本文介绍使用FC组件的YAML模式所需的权限信息。

服务相关权限配置

# Bare service stanza: no role, logConfig, vpcConfig or nasConfig, so the
# deploying sub-account only needs the fc:CreateService / fc:UpdateService /
# fc:GetService statements listed below it (fc:GetService is optional).
service:
    name: unit-deploy-service
    description: 'demo for fc-deploy component'
    # Real YAML boolean, not the string "true".
    internetAccess: true
子账号需要的权限
  • 最大权限(系统策略)

    AliyunFCFullAccess

  • 部署最小权限(自定义策略)
    说明 fc:GetService的权限为可选。
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:CreateService",
                "Resource": "acs:fc:<region>:<accountId>:services/*",
                "Effect": "Allow"
            },
            {
                "Action": "fc:UpdateService",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                "Effect": "Allow"
            },
            {
                "Action": "fc:GetService",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                "Effect": "Allow"
            }
        ]
    }
    
  • 删除最小权限(自定义策略)
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:DeleteService",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                "Effect": "Allow"
            }
        ]
    }
    
# Service with a pre-existing role and an explicit Log Service destination.
service:
    name: unit-deploy-service
    description: 'demo for fc-deploy component'
    internetAccess: true
    # NOTE(review): passing this role needs ram:PassRole, and every custom
    # policy on this page grants it on Resource "*" rather than on this one
    # role. Scoping that statement to the <role-arn> value keeps the deploying
    # sub-account from attaching a more privileged role to the service.
    role: <role-arn>  # already exists; the policies it needs are listed under 服务角色权限 below.
    # Alternative: let the component create the project/logstore itself; the
    # generated names and the extra log:* permissions are described below.
    # logConfig: auto
    # Explicit destination. XXX are placeholders; with an explicit logConfig the
    # sub-account policy below contains no log:* action, so both must already
    # exist, and the role needs log:PostLogStoreLogs on that logstore.
    logConfig:
        project: XXX
        logstore: XXX
说明 logConfig为auto时,project名字生成规则为{accountID}-{region}-logproject,logstore名字生成规则为'fc-service-{serviceName}-logstore'.toLocaleLowerCase()。
子账号需要的权限
  • 最大权限(系统策略)

    AliyunFCFullAccess、AliyunLogFullAccess

  • 最小权限(自定义策略)
    • logConfig不为auto
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "fc:CreateService",
                  "Resource": "acs:fc:<region>:<accountId>:services/*",
                  "Effect": "Allow"
              },
              {
                  "Action": "fc:UpdateService",
                  "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                  "Effect": "Allow"
              },
              {
                  "Action": "fc:GetService",
                  "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                  "Effect": "Allow"
              },
              {
                  "Action": "ram:PassRole",
                  "Effect": "Allow",
                  "Resource": "*"
              }
          ]
      }
      
    • logConfig为auto
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "fc:CreateService",
                  "Resource": "acs:fc:<region>:<accountId>:services/*",
                  "Effect": "Allow"
              },
              {
                  "Action": "fc:UpdateService",
                  "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                  "Effect": "Allow"
              },
              {
                  "Action": "fc:GetService",
                  "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                  "Effect": "Allow"
              },
              {
                  "Action": "ram:PassRole",
                  "Effect": "Allow",
                  "Resource": "*"
              },
              {
                  "Action": [
                      "log:GetProject",
                      "log:CreateProject"
                  ],
                  "Resource": "acs:log:<region>:<accountId>:project/<projectName>",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "log:CreateLogStore",
                      "log:GetIndex",
                      "log:GetLogStore",
                      "log:CreateIndex"
                  ],
                  "Resource": "acs:log:<region>:<accountId>:project/<projectName>/logstore/<logstoreName>",
                  "Effect": "Allow"
              }
          ]
      }
      
  • 服务角色权限
    • 最大权限(系统策略)

      AliyunLogFullAccess

    • 最小权限(自定义策略)
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "log:PostLogStoreLogs",
                  "Resource": "acs:log:<region>:<accountId>:project/<projectName>/logstore/<logstoreName>",
                  "Effect": "Allow"
              }
          ]
      }
      
# Service attached to an existing VPC by explicit IDs (vpcConfig not auto).
service:
    name: unit-deploy-service
    description: 'demo for fc-deploy component'
    internetAccess: true
    role: <role-arn>  # already exists; needs AliyunECSNetworkInterfaceManagementAccess (see 服务角色权限 below).
    # Alternative: vpcConfig: auto lets the component create the VPC, vSwitch
    # and security group itself. The matching policy below then adds
    # vpc:CreateVpc, vpc:CreateVSwitch, ecs:CreateSecurityGroup,
    # ecs:AuthorizeSecurityGroup and ecs:DescribeSecurityGroups on Resource "*",
    # i.e. account-wide network-resource creation for the sub-account — prefer
    # explicit IDs when the deploying identity is meant to be least-privilege.
    # vpcConfig: auto
    vpcConfig:
      vpcId: xxx
      securityGroupId: xxx
      # One or more vSwitch IDs (vsw-xxx is a placeholder).
      vswitchIds:
        - vsw-xxx
子账号需要的权限
  • 最大权限(系统策略)

    AliyunFCFullAccess、AliyunVPCFullAccess、AliyunECSFullAccess

  • 最小权限(自定义策略)
    • vpcConfig不为auto
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "fc:CreateService",
                  "Resource": "acs:fc:<region>:<accountId>:services/*",
                  "Effect": "Allow"
              },
              {
                  "Action": "fc:UpdateService",
                  "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                  "Effect": "Allow"
              },
              {
                  "Action": "fc:GetService",
                  "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                  "Effect": "Allow"
            },
              {
                  "Action": "ram:PassRole",
                  "Effect": "Allow",
                  "Resource": "*"
              }
          ]
      }
      
    • vpcConfig为auto
      • 系统策略

        AliyunVPCReadOnlyAccess

      • 自定义策略
        {
            "Version": "1",
            "Statement": [
               {
                   "Action": "fc:CreateService",
                   "Resource": "acs:fc:<region>:<accountId>:services/*",
                   "Effect": "Allow"
               },
               {
                   "Action": "fc:UpdateService",
                   "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                   "Effect": "Allow"
               },
               {
                   "Action": "fc:GetService",
                   "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                   "Effect": "Allow"
               },
               {
                   "Action": "ram:PassRole",
                   "Effect": "Allow",
                   "Resource": "*"
               },
               {
                   "Action": "fc:GetAccountSettings",
                   "Effect": "Allow",
                   "Resource": "acs:fc:<region>:<accountId>:account-settings"
               },
               {
                   "Action": [
                       "vpc:CreateVpc",
                       "vpc:CreateVSwitch",
                       "ecs:AuthorizeSecurityGroup",
                       "ecs:DescribeSecurityGroups",
                       "ecs:CreateSecurityGroup"
                   ],
                   "Effect": "Allow",
                   "Resource": "*"
               }
            ]
        }                     
        
服务角色权限
  • 系统策略

    AliyunECSNetworkInterfaceManagementAccess

# Service with an existing VPC and an explicit NAS mount (neither set to auto).
service:
    name: unit-deploy-service
    description: 'demo for fc-deploy component'
    internetAccess: true
    role: <role-arn>  # already exists; needs AliyunECSNetworkInterfaceManagementAccess (see 服务角色权限 below).
    # vpcConfig: auto
    vpcConfig:
      vpcId: xxx
      securityGroupId: xxx
      vswitchIds:
        - vsw-xxx
    # NOTE(review): nasConfig: auto makes the sub-account policy below much
    # wider than the explicit form: nas:CreateFileSystem / nas:CreateMountTarget
    # on Resource "*", plus fc:CreateFunction / fc:UpdateFunction /
    # fc:InvokeFunction on services/*/functions/* and trigger create/update on
    # services/*/functions/*/triggers/*. Prefer explicit IDs for a
    # least-privilege deployer.
    # nasConfig: auto
    nasConfig:
      # Placeholder numeric ids (10xxx); their meaning is not documented here.
      userId: 10xxx
      groupId: 10xxx
      mountPoints:
        # serverAddr is the NAS mount-target domain (<region> is a placeholder);
        # nasDir presumably is the NAS-side path that gets mounted — confirm.
        - serverAddr: xxx-xxx.<region>.nas.aliyuncs.com
          nasDir: /unit-deploy-service
子账号需要的权限
  • 最大权限(系统策略)

    AliyunFCFullAccess、AliyunVPCFullAccess、AliyunNASFullAccess

  • 最小权限(自定义策略)
    • nasConfig不为auto
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "fc:CreateService",
                  "Resource": "acs:fc:<region>:<accountId>:services/*",
                  "Effect": "Allow"
              },
              {
                  "Action": "fc:UpdateService",
                  "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                  "Effect": "Allow"
              },
              {
                  "Action": "fc:GetService",
                  "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                  "Effect": "Allow"
              },
              {
                  "Action": "ram:PassRole",
                  "Effect": "Allow",
                  "Resource": "*"
              }
          ]
      }
      
    • nasConfig为auto
      • 系统策略

        AliyunNASReadOnlyAccess

      • 自定义策略
        {
            "Version": "1",
            "Statement": [
                {
                    "Action": "fc:CreateService",
                    "Resource": "acs:fc:<region>:<accountId>:services/*",
                    "Effect": "Allow"
                },
                {
                    "Action": "fc:UpdateService",
                    "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                    "Effect": "Allow"
                },
                {
                    "Action": "fc:GetService",
                    "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                    "Effect": "Allow"
                },
                {
                    "Action": "fc:GetAccountSettings",
                    "Effect": "Allow",
                    "Resource": "acs:fc:<region>:<accountId>:account-settings"
                },
                {
                    "Action": [
                        "fc:UpdateService",
                        "fc:CreateService"
                    ],
                    "Effect": "Allow",
                    "Resource": "acs:fc:<region>:<accountId>:services/*"
                },
                {
                    "Action": [
                        "fc:InvokeFunction",
                        "fc:CreateFunction",
                        "fc:UpdateFunction"
                    ],
                    "Effect": "Allow",
                    "Resource": "acs:fc:<region>:<accountId>:services/*/functions/*"
                },
                {
                    "Action": [
                      "fc:UpdateTrigger",
                      "fc:CreateTrigger"
                    ],
                    "Effect": "Allow",
                    "Resource": "acs:fc:<region>:<accountId>:services/*/functions/*/triggers/*"
                },
                {
                    "Action": "ram:PassRole",
                    "Effect": "Allow",
                    "Resource": "*"
                },
                {
                    "Action": [
                        "nas:CreateMountTarget",
                        "nas:DescribeMountTargets",
                        "nas:DescribeFileSystems",
                        "nas:CreateFileSystem",
                        "vpc:DescribeVSwitchAttributes"
                    ],
                    "Effect": "Allow",
                    "Resource": "*"
                }
            ]
        }
        
服务角色权限
  • 最大权限(系统策略)

    AliyunECSNetworkInterfaceManagementAccess

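# Service with tracing switched on and no role configured.
service:
    name: unit-deploy-service
    description: 'demo for fc-deploy component'
    internetAccess: true
    # Plain string scalar (not a YAML boolean); trailing whitespace removed.
    tracingConfig: Enable
# NOTE(review): the custom policy below still grants ram:PassRole on "*"
# although this stanza passes no role; when no role is configured that
# statement is unnecessary and should be dropped for a least-privilege
# sub-account.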
子账号需要的权限
  • 最大权限(系统策略)

    AliyunFCFullAccess、AliyunTracingAnalysisReadOnlyAccess

  • 最小权限(自定义策略)
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:CreateService",
                "Resource": "acs:fc:<region>:<accountId>:services/*",
                "Effect": "Allow"
            },
            {
                "Action": "fc:UpdateService",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                "Effect": "Allow"
            },
            {
                "Action": "fc:GetService",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                "Effect": "Allow"
            },
            {
                "Action": "ram:PassRole",
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
    
# Role stanza. The sub-account policy below lists ram:CreateRole,
# ram:AttachPolicyToRole, ram:CreatePolicy and ram:CreatePolicyVersion, so the
# component presumably creates the role and its custom policy itself.
role:
  name: unit-fc
  policies:
    # A system policy, referenced by name.
    - AliyunContainerRegistryReadOnlyAccess
    # A custom policy defined inline for this role.
    - name: unit-test-123
      description: test
      statement:
        Action: ram:PassRole
        Effect: Allow
        # NOTE(review): '*' lets whatever assumes unit-fc pass any role, not
        # just the one it needs; narrow this to the specific role ARN(s).
        Resource: '*'
子账号需要的权限
  • 最大权限(系统策略)

    AliyunFCFullAccess、AliyunRAMFullAccess

  • 最小权限(自定义策略)
    {
        "Version": "1",
        "Statement": [
            {
              "Action": [
                "ram:PassRole",
                "ram:GetRole",
                "ram:CreateRole",
                "ram:ListPoliciesForRole",
                "ram:AttachPolicyToRole",
                "ram:GetPolicy",
                "ram:CreatePolicy",
                "ram:ListPolicyVersions",
                "ram:CreatePolicyVersion",
                "ram:DeletePolicyVersion"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
                "Action": "fc:CreateService",
                "Resource": "acs:fc:<region>:<accountId>:services/*",
                "Effect": "Allow"
            },
            {
                "Action": "fc:UpdateService",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                "Effect": "Allow"
            },
            {
                "Action": "fc:GetService",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>",
                "Effect": "Allow"
            }
        ]
    }
    

函数相关权限配置

# Plain (non-container) function. The deploy policy below is scoped to
# services/<serviceName>/functions/*, and fc:GetFunction is optional.
function:
    name: event-function
    description: this is a test
    runtime: nodejs12
    # ./ points at the current directory.
    codeUri: ./
    handler: index.handler
    # Units are not stated on this page; presumably MB and seconds — confirm.
    memorySize: 128
    timeout: 60
子账号需要的权限
  • 最大权限(系统策略)

    AliyunFCFullAccess

  • 部署最小权限(自定义策略)
    说明 fc:GetFunction的权限为可选。
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "fc:GetFunction",
                    "fc:CreateFunction",
                    "fc:UpdateFunction"
                ],
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>/functions/*"
            }
        ]
    }
    
  • 删除最小权限(自定义策略)
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:DeleteFunction",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>/functions/<functionName>",
                "Effect": "Allow"
            }
        ]
    }
    
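# Custom-container function. No extra sub-account permission is listed for it;
# 服务角色权限 below adds AliyunContainerRegistryReadOnlyAccess, so the image is
# presumably pulled with the service role.
function:
    name: event-function
    description: this is a test
    runtime: custom-container
    codeUri: ./
    handler: index.handler
    memorySize: 128
    timeout: 60
    # Indentation normalised to one 4-space level (the original used 10 spaces
    # here, which parses but breaks the file's convention).
    customContainerConfig:
        image: xxx    # placeholder image reference
        command: xxx  # placeholder
        args: xxx     # placeholder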
子账号需要的权限
  • 最大权限(系统策略)

    AliyunFCFullAccess

  • 部署最小权限(自定义策略)
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "fc:GetFunction",
                    "fc:CreateFunction",
                    "fc:UpdateFunction"
                ],
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>/functions/*"
            }
        ]
    }
    
  • 删除最小权限(自定义策略)
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:DeleteFunction",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>/functions/<functionName>",
                "Effect": "Allow"
            }
        ]
    }
    
服务角色权限
  • 系统策略:

    AliyunContainerRegistryReadOnlyAccess

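# Async invocation settings. The original was indented with tab characters,
# which YAML forbids; replaced with spaces so the snippet parses.
asyncConfiguration:
    destination:
        # Sample destination ARNs (other FC functions). MNS, EventBridge or
        # RocketMQ destinations need the matching *ReadOnlyAccess policy
        # listed below.
        onSuccess: acs:fc:::services/ServerlessTool.LATEST/functions/serverless_demo_nodejs8_http
        onFailure: acs:fc:::services/Puppeteer/functions/HtmlToPng
    maxAsyncEventAgeInSeconds: 456
    maxAsyncRetryAttempts: 3
    statefulInvocation: false
# NOTE(review): the custom policy below grants fc:*Service on Resource "*" —
# any fc action ending in Service (Create/Update/Delete/GetService, ...) on
# every service in the account — which is far wider than the per-service
# statements used elsewhere on this page; narrow it for a least-privilege
# sub-account. It also keeps ram:PassRole on "*" although this stanza sets
# no role.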
子账号需要的权限
  • 最大权限(系统策略)
    • AliyunFCFullAccess
    • AliyunMNSReadOnlyAccess:查看消息服务MNS的权限。
    • AliyunEventBridgeReadOnlyAccess:查看事件总线EventBridge的权限。
    • AliyunMQReadOnlyAccess:消息队列RocketMQ版的查看权限。
    • AliyunFCInvocationAccess:函数调用的权限。
  • 最小权限(自定义策略)
    说明 fc:GetFunctionAsyncInvokeConfig的权限为可选。
    • 系统策略
      • AliyunMNSReadOnlyAccess:如果异步调用目标服务为消息服务MNS,则需配置此权限。
      • AliyunEventBridgeReadOnlyAccess:如果异步调用目标服务为事件总线EventBridge,则需配置此权限。
      • AliyunMQReadOnlyAccess:如果异步调用目标服务为消息队列RocketMQ版,则需配置此权限。
    • 自定义策略
      {
                      "Version": "1",
                      "Statement": [
                          {
                              "Action": "fc:*Service",
                              "Resource": "*",
                              "Effect": "Allow"
                          },
                          {
                              "Action": [
                                  "fc:GetFunction",
                                  "fc:CreateFunction",
                                  "fc:UpdateFunction"
                              ],
                              "Effect": "Allow",
                              "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>/functions/*"
                          },
                          {
                              "Action": [
                                  "fc:InvokeFunction",
                                  "fc:GetFunctionAsyncInvokeConfig",
                                  "fc:DeleteFunctionAsyncInvokeConfig",
                                  "fc:PutFunctionAsyncInvokeConfig"
                              ],
                              "Effect": "Allow",
                              "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>.*/functions/*"
                          },
                          {
                              "Action": "ram:PassRole",
                              "Effect": "Allow",
                              "Resource": "*"
                          }
                      ]
                  }
                  

触发器相关权限配置

# HTTP trigger for the function above. The deploy policy below is scoped to
# the single path services/<serviceName>/functions/<functionName>/triggers/<triggerName>.
triggers:
    - name: httpTrigger
      type: http
      config:
        # NOTE(review): anonymous disables request authentication on this
        # trigger, so anyone who knows the URL can invoke the function; keep
        # it only when the endpoint is meant to be public.
        authType: anonymous
        methods:
          - GET
          - POST
子账号需要的函数权限
  • 最大权限(系统策略)

    AliyunFCFullAccess

  • 部署最小权限(自定义策略)
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "fc:GetTrigger",
                    "fc:CreateTrigger",
                    "fc:UpdateTrigger"
                ],
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>/functions/<functionName>/triggers/<triggerName>"
            }
        ]
    }
    
  • 删除最小权限(自定义策略)
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "fc:DeleteTrigger",
                "Resource": "acs:fc:<region>:<accountId>:services/<serviceName>/functions/<functionName>/triggers/*",
                "Effect": "Allow"
            }
        ]
    }
    

自定义域名相关权限配置

# Auto-allocated custom domain routed to the function above.
customDomains:
    # auto: per the note below the component temporarily creates a helper
    # HTTP function, which is why the policy below needs create/delete rights
    # on services/*, functions/* and triggers/* rather than a single resource.
    - domainName: auto
      # Plain HTTP is configured here; traffic to this domain is unencrypted
      # unless an HTTPS option is set elsewhere.
      protocol: HTTP
      routeConfigs:
        # Catch-all route; the leading / keeps * from being read as an alias.
        - path: /*
          serviceName: unit-deploy-service
          functionName: event-function
子账号需要的函数权限
  • 最大权限(系统策略)

    AliyunFCFullAccess

  • 最小权限(自定义策略)
    说明 自定义域名会涉及到较多服务和函数权限,原因在于domainName为auto时,需要创建HTTP函数作为一个辅助函数,使用完后该函数将被删除。
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "fc:DeleteService",
                    "fc:UpdateService",
                    "fc:CreateService"
                ],
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<accountId>:services/*"
            },
            {
                "Action": [
                    "fc:DeleteFunction",
                    "fc:CreateFunction",
                    "fc:UpdateFunction"
                ],
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<accountId>:services/*/functions/*"
            },
            {
                "Action": [
                  "fc:DeleteTrigger",
                  "fc:UpdateTrigger",
                  "fc:CreateTrigger"
                ],
                "Effect": "Allow",
                "Resource": "acs:fc:<region>:<accountId>:services/*/functions/*/triggers/*"
            },
            {
                "Action": "ram:PassRole",
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Action": [
                    "fc:GetCustomDomain",
                    "fc:UpdateCustomDomain",
                    "fc:CreateCustomDomain"
                ],
                "Resource": "acs:fc:<region>:<accountId>:custom-domains/*",
                "Effect": "Allow"
            }
        ]
    }