service field

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| name | True | String | Service name |
| description | False | String | Short description of the service |
| internetAccess | False | Boolean | Set to true to allow the function to access the public internet |
| tracingConfig | False | String | Tracing; allowed values: Enable, Disable |
| role | False | String [simple config] / Struct [detailed config] | RAM role granting the permissions Function Compute needs. Use cases include: 1. sending logs produced by the function to the user's logstore; 2. generating tokens for the function to access other cloud resources during execution |
| logConfig | False | Enum [simple config] / Struct [detailed config] | Log configuration; logs produced by the function are written to the logstore configured here |
| vpcConfig | False | Enum [simple config] / Struct [detailed config] | VPC configuration; once configured, the function can access the specified VPC |
| nasConfig | False | Enum [simple config] / Struct [detailed config] | NAS configuration; once configured, the function can access the specified NAS |

Example:

```yaml
service:
    name: unit-deploy-service
    description: 'demo for fc-deploy component'
    internetAccess: true
```

Permission configuration

Permissions required by the sub-account

Maximum permissions

System policy: AliyunFCFullAccess

Minimum permissions for deployment

Custom policy

⚠️ The fc:GetService permission is optional by default.

```json
{
    "Version": "1",
    "Statement": [
        {
            "Action": "fc:CreateService",
            "Resource": "acs:fc:<region>:<account-id>:services/*",
            "Effect": "Allow"
        },
        {
            "Action": "fc:UpdateService",
            "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>",
            "Effect": "Allow"
        },
        {
            "Action": "fc:GetService",
            "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>",
            "Effect": "Allow"
        }
    ]
}
```

Minimum permissions for deletion

Custom policy

```json
{
    "Version": "1",
    "Statement": [
        {
            "Action": "fc:DeleteService",
            "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>",
            "Effect": "Allow"
        }
    ]
}
```

role

When the role parameter is a string, it is a role ARN such as: acs:ram::xxx:role/AliyunFcDefaultRole

When the role parameter is a struct, refer to:

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| name | True | String | Role name |
| policies | True | List<Struct> | Policy list |

Example:

```yaml
role:
  name: roleName
  policies:
    - AliyunOSSFullAccess
    - name: myPolicy
      description: custom policy
      statement:
        - Effect: Allow
          Action:
            - log:ListProject
          Resource:
            - acs:log:*:*:project/*
```

Permission configuration

Permissions required by the sub-account

Maximum permissions

System policies: AliyunFCFullAccess, AliyunRAMFullAccess

Finer-grained policy

```json
{
    "Statement": [
        {
            "Action": [
                "ram:PassRole",
                "ram:GetRole",
                "ram:CreateRole",
                "ram:ListPoliciesForRole",
                "ram:AttachPolicyToRole",
                "ram:GetPolicy",
                "ram:CreatePolicy",
                "ram:ListPolicyVersions",
                "ram:CreatePolicyVersion",
                "ram:DeletePolicyVersion"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "1"
}
```

policies

Here policies is the list of policies. When this field is used, the AccessKey configured locally must have permission to create policies and roles. Each list element is either a string (a policy name, as in the example above) or a policy struct; the struct is as follows:

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| name | True | String | Policy name |
| description | False | String | Policy description |
| statement | True | List<Struct> | List of policy statements |

statement

Here statement is the list of policy statements; each element's struct is as follows:

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| Effect | True | String | Effect of the statement; allowed values are 'Allow' and 'Deny' |
| Action | True | List<String> | Actions the statement applies to |
| Resource | True | String/List<String> | Target resources of the statement |
| Condition | False | Object | Conditions that restrict the statement |

logConfig

When logConfig uses the simple configuration, it can be: auto

When logConfig is a struct, refer to:

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| logstore | True | String | Name of the logstore in Log Service (loghub) |
| project | True | String | Name of the project in Log Service (loghub) |
| enableRequestMetrics | False | Boolean | RequestMetrics switch; true/false |
| enableInstanceMetrics | False | Boolean | InstanceMetrics switch; true/false |
| logBeginRule | False | String | Whether log lines are split; DefaultRegex/None |

Example:

```yaml
service:
    name: unit-deploy-service
    description: 'demo for fc-deploy component'
    internetAccess: true
    role: <role-arn> # the role must already exist; see "Service role permissions" below for what it needs
    # logConfig: auto
    logConfig:
        project: XXX
        logstore: XXX
```

When logConfig is auto, the project name is generated by the rule {accountID}-{region}-logproject and the logstore name by 'fc-service-{serviceName}-logstore'.toLocaleLowerCase().
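The following is an added example, not code from the fc-deploy component: it applies the naming rule above and then fills the generated names into the minimum-permission policies shown on this page, so that the resulting documents name the exact project and logstore instead of the `<project-name>` / `<logstore-name>` placeholders. The account id, region and role ARN used are placeholders, and narrowing `ram:PassRole` to a role ARN is an assumption added here rather than something the page states.

```javascript
// Added example, not code from the fc-deploy component: apply the logConfig: auto
// naming rule above, then fill the generated names into the minimum-permission
// policies on this page so the documents name the exact project and logstore
// instead of <project-name> / <logstore-name> placeholders.
function autoLogNames(accountId, region, serviceName) {
  return {
    project: `${accountId}-${region}-logproject`,
    logstore: `fc-service-${serviceName}-logstore`.toLocaleLowerCase(),
  };
}

// Sub-account (deployer) policy for logConfig: auto. The page grants ram:PassRole
// on "*"; passing the ARN of the role the service uses narrows that (assumption
// added here: RAM accepts a role ARN as the Resource of ram:PassRole).
function deployerPolicy(accountId, region, names, passRoleResource = '*') {
  const project = `acs:log:${region}:${accountId}:project/${names.project}`;
  return {
    Version: '1',
    Statement: [
      { Action: 'ram:PassRole', Effect: 'Allow', Resource: passRoleResource },
      { Action: ['log:GetProject', 'log:CreateProject'], Resource: project, Effect: 'Allow' },
      { Action: ['log:CreateLogStore', 'log:GetIndex', 'log:GetLogStore', 'log:CreateIndex'],
        Resource: `${project}/logstore/${names.logstore}`, Effect: 'Allow' },
    ],
  };
}

// Service role policy: the function only needs to write logs into its own logstore.
function serviceRolePolicy(accountId, region, names) {
  return {
    Version: '1',
    Statement: [{
      Action: 'log:PostLogStoreLogs',
      Resource: `acs:log:${region}:${accountId}:project/${names.project}/logstore/${names.logstore}`,
      Effect: 'Allow',
    }],
  };
}

// Constructed sample values: account id, region and role ARN are placeholders.
const ACCOUNT = '1234567890123456', REGION = 'cn-shenzhen';
const names = autoLogNames(ACCOUNT, REGION, 'Unit-Deploy-Service');
console.log(JSON.stringify(deployerPolicy(ACCOUNT, REGION, names,
  `acs:ram::${ACCOUNT}:role/AliyunFcDefaultRole`), null, 2));
console.log(JSON.stringify(serviceRolePolicy(ACCOUNT, REGION, names), null, 2));
```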

Permission configuration

Permissions required by the sub-account
Maximum permissions

System policies: AliyunFCFullAccess, AliyunLogFullAccess

Minimum permissions for deployment
  • logConfig is not auto

Custom policy

```json
{
    "Statement": [
        {
            "Action": "ram:PassRole",
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "1"
}
```

  • logConfig is auto

Custom policy

```json
{
    "Version": "1",
    "Statement": [
        {
            "Action": "ram:PassRole",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "log:GetProject",
                "log:CreateProject"
            ],
            "Resource": "acs:log:<region>:<account-id>:project/<project-name>",
            "Effect": "Allow"
        },
        {
            "Action": [
                "log:CreateLogStore",
                "log:GetIndex",
                "log:GetLogStore",
                "log:CreateIndex"
            ],
            "Resource": "acs:log:<region>:<account-id>:project/<project-name>/logstore/<logstore-name>",
            "Effect": "Allow"
        }
    ]
}
```

Service role permissions
Maximum permissions

System policy: AliyunLogFullAccess

Minimum permissions

Custom policy

```json
{
    "Version": "1",
    "Statement": [
        {
            "Action": "log:PostLogStoreLogs",
            "Resource": "acs:log:<region>:<account-id>:project/<projectName>/logstore/<logstoreName>",
            "Effect": "Allow"
        }
    ]
}
```

vpcConfig

When vpcConfig uses the simple configuration, it can be: auto

When vpcConfig is a struct, refer to:

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| securityGroupId | True | String | Security group ID |
| vswitchIds | True | List<String> | List of vSwitch IDs |
| vpcId | True | String | VPC ID |

Example:

```yaml
service:
  name: unit-deploy-service
  description: 'demo for fc-deploy component'
  internetAccess: true
  role: <role-arn> # the role must already exist; see "Service role permissions" below for what it needs
  # vpcConfig: auto
  vpcConfig:
    vpcId: xxx
    securityGroupId: xxx
    vswitchIds:
      - vsw-xxx
```

Permission configuration

Permissions required by the sub-account
Maximum permissions

System policies: AliyunFCFullAccess, AliyunVPCFullAccess, AliyunECSFullAccess

Minimum permissions for deployment <see service role permissions>
  • vpcConfig is not auto

Custom policy

```json
{
    "Statement": [
        {
            "Action": "ram:PassRole",
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "1"
}
```
  • vpcConfig is auto

System policy: AliyunVPCReadOnlyAccess

Custom policy

```json
{
    "Statement": [
        {
            "Action": "ram:PassRole",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "fc:GetAccountSettings",
            "Effect": "Allow",
            "Resource": "acs:fc:<region>:<account-id>:account-settings"
        },
        {
            "Action": [
                "vpc:CreateVpc",
                "vpc:CreateVSwitch",
                "ecs:AuthorizeSecurityGroup",
                "ecs:DescribeSecurityGroups",
                "ecs:CreateSecurityGroup"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "1"
}
```
Service role permissions

System policy: AliyunECSNetworkInterfaceManagementAccess

nasConfig

When nasConfig uses the simple configuration, it can be: auto

When nasConfig is a struct, refer to:

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| mountPoints | True | List<Struct> [multi-directory config] | Mount directory configuration |
| userId | False | String | User ID; defaults to 10003 |
| groupId | False | String | Group ID; defaults to 10003 |

Example:

```yaml
service:
  name: unit-deploy-service
  description: 'demo for fc-deploy component'
  internetAccess: true
  role: <role-arn> # the role must already exist; see "Service role permissions" below for what it needs
  vpcConfig:
    vpcId: xxx
    securityGroupId: xxx
    vswitchIds:
      - vsw-xxx
  nasConfig:
    userId: 10003
    groupId: 10003
    mountPoints:
      - serverAddr: xxx-xxx.cn-shenzhen.nas.aliyuncs.com
        nasDir: /unit-deploy-service
        fcDir: /mnt/auto
```

Permission configuration

Permissions required by the sub-account
Maximum permissions

System policies: AliyunFCFullAccess, AliyunVPCFullAccess, AliyunNasFullAccess

Minimum permissions for deployment
  • nasConfig is not auto

Custom policy

```json
{
    "Statement": [
        {
            "Action": "ram:PassRole",
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "1"
}
```
  • nasConfig is auto

System policy: AliyunNasReadOnlyAccess

Custom policy

```json
{
    "Statement": [
        {
            "Action": "fc:GetAccountSettings",
            "Effect": "Allow",
            "Resource": "acs:fc:<region>:<account-id>:account-settings"
        },
        {
            "Action": [
                "fc:UpdateService",
                "fc:CreateService"
            ],
            "Effect": "Allow",
            "Resource": "acs:fc:<region>:<account-id>:services/*"
        },
        {
            "Action": [
                "fc:InvokeFunction",
                "fc:CreateFunction",
                "fc:UpdateFunction"
            ],
            "Effect": "Allow",
            "Resource": "acs:fc:<region>:<account-id>:services/*/functions/*"
        },
        {
            "Action": [
                "fc:UpdateTrigger",
                "fc:CreateTrigger"
            ],
            "Effect": "Allow",
            "Resource": "acs:fc:<region>:<account-id>:services/*/functions/*/triggers/*"
        },
        {
            "Action": "ram:PassRole",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "nas:CreateMountTarget",
                "nas:DescribeMountTargets",
                "nas:DescribeFileSystems",
                "nas:CreateFileSystem",
                "vpc:DescribeVSwitchAttributes"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "1"
}
```
Service role permissions

System policy: AliyunECSNetworkInterfaceManagementAccess

mountPoints

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| serverAddr | True | String | NAS server address |
| nasDir | True | String | Directory on the NAS file system |
| fcDir | True | String | Mount directory inside Function Compute |
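The following is an added example, not code from the fc-deploy component: a validator for a parsed `service` block that checks the required fields, types and allowed values from the tables on this page (service, role, policies/statement, logConfig, vpcConfig, nasConfig and mountPoints). The input is the object a YAML parser would return for the service block of s.yaml; the sample input and the error messages are constructed here.

```javascript
// Added example, not code from the fc-deploy component: validate a parsed
// `service` block against the field tables on this page (service, role,
// policies/statement, logConfig, vpcConfig, nasConfig and mountPoints). Input
// is the object a YAML parser would return for the service block of s.yaml.
const TRACING = new Set(['Enable', 'Disable']);

// Record an error instead of throwing so every problem is reported at once.
function check(cond, msg, errors) { if (!cond) errors.push(msg); }
function requireKeys(obj, keys, where, errors) {
  for (const k of keys) check(obj != null && obj[k] !== undefined, `${where}.${k} is required`, errors);
}
// logConfig, vpcConfig and nasConfig may be absent, the string 'auto', or a struct.
function autoOrStruct(value, keys, where, errors) {
  if (value === undefined || value === 'auto') return;
  if (typeof value !== 'object' || value === null) errors.push(`${where} must be 'auto' or a struct`);
  else requireKeys(value, keys, where, errors);
}

function validateService(svc) {
  const errors = [];
  check(typeof svc.name === 'string' && svc.name.length > 0, 'service.name is required (String)', errors);
  if (svc.internetAccess !== undefined) check(typeof svc.internetAccess === 'boolean', 'service.internetAccess must be Boolean', errors);
  if (svc.tracingConfig !== undefined) check(TRACING.has(svc.tracingConfig), 'service.tracingConfig must be Enable or Disable', errors);
  if (svc.role && typeof svc.role !== 'string') { // the string form is a role ARN and is not inspected
    requireKeys(svc.role, ['name', 'policies'], 'service.role', errors);
    (Array.isArray(svc.role.policies) ? svc.role.policies : []).forEach((p, i) => {
      if (typeof p === 'string') return; // a policy name such as AliyunOSSFullAccess
      const where = `service.role.policies[${i}]`;
      requireKeys(p, ['name', 'statement'], where, errors);
      (Array.isArray(p.statement) ? p.statement : []).forEach((s, j) => {
        requireKeys(s, ['Effect', 'Action', 'Resource'], `${where}.statement[${j}]`, errors);
        check(s.Effect === 'Allow' || s.Effect === 'Deny', `${where}.statement[${j}].Effect must be Allow or Deny`, errors);
      });
    });
  }
  autoOrStruct(svc.logConfig, ['logstore', 'project'], 'service.logConfig', errors);
  autoOrStruct(svc.vpcConfig, ['securityGroupId', 'vswitchIds', 'vpcId'], 'service.vpcConfig', errors);
  autoOrStruct(svc.nasConfig, ['mountPoints'], 'service.nasConfig', errors);
  const mounts = svc.nasConfig && svc.nasConfig !== 'auto' ? svc.nasConfig.mountPoints : undefined;
  (Array.isArray(mounts) ? mounts : []).forEach((m, i) =>
    requireKeys(m, ['serverAddr', 'nasDir', 'fcDir'], `service.nasConfig.mountPoints[${i}]`, errors));
  return errors;
}

// Constructed sample: the page's vpcConfig example with two mistakes injected,
// a lower-case tracingConfig value and a missing securityGroupId.
const sample = { name: 'unit-deploy-service', description: 'demo for fc-deploy component', internetAccess: true,
  tracingConfig: 'enable', vpcConfig: { vpcId: 'xxx', vswitchIds: ['vsw-xxx'] } };
console.log(validateService(sample));
```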

tracingConfig

Tracing; allowed values: Enable, Disable

Example:

```yaml
service:
  name: unit-deploy-service
  description: 'demo for fc-deploy component'
  internetAccess: true
  tracingConfig: Enable
```

Permission configuration

Permissions required by the sub-account

System policies: AliyunFCFullAccess, AliyunTracingAnalysisReadOnlyAccess

```json
{
    "Statement": [
        {
            "Action": "ram:PassRole",
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "1"
}
```

Last updated: Wed, Aug 10, 2022