function field

| Parameter Name | Required | Type | Parameter Description |
| --- | --- | --- | --- |
| name | True | String | Function name |
| description | False | String | A short description of the function |
| codeUri | False | String | Code location |
| ossBucket | False | String | The OSS bucket where the code is stored |
| ossKey | False | String | The object key when the code is stored in OSS; cannot appear at the same time as codeUri |
| handler | False | String | The entry point of function execution; the specific format depends on the language |
| memorySize | False | Number | The memory size of the function |
| runtime | True | String | Runtime |
| timeout | False | Number | The timeout for the function to run |
| caPort | False | Number | Port specified for CustomContainer/Runtime |
| customContainerConfig | False | Struct | Custom image configuration |
| environmentVariables | False | Struct | Environment variables |
| initializationTimeout | False | Number | Timeout of the initialization method |
| initializer | False | String | Initializer |
| instanceConcurrency | False | Number | Single instance with multiple concurrency |
| instanceType | False | String | Function instance type, optional values: e1 (elastic instance), c1 (performance instance), g1 (GPU instance) |
| gpuMemorySize | False | Number | GPU instance memory size |
| layers | False | List<String> | Layers bound to the function; supports Custom, Go1, Nodejs and Python; the value is the ARN of the layer |
| instanceLifecycleConfig | False | Struct | Extension function |
| asyncConfiguration | False | Struct | Async configuration |
| customDNS | False | Struct | DNS configuration |
| customRuntimeConfig | False | Struct | Custom runtime startup configuration |

Examples:

function:    
  name: event-function    
  description: this is a test    
  runtime: nodejs12    
  codeUri: ./    
  handler: index.handler    
  memorySize: 128    
  timeout: 60

Function permissions required by the account

Maximum permissions

AliyunFCFullAccess

deploy least privilege

⚠️ fc:GetFunctionAsyncInvokeConfig is optional; omitting it does not affect use.

{
    "Statement":[
        {
            "Action":[
                "fc:GetFunction",
                "fc:CreateFunction",
                "fc:UpdateFunction"
            ],
            "Effect":"Allow",
            "Resource":"acs:fc:<region>:<account-id>:services/<service-name>/functions/*"
        }
    ],
    "Version":"1"
}

remove least privilege

{
    "Version":"1",
    "Statement":[
        {
            "Action":"fc:DeleteFunction",
            "Resource":"acs:fc:<region>:<account-id>:services/<serviceName>/functions/<functionName>",
            "Effect":"Allow"
        }
    ]
}

runtime

The runtime currently supports:

  • nodejs14, nodejs12, nodejs10, nodejs8, nodejs6, nodejs4.4
  • python3.9, python3, python2.7
  • java11, java8
  • go1
  • php7.2
  • dotnetcore2.1
  • custom, custom-container

Service role permission required when the runtime is custom-container:

System Policy: AliyunContainerRegistryReadOnlyAccess

customContainerConfig

| Parameter Name | Required | Type | Parameter Description |
| --- | --- | --- | --- |
| image | False | String | Container image repository address |
| command | False | String | Container startup command, example value: '["/code/myserver"]' |
| args | False | String | Container startup parameters, example values: '["-arg1", "value1"]' |
| accelerationType | False | String | Image acceleration switch, optional values: 'Default', 'None'; the former means on, the latter means off |
| instanceID | False | String | The ID of the Container Image Service Enterprise Edition instance. When an Enterprise Edition instance is selected for the container image, you need to add its instance ID. The default resolution of the instance must be the VPC network address where the service is located. Domain name resolution defined through the PrivateZone product is not currently supported |

environmentVariables

Object format, for example:

TempKey: tempValue

instanceLifecycleConfig

| Parameter Name | Required | Type | Parameter Description |
| --- | --- | --- | --- |
| preFreeze | False | Struct (see "preFreeze and preStop") | PreFreeze function |
| preStop | False | Struct (see "preFreeze and preStop") | PreStop function |

preFreeze and preStop

| Parameter Name | Required | Type | Parameter Description |
| --- | --- | --- | --- |
| handler | True | String | Function entry |
| timeout | False | Number | Timeout time |

asyncConfiguration

| Parameter Name | Required | Type | Parameter Description |
| --- | --- | --- | --- |
| maxAsyncEventAgeInSeconds | False | Number | The maximum survival time of the message, the value range is [1,2592000]. Unit: Second |
| maxAsyncRetryAttempts | False | Number | The maximum number of retries after an asynchronous call fails, the default value is 3. Value range [0,8] |
| statefulInvocation | False | Boolean | Whether to enable stateful asynchronous invocation |
| destination | False | Struct | The configuration structure of the asynchronous call destination |
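
A pre-deploy check of the constraints documented on this page (required fields, supported runtimes, the codeUri/ossKey exclusion, instance types, lifecycle handlers and the async value ranges). This is an added example, not code from the original page or the project; `validate_function` and the sample mappings are this example's own names, and the input is assumed to be the already-parsed `function` block.

```python
# Added example: checks a parsed `function` mapping against this page's tables.
RUNTIMES = {"nodejs14", "nodejs12", "nodejs10", "nodejs8", "nodejs6", "nodejs4.4",
            "python3.9", "python3", "python2.7", "java11", "java8", "go1",
            "php7.2", "dotnetcore2.1", "custom", "custom-container"}
INSTANCE_TYPES = {"e1", "c1", "g1"}


def validate_function(fn):
    """Return a list of problems found in a parsed `function` mapping."""
    problems = []
    for key in ("name", "runtime"):  # the two fields marked Required
        if not fn.get(key):
            problems.append(f"{key}: required")
    if fn.get("runtime") and fn["runtime"] not in RUNTIMES:
        problems.append(f"runtime: unsupported value {fn['runtime']!r}")
    if "codeUri" in fn and "ossKey" in fn:
        problems.append("ossKey: cannot appear together with codeUri")
    if "instanceType" in fn and fn["instanceType"] not in INSTANCE_TYPES:
        problems.append("instanceType: must be e1, c1 or g1")
    for hook in ("preFreeze", "preStop"):
        cfg = fn.get("instanceLifecycleConfig", {}).get(hook)
        if cfg is not None and not cfg.get("handler"):
            problems.append(f"instanceLifecycleConfig.{hook}.handler: required")
    async_cfg = fn.get("asyncConfiguration", {})
    age = async_cfg.get("maxAsyncEventAgeInSeconds")
    if age is not None and not 1 <= age <= 2592000:
        problems.append("maxAsyncEventAgeInSeconds: outside [1,2592000]")
    retries = async_cfg.get("maxAsyncRetryAttempts")
    if retries is not None and not 0 <= retries <= 8:
        problems.append("maxAsyncRetryAttempts: outside [0,8]")
    return problems


# Constructed sample inputs (GOOD mirrors the page's example; BAD is invented).
GOOD = {"name": "event-function", "runtime": "nodejs12", "codeUri": "./",
        "handler": "index.handler", "memorySize": 128, "timeout": 60}
BAD = {"name": "event-function", "runtime": "nodejs16", "codeUri": "./",
       "ossBucket": "my-bucket", "ossKey": "code.zip", "instanceType": "x1",
       "instanceLifecycleConfig": {"preStop": {"timeout": 10}},
       "asyncConfiguration": {"maxAsyncEventAgeInSeconds": 0,
                              "maxAsyncRetryAttempts": 9}}

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, validate_function(cfg) or "ok")
```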

customDNS

| Parameter Name | Required | Type | Parameter Description |
| --- | --- | --- | --- |
| nameServers | False | List<String> | List of IP addresses of DNS servers |
| searches | False | List<String> | DNS search domains list |
| dnsOptions | False | List<Struct> | Corresponds to the Options item of resolv.conf DNS configuration |

customRuntimeConfig

| Parameter Name | Required | Type | Parameter Description |
| --- | --- | --- | --- |
| command | True | List<String> | Start command, example value: ["/code/myserver"] |
| args | False | String | Startup arguments, example values: ["-arg1", "value1"] |

dnsOptions

| Parameter Name | Required | Type | Parameter Description |
| --- | --- | --- | --- |
| name | True | String | The key corresponding to the Options item of the resolv.conf DNS configuration |
| value | True | String | Corresponds to the value of the Options item of the resolv.conf DNS configuration |

Service role permissions

  • fc is configured: AliyunFCInvocationAccess
  • mns is configured:

{
    "Action":[
        "mns:SendMessage",
        "mns:PublishMessage"
    ],
    "Resource":"*",
    "Effect":"Allow"
}

Permissions required for sub-accounts

Maximum permissions

System policy: AliyunFCFullAccess, AliyunMNSReadOnlyAccess [permission to view message service (MNS)], AliyunEventBridgeReadOnlyAccess [permission to event bus (EventBridge)], AliyunMQReadOnlyAccess [permission to message queue (MQ)], AliyunFCInvocationAccess [permission to invoke functions]

Operating minimum permissions

System Policy

  • If MNS is configured: AliyunMNSReadOnlyAccess
  • If EventBridge is configured: AliyunEventBridgeReadOnlyAccess
  • If MQ is configured: AliyunMQReadOnlyAccess

Custom Policy

{
    "Version":"1",
    "Statement":[
        {
            "Action":"fc:*Service",
            "Resource":"*",
            "Effect":"Allow"
        },
        {
            "Action":[
                "fc:GetFunction",
                "fc:CreateFunction",
                "fc:UpdateFunction"
            ],
            "Effect":"Allow",
            "Resource":"acs:fc:<region>:<account-id>:services/unit-deploy-service/functions/*"
        },
        {
            "Action":[
                "fc:InvokeFunction",
                "fc:GetFunctionAsyncInvokeConfig",
                "fc:DeleteFunctionAsyncInvokeConfig",
                "fc:PutFunctionAsyncInvokeConfig"
            ],
            "Effect":"Allow",
            "Resource":"acs:fc:<region>:<account-id>:services/unit-deploy-service.*/functions/*"
        },
        {
            "Action":"ram:PassRole",
            "Effect":"Allow",
            "Resource":"*"
        }
    ]
}
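
A review aid for the custom policy above, run before it is attached to a sub-account: it lists every Allow statement that pairs a wildcard action or `ram:PassRole` with `"Resource":"*"`, and any `<placeholder>` left unfilled. This is an added example, not part of the original page or the project; `audit_policy`, `as_list` and the severity labels are this example's own choices.

```python
# Added example: flag broad grants in a RAM policy document before attaching it.
PAGE_POLICY = {"Version": "1", "Statement": [  # the Custom Policy shown above
    {"Action": "fc:*Service", "Resource": "*", "Effect": "Allow"},
    {"Action": ["fc:GetFunction", "fc:CreateFunction", "fc:UpdateFunction"],
     "Effect": "Allow",
     "Resource": "acs:fc:<region>:<account-id>:services/unit-deploy-service/functions/*"},
    {"Action": ["fc:InvokeFunction", "fc:GetFunctionAsyncInvokeConfig",
                "fc:DeleteFunctionAsyncInvokeConfig", "fc:PutFunctionAsyncInvokeConfig"],
     "Effect": "Allow",
     "Resource": "acs:fc:<region>:<account-id>:services/unit-deploy-service.*/functions/*"},
    {"Action": "ram:PassRole", "Effect": "Allow", "Resource": "*"},
]}


def as_list(value):
    """The page's policies give Action as a string or a list; normalise both."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (statement index, severity, message) for each broad Allow grant."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))
        any_resource = "*" in resources
        for action in actions:
            if action.lower() == "ram:passrole" and any_resource:
                findings.append((i, "high", "ram:PassRole on every role; scope Resource to the service role"))
            elif "*" in action and any_resource:
                findings.append((i, "medium", f"wildcard action {action} on every resource"))
            elif "*" in action:
                findings.append((i, "low", f"wildcard action {action}"))
            elif any_resource:
                findings.append((i, "medium", f"{action} on every resource"))
        for res in resources:
            if "<" in res and ">" in res:
                findings.append((i, "info", f"unfilled placeholder in {res}"))
    return findings


if __name__ == "__main__":
    for finding in audit_policy(PAGE_POLICY):
        print(finding)
```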

destination

| Parameter Name | Required | Type | Parameter Description |
| --- | --- | --- | --- |
| onSuccess | False | String | The target service when the asynchronous call succeeds |
| onFailure | False | String | The target service when the asynchronous call fails |

Updated at Wed, Sep 21, 2022