service field

| Parameter Name | Required | Type | Parameter Description |
| --- | --- | --- | --- |
| name | True | String | Service name |
| description | False | String | A short description of the service |
| internetAccess | False | Boolean | Set to true to allow the function to access the public network |
| tracingConfig | False | String | Tracing, available values: Enable, Disable |
| role | False | String [simple configuration] / Struct [detailed configuration] | The RAM role that grants Function Compute the permissions it needs. Used to 1. send the logs generated by the function to the user's logstore, and 2. obtain a token so the function can access other cloud resources while it runs |
| logConfig | False | Enum [simple configuration] / Struct [detailed configuration] | Log configuration; logs generated by the function are written to the logstore configured here |
| vpcConfig | False | Enum [simple configuration] / Struct [detailed configuration] | VPC configuration; once configured, the function can access the specified VPC |
| nasConfig | False | Enum [simple configuration] / Struct [detailed configuration] | NAS configuration; once configured, the function can access the specified NAS |
| vpcBinding | False | List<String> | Allow only the specified VPCs to access the function |
```yaml
service:
    name: unit-deploy-service
    description: 'demo for fc-deploy component'
    internetAccess: true
```

Permissions required for sub-accounts

Maximum permissions

System Policy: AliyunFCFullAccess

Deployment Least Privileges

Custom Policy

⚠️ The fc:GetService permission is optional.

```json
{
    "Version": "1",
    "Statement": [
        {
            "Action": "fc:CreateService",
            "Resource": "acs:fc:<region>:<account-id>:services/*",
            "Effect": "Allow"
        },
        {
            "Action": "fc:UpdateService",
            "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>",
            "Effect": "Allow"
        },
        {
            "Action": "fc:GetService",
            "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>",
            "Effect": "Allow"
        }
    ]
}
```
Removal Least Privileges

Custom Policy

```json
{
    "Version": "1",
    "Statement": [
        {
            "Action": "fc:DeleteService",
            "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>",
            "Effect": "Allow"
        }
    ]
}
```

role

When the role parameter is a string, it is the ARN of an existing RAM role, for example: acs:ram::xxx:role/AliyunFcDefaultRole

When the role parameter is a structure, you can refer to:

| Parameter Name | Required | Type | Parameter Description |
| --- | --- | --- | --- |
| name | True | String | Role name |
| policies | True | List<Struct> | List of policies |

Examples:

```yaml
role:
  name: roleName
  policies:
    - AliyunOSSFullAccess
    - name: myPolicy
      description: custom policy
      statement:
      - Effect: Allow
        Action:
          - log:ListProject
        Resource:
          - acs:log:*:*:project/*
```
Permissions required for sub-accounts

Maximum permissions

System Policy: AliyunFCFullAccess, AliyunRAMFullAccess

Fine-grained permissions

Custom Policy
```json
{
    "Statement": [
        {
          "Action": [
            "ram:PassRole",
            "ram:GetRole",
            "ram:CreateRole",
            "ram:ListPoliciesForRole",
            "ram:AttachPolicyToRole",
            "ram:GetPolicy",
            "ram:CreatePolicy",
            "ram:ListPolicyVersions",
            "ram:CreatePolicyVersion",
            "ram:DeletePolicyVersion"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
    ],
    "Version": "1"
}
```

policies

policies is a list of policies. When this field is used, the AccessKey configured locally must have permission to create policies and roles, because the component creates the role and attaches the policies for you. Elements of the list may be either a string (the name of a system policy) or a policy structure with the following fields:

| Parameter Name | Required | Type | Parameter Description |
| --- | --- | --- | --- |
| name | True | String | Policy name |
| description | False | String | Policy description |
| statement | True | List<Struct> | List of policy statements |

statement

statement is the list of policy statements; each element has the following structure:

| Parameter Name | Required | Type | Parameter Description |
| --- | --- | --- | --- |
| Effect | True | String | Policy effect, allowed values are 'Allow' and 'Deny' |
| Action | True | List<String> | Policy actions |
| Resource | True | String / List<String> | Target resources of the policy |
| Condition | False | Object | Condition under which the policy applies |
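The struct form of role, policies and statement is easy to get wrong in YAML, and an over-broad statement here becomes the permission set of every function in the service. The linter below is an added example, not fc-deploy's own code: it checks the shapes from the three tables above and warns about grants a function role rarely needs (an Allow statement with a bare `*` Action or Resource, or an attached system policy named *FullAccess). The sample roles are constructed for the example; the first is this page's own role example.

```python
"""Lint the `role` field of an fc-deploy service block before deploying.

Added example, not part of fc-deploy. Errors mean the YAML does not match the
shapes documented for role / policies / statement; warnings flag grants that
are wider than a function role usually needs.
"""

VALID_EFFECTS = ("Allow", "Deny")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_statement(stmt, where):
    """Return (errors, warnings) for one statement of a custom policy."""
    errors, warnings = [], []
    if not isinstance(stmt, dict):
        return [f"{where}: statement must be a mapping"], warnings
    for key in ("Effect", "Action", "Resource"):
        if key not in stmt:
            errors.append(f"{where}: missing required key {key}")
    effect = stmt.get("Effect")
    if "Effect" in stmt and effect not in VALID_EFFECTS:
        errors.append(f"{where}: Effect must be Allow or Deny, got {effect!r}")
    if "Action" in stmt and not isinstance(stmt["Action"], list):
        errors.append(f"{where}: Action must be a list of strings")
    if "Resource" in stmt and not isinstance(stmt["Resource"], (str, list)):
        errors.append(f"{where}: Resource must be a string or a list of strings")
    if "Condition" in stmt and not isinstance(stmt["Condition"], dict):
        errors.append(f"{where}: Condition must be a mapping")
    if effect == "Allow":
        actions = [a for a in _as_list(stmt.get("Action", [])) if isinstance(a, str)]
        resources = [r for r in _as_list(stmt.get("Resource", [])) if isinstance(r, str)]
        # "*" or "service:*" allows every action of a service; "*" as resource
        # without a Condition allows it on everything in the account.
        if any(a == "*" or a.endswith(":*") for a in actions):
            warnings.append(f"{where}: Allow grants wildcard actions {actions}")
        if "*" in resources and "Condition" not in stmt:
            warnings.append(f"{where}: Allow on Resource '*' without a Condition")
    return errors, warnings


def check_role(role):
    """Validate a `role` value (ARN string or struct); returns (errors, warnings)."""
    errors, warnings = [], []
    if isinstance(role, str):
        if not role.startswith("acs:ram::") or ":role/" not in role:
            errors.append("role: string form must be a RAM role ARN like acs:ram::<account-id>:role/<name>")
        return errors, warnings
    if not isinstance(role, dict):
        return ["role: must be a role ARN string or a mapping"], warnings
    if not isinstance(role.get("name"), str) or not role["name"]:
        errors.append("role.name: required string")
    policies = role.get("policies")
    if not isinstance(policies, list) or not policies:
        errors.append("role.policies: required non-empty list")
        return errors, warnings
    for i, pol in enumerate(policies):
        where = f"role.policies[{i}]"
        if isinstance(pol, str):
            # A system policy attached by name, e.g. AliyunOSSFullAccess.
            if pol.endswith("FullAccess"):
                warnings.append(f"{where}: {pol} grants full access to a whole service")
            continue
        if not isinstance(pol, dict):
            errors.append(f"{where}: must be a policy name or a mapping")
            continue
        if not isinstance(pol.get("name"), str) or not pol["name"]:
            errors.append(f"{where}.name: required string")
        stmts = pol.get("statement")
        if not isinstance(stmts, list) or not stmts:
            errors.append(f"{where}.statement: required non-empty list")
            continue
        for j, stmt in enumerate(stmts):
            e, w = check_statement(stmt, f"{where}.statement[{j}]")
            errors.extend(e)
            warnings.extend(w)
    return errors, warnings


# Constructed inputs: the role example from this page, and an over-broad variant.
PAGE_EXAMPLE_ROLE = {
    "name": "roleName",
    "policies": [
        "AliyunOSSFullAccess",
        {"name": "myPolicy", "description": "custom policy",
         "statement": [{"Effect": "Allow", "Action": ["log:ListProject"],
                        "Resource": ["acs:log:*:*:project/*"]}]},
    ],
}
OVERBROAD_ROLE = {
    "name": "roleName",
    "policies": [{"name": "tooWide",
                  "statement": [{"Effect": "Allow", "Action": ["*"], "Resource": "*"},
                                {"Effect": "allow", "Action": "oss:GetObject"}]}],
}

if __name__ == "__main__":
    for label, role in (("page example", PAGE_EXAMPLE_ROLE), ("over-broad", OVERBROAD_ROLE)):
        errors, warnings = check_role(role)
        print(label, "errors:", errors, "warnings:", warnings)
```

Run it on the `role` mapping loaded from s.yaml before `s deploy`; treat errors as a hard stop and review each warning, since a wildcard Allow attached here is inherited by every function in the service.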

logConfig

When the logConfig parameter is a simple configuration, its value is: auto

When the logConfig parameter is a structure, you can refer to:

| Parameter Name | Required | Type | Parameter Description |
| --- | --- | --- | --- |
| logstore | False | String | Logstore name in Log Service (loghub) |
| project | False | String | Project name in Log Service (loghub) |
| enableRequestMetrics | False | Boolean | RequestMetrics switch, value true/false |
| enableInstanceMetrics | False | Boolean | InstanceMetrics switch, value true/false |
| logBeginRule | False | String | Rule for splitting multi-line log output into entries; values: DefaultRegex, None |
Examples:

```yaml
service:
    name: unit-deploy-service
    description: 'demo for fc-deploy component'
    internetAccess: true
    role: <role-arn> # an existing role; for its contents see Service role permissions
    # logConfig: auto
    logConfig:
        project: XXX
        logstore: XXX
```

When logConfig is auto, the project name is generated as `{accountID}-{region}-logproject` and the logstore name as `fc-service-{serviceName}-logstore` converted to lower case (`'fc-service-{serviceName}-logstore'.toLocaleLowerCase()`).

Permissions required for sub-accounts
Maximum permissions

System policy: AliyunFCFullAccess, AliyunLogFullAccess

Deploy with minimal permissions
  • when logConfig is not auto

Custom Policy

```json
{
    "Statement": [
        {
            "Action": "ram:PassRole",
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "1"
}
```
  • when logConfig is auto

Custom Policy

```json
{
    "Version":"1",
    "Statement":[
        {
            "Action":"ram:PassRole",
            "Effect":"Allow",
            "Resource":"*"
        },
        {
            "Action":[
                "log:GetProject",
                "log:CreateProject"
            ],
            "Resource":"acs:log:<region>:<account-id>:project/<project-name>",
            "Effect":"Allow"
        },
        {
            "Action":[
                "log:CreateLogStore",
                "log:GetIndex",
                "log:GetLogStore",
                "log:CreateIndex"
            ],
            "Resource":"acs:log:<region>:<account-id>:project/<project-name>/logstore/<logstore-name>",
            "Effect":"Allow"
        }
    ]
}
```
Service role permissions
Maximum permissions

System Policy: AliyunLogFullAccess

Least privileges

Custom Policy

```json
{
    "Version":"1",
    "Statement":[
        {
            "Action":"log:PostLogStoreLogs",
            "Resource":"acs:log:<region>:<account-id>:project/<projectName>/logstore/<logstoreName>",
            "Effect":"Allow"
        }
    ]
}
```

vpcConfig

When the vpcConfig parameter is a simple configuration, its value is: auto

When the vpcConfig parameter is a structure, you can refer to:

| Parameter Name | Required | Type | Parameter Description |
| --- | --- | --- | --- |
| securityGroupId | False | String | Security group ID |
| vSwitchIds | False | List<String> | List of vSwitch IDs |
| vpcId | False | String | VPC ID |

Examples:

```yaml
service:
  name: unit-deploy-service
  description: 'demo for fc-deploy component'
  internetAccess: true
  role: <role-arn> # an existing role; for its contents see Service role permissions
  # vpcConfig: auto
  vpcConfig:
    vpcId: xxx
    securityGroupId: xxx
    vswitchIds:
      - vsw-xxx
```
Permissions required for sub-accounts
Maximum permissions

System Policy: AliyunFCFullAccess, AliyunVPCFullAccess, AliyunECSFullAccess

Deploy with minimal permissions (in addition to the service permissions under [Permissions required for sub-accounts](#permissions-required-for-sub-accounts))
  • when vpcConfig is not auto

Custom Policy

```json
{
     "Statement":[
         {
             "Action":"ram:PassRole",
             "Effect":"Allow",
             "Resource": "*"
         }
     ],
     "Version": "1"
}
```
  • when vpcConfig is auto

System Policy: AliyunVPCReadOnlyAccess

Custom Policy

```json
{
    "Statement":[
        {
            "Action":"ram:PassRole",
            "Effect":"Allow",
            "Resource":"*"
        },
        {
            "Action":"fc:GetAccountSettings",
            "Effect":"Allow",
            "Resource":"acs:fc:<region>:<account-id>:account-settings"
        },
        {
            "Action":[
                "vpc:CreateVpc",
                "vpc:CreateVSwitch",
                "ecs:AuthorizeSecurityGroup",
                "ecs:DescribeSecurityGroups",
                "ecs:CreateSecurityGroup"
            ],
            "Effect":"Allow",
            "Resource":"*"
        }
    ],
    "Version":"1"
}
```
Service role permissions

System Policy: AliyunECSNetworkInterfaceManagementAccess

nasConfig

When the nasConfig parameter is a simple configuration, its value is: auto

When the nasConfig parameter is a structure, you can refer to:

| Parameter Name | Required | Type | Parameter Description |
| --- | --- | --- | --- |
| mountPoints | False | List<Struct> [multiple directory configuration] | Directory configuration |
| userId | False | String | userID, default is 10003 |
| groupId | False | String | groupID, default is 10003 |

Examples:

```yaml
service:
  name: unit-deploy-service
  description: 'demo for fc-deploy component'
  internetAccess: true
  role: <role-arn> # an existing role; for its contents see Service role permissions
  vpcConfig:
    vpcId: xxx
    securityGroupId: xxx
    vswitchIds:
      - vsw-xxx
  nasConfig:
    userId: 10003
    groupId: 10003
    mountPoints:
      - serverAddr: xxx-xxx.cn-shenzhen.nas.aliyuncs.com
        nasDir: /unit-deploy-service
        fcDir: /mnt/auto
```
Permissions required for sub-accounts
Maximum permissions

System Policy: AliyunFCFullAccess, AliyunVPCFullAccess, AliyunNasFullAccess

Deploy with minimal permissions
  • when nasConfig is not auto

Custom Policy

```json
{
     "Statement":[
         {
             "Action":"ram:PassRole",
             "Effect":"Allow",
             "Resource": "*"
         }
     ],
     "Version": "1"
}
```
  • when nasConfig is auto

System Policy: AliyunNasReadOnlyAccess

Custom Policy

```json
{
    "Statement":[
        {
            "Action":"fc:GetAccountSettings",
            "Effect":"Allow",
            "Resource":"acs:fc:<region>:<account-id>:account-settings"
        },
        {
            "Action":[
                "fc:UpdateService",
                "fc:CreateService"
            ],
            "Effect":"Allow",
            "Resource":"acs:fc:<region>:<account-id>:services/*"
        },
        {
            "Action":[
                "fc:InvokeFunction",
                "fc:CreateFunction",
                "fc:UpdateFunction"
            ],
            "Effect":"Allow",
            "Resource":"acs:fc:<region>:<account-id>:services/*/functions/*"
        },
        {
            "Action":[
                "fc:UpdateTrigger",
                "fc:CreateTrigger"
            ],
            "Effect":"Allow",
            "Resource":"acs:fc:<region>:<account-id>:services/*/functions/*/triggers/*"
        },
        {
            "Action":"ram:PassRole",
            "Effect":"Allow",
            "Resource":"*"
        },
        {
            "Action":[
                "nas:CreateMountTarget",
                "nas:DescribeMountTargets",
                "nas:DescribeFileSystems",
                "nas:CreateFileSystem",
                "vpc:DescribeVSwitchAttributes"
            ],
            "Effect":"Allow",
            "Resource":"*"
        }
    ],
    "Version":"1"
}
```
Service role permissions

System Policy: AliyunECSNetworkInterfaceManagementAccess

mountPoints

| Parameter Name | Required | Type | Parameter Description |
| --- | --- | --- | --- |
| serverAddr | False | String | NAS server (mount target) address |
| nasDir | False | String | Directory on the NAS file system to mount |
| fcDir | False | String | Mount path inside the Function Compute instance |

tracingConfig

Tracing, available values: Enable, Disable

Examples

```yaml
service:
   name: unit-deploy-service
   description: 'demo for fc-deploy component'
   internetAccess: true
   tracingConfig: Enable
```
Permissions required for sub-accounts

System policy: AliyunFCFullAccess, AliyunTracingAnalysisReadOnlyAccess

Custom Policy

```json
{
    "Statement":[
        {
            "Action":"ram:PassRole",
            "Effect":"Allow",
            "Resource":"*"
        }
    ],
    "Version":"1"
}
```
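Putting the per-feature fragments on this page together, as an added example that is not fc-deploy's own code: the Python below derives the deployer policy and the service-role policy from a `service` block, so the sub-account that runs the deployment and the role the functions assume each get only what the chosen features need. It assumes the region and account id are supplied by the caller, applies the naming rule from the logConfig section for the `auto` case, and scopes `ram:PassRole` to the role ARN when `role` is given as a string (RAM accepts role ARNs as PassRole resources; the fragments above use `*`). The sample service, account id and role ARN are constructed for the example.

```python
"""Derive the RAM policies this page lists from an fc-deploy `service` block.

Added example, not fc-deploy's own code. The action lists are copied from the
policy fragments on this page; region and account id are assumed known to
the caller.
"""
import json

# Per-feature action lists, as listed on this page for the `auto` cases.
LOG_PROJECT_ACTIONS = ["log:GetProject", "log:CreateProject"]
LOG_STORE_ACTIONS = ["log:CreateLogStore", "log:GetIndex", "log:GetLogStore", "log:CreateIndex"]
VPC_AUTO_ACTIONS = ["vpc:CreateVpc", "vpc:CreateVSwitch", "ecs:AuthorizeSecurityGroup",
                    "ecs:DescribeSecurityGroups", "ecs:CreateSecurityGroup"]
NAS_AUTO_ACTIONS = ["nas:CreateMountTarget", "nas:DescribeMountTargets",
                    "nas:DescribeFileSystems", "nas:CreateFileSystem",
                    "vpc:DescribeVSwitchAttributes"]
# Needed only when fc-deploy must create the role itself (struct form of `role`).
RAM_ROLE_ACTIONS = ["ram:GetRole", "ram:CreateRole", "ram:ListPoliciesForRole",
                    "ram:AttachPolicyToRole", "ram:GetPolicy", "ram:CreatePolicy",
                    "ram:ListPolicyVersions", "ram:CreatePolicyVersion",
                    "ram:DeletePolicyVersion"]


def auto_log_names(service_name, account_id, region):
    """Project and logstore names fc-deploy generates when logConfig is `auto`."""
    project = f"{account_id}-{region}-logproject"
    logstore = f"fc-service-{service_name}-logstore".lower()
    return project, logstore


def _allow(actions, resource):
    actions = [actions] if isinstance(actions, str) else list(actions)
    return {"Action": actions, "Resource": resource, "Effect": "Allow"}


def build_deploy_policy(service, region, account_id):
    """Least-privilege policy for the sub-account that deploys this service."""
    name = service["name"]
    fc = f"acs:fc:{region}:{account_id}"
    stmts = [_allow("fc:CreateService", f"{fc}:services/*"),
             _allow(["fc:UpdateService", "fc:GetService"], f"{fc}:services/{name}")]
    role = service.get("role")
    if isinstance(role, str):
        # Assumption: PassRole scoped to the one role ARN the service will use.
        stmts.append(_allow("ram:PassRole", role))
    elif isinstance(role, dict):
        # The role does not exist yet, so PassRole stays "*" and RAM actions are added.
        stmts.append(_allow("ram:PassRole", "*"))
        stmts.append(_allow(RAM_ROLE_ACTIONS, "*"))
    if service.get("logConfig") == "auto":
        project, logstore = auto_log_names(name, account_id, region)
        log = f"acs:log:{region}:{account_id}:project/{project}"
        stmts.append(_allow(LOG_PROJECT_ACTIONS, log))
        stmts.append(_allow(LOG_STORE_ACTIONS, f"{log}/logstore/{logstore}"))
    if "auto" in (service.get("vpcConfig"), service.get("nasConfig")):
        stmts.append(_allow("fc:GetAccountSettings", f"{fc}:account-settings"))
    if service.get("vpcConfig") == "auto":
        stmts.append(_allow(VPC_AUTO_ACTIONS, "*"))
    if service.get("nasConfig") == "auto":
        stmts.append(_allow(NAS_AUTO_ACTIONS, "*"))
    return {"Version": "1", "Statement": stmts}


def build_service_role_policy(service, region, account_id):
    """What the function's own role needs: system policies plus a scoped log grant."""
    system = []
    if service.get("vpcConfig") is not None or service.get("nasConfig") is not None:
        system.append("AliyunECSNetworkInterfaceManagementAccess")
    cfg = service.get("logConfig")
    if cfg == "auto":
        project, logstore = auto_log_names(service["name"], account_id, region)
    elif isinstance(cfg, dict):
        project, logstore = cfg["project"], cfg["logstore"]
    else:
        return {"systemPolicies": system, "customPolicy": None}
    store = f"acs:log:{region}:{account_id}:project/{project}/logstore/{logstore}"
    custom = {"Version": "1", "Statement": [_allow("log:PostLogStoreLogs", store)]}
    return {"systemPolicies": system, "customPolicy": custom}


# Constructed sample service; the account id and role ARN are made up.
SAMPLE_SERVICE = {
    "name": "Unit-Deploy-Service",
    "internetAccess": True,
    "role": "acs:ram::123456789012:role/aliyunfcdefaultrole",
    "logConfig": "auto",
    "vpcConfig": "auto",
    "nasConfig": "auto",
}

if __name__ == "__main__":
    print(json.dumps(build_deploy_policy(SAMPLE_SERVICE, "cn-shenzhen", "123456789012"), indent=2))
    print(json.dumps(build_service_role_policy(SAMPLE_SERVICE, "cn-shenzhen", "123456789012"), indent=2))
```

The deployer policy grows only with the features set to `auto`; a service with no role, log, VPC or NAS configuration gets just the three fc:* service actions. The service-role output separates the system policy the page lists for VPC/NAS (network interface management) from the single log:PostLogStoreLogs grant scoped to the exact logstore, which is the least privilege the page gives for log shipping.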
Updated at Wed, Sep 21, 2022