:GetIndex", "log:GetLogStore", "log:CreateIndex" ], "Resource": "acs:log:<region>:<accountId>:project/<projectName>/logstore/<logstoreName>", "Effect": "Allow" } ] }
服务角色权限
- 当logConfig不为auto
- 最大权限(系统策略)
AliyunLogFullAccess
- 最小权限(自定义策略)
{ "Version": "1", "Statement": [ { "Action": "log:PostLogStoreLogs", "Resource": "acs:log:<region>:<accountId>:project/<projectName>/logstore/<logstoreName>", "Effect": "Allow" } ] }
# Service attached to an existing VPC / security group / vSwitch.
service:
  name: unit-deploy-service
  description: 'demo for fc-deploy component'
  internetAccess: true
  # Pre-created role; see "服务角色权限" below for its policy.
  role: <role-arn>
  # Alternative: `vpcConfig: auto` has the component create the VPC,
  # vSwitch and security group, which requires the vpc:/ecs: create
  # permissions listed in the "当vpcConfig为auto" policy below.
  vpcConfig:
    vpcId: xxx
    securityGroupId: xxx
    vswitchIds:
      - vsw-xxx
- 最大权限(系统策略)
AliyunFCFullAccess
、AliyunVPCFullAccess
和AliyunECSFullAccess
- 最小权限(自定义策略)
- 当vpcConfig不为auto
{ "Version": "1", "Statement": [ { "Action": "fc:CreateService", "Resource": "acs:fc:<region>:<accountId>:services/*", "Effect": "Allow" }, { "Action": "fc:UpdateService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" }, { "Action": "fc:GetService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" }, { "Action": "ram:PassRole", "Effect": "Allow", "Resource": "*" } ] }
- 当vpcConfig为auto
- 系统策略
AliyunVPCReadOnlyAccess
- 自定义策略
{ "Version": "1", "Statement": [ { "Action": "fc:CreateService", "Resource": "acs:fc:<region>:<accountId>:services/*", "Effect": "Allow" }, { "Action": "fc:UpdateService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" }, { "Action": "fc:GetService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" }, { "Action": "ram:PassRole", "Effect": "Allow", "Resource": "*" }, { "Action": "fc:GetAccountSettings", "Effect": "Allow", "Resource": "acs:fc:<region>:<accountId>:account-settings" }, { "Action": [ "vpc:CreateVpc", "vpc:CreateVSwitch", "ecs:AuthorizeSecurityGroup", "ecs:DescribeSecurityGroups", "ecs:CreateSecurityGroup" ], "Effect": "Allow", "Resource": "*" } ] }
- 系统策略
- 当vpcConfig不为auto
- 系统策略
AliyunECSNetworkInterfaceManagementAccess
# Service with VPC access and an existing NAS mount point.
service:
  name: unit-deploy-service
  description: 'demo for fc-deploy component'
  internetAccess: true
  # Pre-created role; see "服务角色权限" below for its policy.
  role: <role-arn>
  # Alternative: `vpcConfig: auto` (see the VPC section above).
  vpcConfig:
    vpcId: xxx
    securityGroupId: xxx
    vswitchIds:
      - vsw-xxx
  # Alternative: `nasConfig: auto` has the component create the file
  # system and mount target, which needs the nas:Create* permissions
  # listed in the "当nasConfig为auto" policy below.
  nasConfig:
    userId: 10xxx
    groupId: 10xxx
    mountPoints:
      - serverAddr: xxx-xxx.<region>.nas.aliyuncs.com
        nasDir: /unit-deploy-service
- 最大权限(系统策略)
AliyunFCFullAccess
、AliyunVPCFullAccess
和AliyunNASFullAccess
- 最小权限(自定义策略)
- 当nasConfig不为auto
{ "Version": "1", "Statement": [ { "Action": "fc:CreateService", "Resource": "acs:fc:<region>:<accountId>:services/*", "Effect": "Allow" }, { "Action": "fc:UpdateService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" }, { "Action": "fc:GetService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" }, { "Action": "ram:PassRole", "Effect": "Allow", "Resource": "*" } ] }
- 当nasConfig为auto
- 系统策略
AliyunNASReadOnlyAccess
- 自定义策略
{ "Version": "1", "Statement": [ { "Action": "fc:CreateService", "Resource": "acs:fc:<region>:<accountId>:services/*", "Effect": "Allow" }, { "Action": "fc:UpdateService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" }, { "Action": "fc:GetService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" }, { "Action": "fc:GetAccountSettings", "Effect": "Allow", "Resource": "acs:fc:<region>:<accountId>:account-settings" }, { "Action": [ "fc:UpdateService", "fc:CreateService" ], "Effect": "Allow", "Resource": "acs:fc:<region>:<accountId>:services/*" }, { "Action": [ "fc:InvokeFunction", "fc:CreateFunction", "fc:UpdateFunction" ], "Effect": "Allow", "Resource": "acs:fc:<region>:<accountId>:services/*/functions/*" }, { "Action": [ "fc:UpdateTrigger", "fc:CreateTrigger" ], "Effect": "Allow", "Resource": "acs:fc:<region>:<accountId>:services/*/functions/*/triggers/*" }, { "Action": "ram:PassRole", "Effect": "Allow", "Resource": "*" }, { "Action": [ "nas:CreateMountTarget", "nas:DescribeMountTargets", "nas:DescribeFileSystems", "nas:CreateFileSystem", "vpc:DescribeVSwitchAttributes" ], "Effect": "Allow", "Resource": "*" } ] }
- 系统策略
- 当nasConfig不为auto
- 最大权限(系统策略)
AliyunECSNetworkInterfaceManagementAccess
# Service with tracing turned on; needs the tracing-analysis read-only
# policy listed below in addition to the fc:*Service permissions.
service:
  name: unit-deploy-service
  description: 'demo for fc-deploy component'
  internetAccess: true
  tracingConfig: Enable
- 最大权限(系统策略)
AliyunFCFullAccess
和AliyunTracingAnalysisReadOnlyAccess
- 最小权限(自定义策略)
{ "Version": "1", "Statement": [ { "Action": "fc:CreateService", "Resource": "acs:fc:<region>:<accountId>:services/*", "Effect": "Allow" }, { "Action": "fc:UpdateService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" }, { "Action": "fc:GetService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" }, { "Action": "ram:PassRole", "Effect": "Allow", "Resource": "*" } ] }
# Role created by the component for the service; deploying it needs
# the ram:CreateRole / ram:CreatePolicy / ram:AttachPolicyToRole
# permissions listed below.
role:
  name: unit-fc
  policies:
    # Existing system policy, referenced by name.
    - AliyunContainerRegistryReadOnlyAccess
    # Inline custom policy created together with the role.
    - name: unit-test-123
      description: test
      statement:
        Action: 'ram:PassRole'
        Effect: Allow
        # NOTE(review): '*' lets this role pass ANY role in the account;
        # narrow it to the specific role ARN(s) the service actually
        # needs if RAM resource-level PassRole is available.
        Resource: '*'
- 最大权限(系统策略)
AliyunFCFullAccess
和AliyunRAMFullAccess
- 最小权限(自定义策略)
{ "Version": "1", "Statement": [ { "Action": [ "ram:PassRole", "ram:GetRole", "ram:CreateRole", "ram:ListPoliciesForRole", "ram:AttachPolicyToRole", "ram:GetPolicy", "ram:CreatePolicy", "ram:ListPolicyVersions", "ram:CreatePolicyVersion", "ram:DeletePolicyVersion" ], "Effect": "Allow", "Resource": "*" }, { "Action": "fc:CreateService", "Resource": "acs:fc:<region>:<accountId>:services/*", "Effect": "Allow" }, { "Action": "fc:UpdateService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" }, { "Action": "fc:GetService", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>", "Effect": "Allow" } ] }
函数相关权限配置
# Event function on a managed runtime; code is packaged from ./ .
function:
  name: event-function
  description: this is a test
  runtime: nodejs12
  codeUri: ./
  handler: index.handler
  memorySize: 128
  timeout: 60
- 最大权限(系统策略)
AliyunFCFullAccess
- 部署最小权限(自定义策略)
说明
fc:GetFunction
的权限为可选。{ "Version": "1", "Statement": [ { "Action": [ "fc:GetFunction", "fc:CreateFunction", "fc:UpdateFunction" ], "Effect": "Allow", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>/functions/*" } ] }
-
删除最小权限(自定义策略)
{ "Version": "1", "Statement": [ { "Action": "fc:DeleteFunction", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>/functions/<functionName>", "Effect": "Allow" } ] }
# Custom-container function. Pulling the image additionally requires
# the AliyunContainerRegistryReadOnlyAccess system policy listed below.
function:
  name: event-function
  description: this is a test
  runtime: custom-container
  codeUri: ./
  handler: index.handler
  memorySize: 128
  timeout: 60
  customContainerConfig:
    image: xxx
    command: xxx
    args: xxx
- 最大权限(系统策略)
AliyunFCFullAccess
- 部署最小权限(自定义策略)
{ "Version": "1", "Statement": [ { "Action": [ "fc:GetFunction", "fc:CreateFunction", "fc:UpdateFunction" ], "Effect": "Allow", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>/functions/*" } ] }
-
删除最小权限(自定义策略)
{ "Version": "1", "Statement": [ { "Action": "fc:DeleteFunction", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>/functions/<functionName>", "Effect": "Allow" } ] }
-
系统策略:
AliyunContainerRegistryReadOnlyAccess
# Async invocation settings. Both destinations here are other FC
# functions; when a destination is MNS, EventBridge or RocketMQ the
# corresponding read-only system policy listed below is also needed.
asyncConfiguration:
  destination:
    onSuccess: acs:fc:::services/ServerlessTool.LATEST/functions/serverless_demo_nodejs8_http
    onFailure: acs:fc:::services/Puppeteer/functions/HtmlToPng
  maxAsyncEventAgeInSeconds: 456
  maxAsyncRetryAttempts: 3
  statefulInvocation: false
- 最大权限(系统策略)
AliyunFCFullAccess
- AliyunMNSReadOnlyAccess:查看消息服务MNS的权限。
- AliyunEventBridgeReadOnlyAccess:查看事件总线EventBridge的权限。
- AliyunMQReadOnlyAccess:消息队列RocketMQ版的查看权限。
- AliyunFCInvocationAccess:函数调用的权限。
- 最小权限(自定义策略)
说明 fc:GetFunctionAsyncInvokeConfig 的权限为可选。另请注意:下方自定义策略中的 "fc:*Service" 作用于 Resource "*",会匹配全部服务上所有以 Service 结尾的操作(包括 fc:DeleteService),比本文其他小节按 services/<serviceName> 限定的 CreateService/UpdateService/GetService 宽得多;生产环境建议按需改为具体操作并限定到目标服务资源。
-
系统策略
- AliyunMNSReadOnlyAccess:如果异步调用目标服务为消息服务MNS,则需配置此权限。
- AliyunEventBridgeReadOnlyAccess:如果异步调用目标服务为事件总线EventBridge,则需配置此权限。
- AliyunMQReadOnlyAccess:如果异步调用目标服务为消息队列RocketMQ版,则需配置此权限。
-
自定义策略
{ "Version": "1", "Statement": [ { "Action": "fc:*Service", "Resource": "*", "Effect": "Allow" }, { "Action": [ "fc:GetFunction", "fc:CreateFunction", "fc:UpdateFunction" ], "Effect": "Allow", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>/functions/*" }, { "Action": [ "fc:InvokeFunction", "fc:GetFunctionAsyncInvokeConfig", "fc:DeleteFunctionAsyncInvokeConfig", "fc:PutFunctionAsyncInvokeConfig" ], "Effect": "Allow", "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>.*/functions/*" }, { "Action": "ram:PassRole", "Effect": "Allow", "Resource": "*" } ] }
-
系统策略
触发器相关权限配置
# HTTP trigger on the function's LATEST version.
triggers:
  - name: httpTrigger
    type: http
    # qualifier: LATEST
    config:
      # anonymous: callers are not authenticated, so the function URL is
      # callable by anyone who knows it — use only for endpoints that are
      # meant to be public.
      authType: anonymous
      methods:
        - GET
- 最大权限(系统策略)
AliyunFCFullAccess
- 操作最小权限(自定义策略)
{ "Version": "1", "Statement": [ { "Action": [ "fc:GetTrigger", "fc:CreateTrigger", "fc:UpdateTrigger", "fc:DeleteTrigger" ], "Effect": "Allow", "Resource":"acs:fc:<region>:<accountId>:services/<serviceName>/functions/<functionName>/triggers/<triggerName>" } ] }
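# OSS event trigger: OSS assumes `role` to invoke the function when an
# object matching `filter` is created in the bucket.
triggers:
  - name: oss
    # Bucket ARN (acs:oss:<region>:<accountId>:<bucketName>); the
    # original listing had a "acs:log:" fragment pasted into it.
    sourceArn: 'acs:oss:<region>:<accountId>:<bucketName>'
    type: oss
    # Must be a plain '/' in "role/": the original used a Unicode
    # fraction slash (U+2044), which is not a valid ARN separator.
    role: 'acs:ram::<accountId>:role/aliyunosseventnotificationrole'
    # qualifier: LATEST
    config:
      events:
        - 'oss:ObjectCreated:*'
      filter:
        key:
          prefix: xxx
          suffix: xxx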
- 最大权限(系统策略)
AliyunFCFullAccess
、AliyunOSSFullAccess
- 操作最小权限(自定义策略)
{ "Version": "1", "Statement": [ { "Action": [ "fc:GetTrigger", "fc:CreateTrigger", "fc:UpdateTrigger", "fc:DeleteTrigger" ], "Effect": "Allow", "Resource": "acs:fc:<region>:<accountId>:services/*/functions/*/triggers/*" }, { "Action": "ram:PassRole", "Effect": "Allow", "Resource": "*" }, { "Action": [ "oss:ListBucket", "oss:GetBucketEventNotification", "oss:PutBucketEventNotification", "oss:DeleteBucketEventNotification" ], "Effect": "Allow", "Resource": "*" } ] }
{ "Version": "1", "Statement": [ { "Action":[ "fc:InvokeFunction" ], "Resource":"*", "Effect": "Allow" } ] }
# CDN event trigger; CDN assumes `role` to invoke the function.
triggers:
  - name: cdn
    # Quoted: the plain scalar contains '*' and several ':'.
    sourceArn: 'acs:cdn:*:<accountId>'
    type: cdn_events
    role: <roleArn>
    # qualifier: LATEST
    config:
      eventName: CachedObjectsBlocked
      # Quoted so the version is always read as a string.
      eventVersion: '1.0.0'
      notes: xxx
      filter:
        domain: example.com
- 最大权限(系统策略)
AliyunFCFullAccess
、AliyunCDNFullAccess
- 操作最小权限(自定义策略)
{ "Version": "1", "Statement": [ { "Action": [ "fc:GetTrigger", "fc:CreateTrigger", "fc:UpdateTrigger", "fc:DeleteTrigger" ], "Effect": "Allow", "Resource": "acs:fc:<region>:<accountId>:services/*/functions/*/triggers/*" }, { "Action": "ram:PassRole", "Effect": "Allow", "Resource": "*" }, { "Effect": "Allow", "Action": [ "cdn:UpdateFCTrigger", "cdn:DeleteFCTrigger", "cdn:DescribeFCTrigger", "cdn:AddFCTrigger" ], "Resource": "*" } ] }
{ "Version": "1", "Statement": [ { "Action": [ "fc:InvokeFunction" ], "Resource":"*", "Effect": "Allow" } ] }
# Log Service (SLS) trigger: an ETL job on the project invokes the
# function with batches from `sourceConfig.logstore`.
triggers:
  - name: log
    sourceArn: acs:log:<region>:<accountId>:project/<projectName>
    type: log
    role: acs:ram::<accountId>:role/aliyunlogetlrole
    # qualifier: LATEST
    config:
      sourceConfig:
        logstore: log
      jobConfig:
        maxRetryTime: 3
        triggerInterval: 60
      # Left empty (null) as in the original; fill with key: value pairs
      # to pass parameters to the function.
      functionParameter:  # key: value
      logConfig:
        project: xxx
        logstore: xxx
      # Trigger is created disabled.
      enable: false
- 最大权限(系统策略)
AliyunFCFullAccess
、AliyunLogFullAccess
- 操作最小权限(自定义策略)
{ "Version": "1", "Statement": [ { "Action": [ "fc:GetTrigger", "fc:CreateTrigger", "fc:UpdateTrigger", "fc:DeleteTrigger" ], "Effect": "Allow", "Resource":"acs:fc:<region>:<accountId>:services/*/functions/*/triggers/*" }, { "Action": "ram:PassRole", "Effect": "Allow", "Resource": "*" }, { "Effect": "Allow", "Action": [ "log:GetEtlJob", "log:UpdateEtlJob", "log:CreateEtlJob", "log:DeleteEtlJob" ], "Resource": "*" } ] }
{ "Version": "1", "Statement": [ { "Action": [ "fc:InvokeFunction" ], "Resource":"*", "Effect": "Allow" }, { "Action":[ "log:Get*", "log:List*", "log:PostProjectQuery", "log:PutProjectQuery", "log:DeleteProjectQuery", "log:GetProjectQuery", "log:PostLogStoreLogs", "log:BatchPostLogStoreLogs", "log:CreateConsumerGroup", "log:UpdateConsumerGroup", "log:DeleteConsumerGroup", "log:ListConsumerGroup", "log:ConsumerGroupUpdateCheckPoint", "log:ConsumerGroupHeartBeat", "log:GetConsumerGroupCheckPoint" ], "Resource": "*", "Effect": "Allow" } ] }
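# Tablestore stream trigger; Tablestore assumes `role` to invoke the
# function.
triggers:
  - name: ots
    sourceArn: acs:ots:<region>:<accountId>:instance/<instance>/table/<table>
    type: tablestore
    # ARN prefix is "acs:" (the original listing had the typo "acr:").
    role: acs:ram::<accountId>:role/AliyunTableStoreStreamNotificationRole
    # qualifier: LATEST
    config:
      instanceName: xxx
      tableName: xxx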
- 最大权限(系统策略)
AliyunFCFullAccess
、AliyunOTSFullAccess
- 操作最小权限(自定义策略)
{ "Version": "1", "Statement": [ { "Action": [ "fc:GetTrigger", "fc:CreateTrigger", "fc:UpdateTrigger", "fc:DeleteTrigger" ], "Effect": "Allow", "Resource":"acs:fc:<region>:<accountId>:services/*/functions/*/triggers/*" }, { "Action": "ram:PassRole", "Effect": "Allow", "Resource": "*" }, { "Effect": "Allow", "Action": [ "ots:GetTrigger", "ots:UpdateTrigger", "ots:CreateTrigger", "ots:DeleteTrigger" ], "Resource": "*" } ] }
{ "Version": "1", "Statement": [ { "Action": [ "ots:BatchGet*", "ots:Describe*", "ots:Get*", "ots:List*" ], "Resource":"*", "Effect": "Allow" }, { "Action":[ "fc:InvokeFunction" ], "Resource": "*", "Effect": "Allow" } ] }
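# MNS topic trigger; MNS assumes `role` to invoke the function.
triggers:
  - name: mns
    # Topic ARN. The original listing reused the Tablestore
    # "instance/<instance>/table/<table>" resource here, which is not
    # an MNS resource; the topic form is used instead — confirm the
    # exact format against the MNS topic trigger reference.
    sourceArn: 'acs:mns:<region>:<accountId>:/topics/<topicName>'
    type: mns_topic
    role: acs:ram::<accountId>:role/aliyunmnsnotificationrole
    # qualifier: LATEST
    config:
      filterTag: xxx
      notifyContentFormat: STREAM
      notifyStrategy: BACKOFF_RETRY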
- 最大权限(系统策略)
AliyunFCFullAccess
、AliyunMNSFullAccess
- 操作最小权限(自定义策略)
{ "Version": "1", "Statement": [ { "Action": [ "fc:GetTrigger", "fc:CreateTrigger", "fc:UpdateTrigger", "fc:DeleteTrigger" ], "Effect": "Allow", "Resource":"acs:fc:<region>:<accountId>:services/*/functions/*/triggers/*" }, { "Action": "ram:PassRole", "Effect": "Allow", "Resource": "*" }, { "Effect": "Allow", "Action": [ "mns:Subscribe", "mns:Unsubscribe" ], "Resource": "*" } ] }
{ "Version": "1", "Statement": [ { "Action": [ "fc:InvokeFunction" ], "Resource":"*", "Effect": "Allow" } ] }
# Timer trigger; needs only the fc:*Trigger permissions listed below.
triggers:
  - name: timer
    type: timer
    # qualifier: LATEST
    config:
      # Quoted so the JSON braces are not parsed as a YAML flow mapping.
      payload: '{"s": "ss"}'
      # Quoted: a plain scalar may not start with '@'.
      cronExpression: '@every 100m'
      # Trigger is created disabled.
      enable: false
- 最大权限(系统策略)
AliyunFCFullAccess
- 操作最小权限(自定义策略)
{ "Version": "1", "Statement": [ { "Action": [ "fc:GetTrigger", "fc:CreateTrigger", "fc:UpdateTrigger", "fc:DeleteTrigger" ], "Effect": "Allow", "Resource":"acs:fc:<region>:<accountId>:services/<serviceName>/functions/<functionName>/triggers/<triggerName>" } ] }
自定义域名相关权限配置
# Custom domain routed to the function. `domainName: auto` makes the
# component provision a domain itself; per the note below this
# temporarily creates a helper HTTP function, which is why the policy
# needs service/function/trigger permissions.
customDomains:
  - domainName: auto
    # Plain HTTP, no TLS.
    protocol: HTTP
    routeConfigs:
      - path: '/*'
        serviceName: unit-deploy-service
        functionName: event-function
- 最大权限(系统策略)
AliyunFCFullAccess
- 最小权限(自定义策略)
说明 自定义域名会涉及到较多服务和函数权限(下方策略对 services/* 下的全部服务、函数和触发器授予创建、更新及删除权限,范围较宽,生产环境请谨慎评估),原因在于domainName为
auto
,需要创建HTTP函数作为一个辅助函数,使用完后该函数将被删除。{ "Version": "1", "Statement": [ { "Action": [ "fc:DeleteService", "fc:UpdateService", "fc:CreateService" ], "Effect": "Allow", "Resource": "acs:fc:<region>:<accountId>:services/*" }, { "Action": [ "fc:DeleteFunction", "fc:CreateFunction", "fc:UpdateFunction" ], "Effect": "Allow", "Resource": "acs:fc:<region>:<accountId>:services/*/functions/*" }, { "Action": [ "fc:DeleteTrigger", "fc:UpdateTrigger", "fc:CreateTrigger" ], "Effect": "Allow", "Resource": "acs:fc:<region>:<accountId>:services/*/functions/*/triggers/*" }, { "Action": "ram:PassRole", "Effect": "Allow", "Resource": "*" }, { "Action": [ "fc:GetCustomDomain", "fc:UpdateCustomDomain", "fc:CreateCustomDomain" ], "Resource": "acs:fc:<region>:<accountId>:custom-domains/*", "Effect": "Allow" } ] }