本文介绍如何通过阿里云子账号(RAM User)使用Serverless工作流需要的权限和配置用户权限策略的详细步骤。

背景信息

如果您是通过主账号用户名密码登录控制台,或是使用有AdministratorAccess的RAM User访问服务则可跳过本文,直接访问服务即可。如果您使用的RAM用户权限有限,请参见下文的步骤配置用户权限策略。

操作步骤

  1. RAM控制台策略管理,单击新建授权策略,使用下文的JSON作为策略内容,创建名为FnFRAMUserPolicy的授权策略。
        {
          "Version": "1",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "ram:PassRole",
              "Resource": "*"
            },
            {
              "Action": "fc:*",
              "Resource": "*",
              "Effect": "Allow"
            },
            {
              "Action": "fnf:*",
              "Resource": "*",
              "Effect": "Allow"
            },
            {
              "Action": "oss:*",
              "Resource": "acs:oss:*:*:fun-gen-*",
              "Effect": "Allow"
            },
            {
              "Action": "ros:*",
              "Resource": "*",
              "Effect": "Allow"
            },
            {
              "Effect": "Allow",
              "Action": "ram:CreateRole",
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": "ram:GetPolicy",
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": "ram:CreatePolicy",
              "Resource": "acs:ram:*:*:policy/*"
            },
            {
              "Effect": "Allow",
              "Action": "ram:DeletePolicy",
              "Resource": [
                "acs:ram:*:*:policy/fnf-sample*"
              ]
            },
            {
              "Effect": "Allow",
              "Action": "ram:AttachPolicyToRole",
              "Resource": [
                "acs:ram:*:*:role/fnf-sample*",
                "acs:ram:*:*:role/fnf-execution-default-role*",
                "acs:ram:*:*:policy/fnf-sample*",
                "acs:ram:*:system:policy/AliyunECSNetworkInterfaceManagementAccess",
                "acs:ram:*:system:policy/AliyunFCInvocationAccess",
                "acs:ram:*:system:policy/AliyunFnFFullAccess",
                "acs:ram:*:system:policy/AliyunMNSFullAccess"
              ]
            },
            {
              "Effect": "Allow",
              "Action": "ram:DetachPolicyFromRole",
              "Resource": [
                "acs:ram:*:*:role/fnf-sample*",
                "acs:ram:*:*:role/fnf-execution-default-role*",
                "acs:ram:*:*:policy/fnf-sample*",
                "acs:ram:*:system:policy/AliyunECSNetworkInterfaceManagementAccess",
                "acs:ram:*:system:policy/AliyunFCInvocationAccess",
                "acs:ram:*:system:policy/AliyunFnFFullAccess",
                "acs:ram:*:system:policy/AliyunMNSFullAccess"
              ]
            },
            {
              "Effect": "Allow",
              "Action": "ram:ListRoles",
              "Resource": "acs:ram:*:*:role/*"
            },
            {
              "Effect": "Allow",
              "Action": "ram:GetRole",
              "Resource": "acs:ram:*:*:role/*"
            },
            {
              "Effect": "Allow",
              "Action": "ram:DeleteRole",
              "Resource": [
                "acs:ram:*:*:role/fnf-sample*"
              ]
            },
            {
              "Effect": "Allow",
              "Action": "ram:ListPoliciesForRole",
              "Resource": "acs:ram:*:*:role/*"
            }
          ]
        }
  2. RAM控制台用户管理,选择使用Serverless工作流的RAM User,将上一步中创建的授权策略与该RAM User绑定。
    说明
    • 子账号权限适用于基础的操作,如果使用控制台上一些涉及到更多云资源的应用模板和示例项目遇到权限不足的情况,请为RAM User添加相应的权限。
    • 为了控制权限粒度,示例中比较敏感的RAM操作,例如AttachPolicyToRole仅有权限操作fnf-sample或fnf-execution-default-role为前缀的角色(Role)和策略(Policy)。如果您需要修改示例项目名或者应用中心默认名,请根据实际情况对上文的策略内容做修改。