This topic describes the permissions a RAM user (an Alibaba Cloud sub-account) needs in order to use Serverless Workflow, and the steps for configuring that user's permission policy.

Background information

If you log on to the console with the credentials of the Alibaba Cloud account itself, or access the service as a RAM user that has the AdministratorAccess policy, you can skip this topic and use the service directly. If your RAM user has limited permissions, follow the steps below to configure a permission policy.

Procedure

  1. In the RAM console, go to Policies, click Create Policy, and use the JSON below as the policy content to create a custom policy named FnFRAMUserPolicy.
        {
          "Version": "1",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "ram:PassRole",
              "Resource": "*"
            },
            {
              "Action": "fc:*",
              "Resource": "*",
              "Effect": "Allow"
            },
            {
              "Action": "fnf:*",
              "Resource": "*",
              "Effect": "Allow"
            },
            {
              "Action": "oss:*",
              "Resource": "acs:oss:*:*:fun-gen-*",
              "Effect": "Allow"
            },
            {
              "Action": "ros:*",
              "Resource": "*",
              "Effect": "Allow"
            },
            {
              "Effect": "Allow",
              "Action": "ram:CreateRole",
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": "ram:GetPolicy",
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": "ram:CreatePolicy",
              "Resource": "acs:ram:*:*:policy/*"
            },
            {
              "Effect": "Allow",
              "Action": "ram:DeletePolicy",
              "Resource": [
                "acs:ram:*:*:policy/fnf-sample*"
              ]
            },
            {
              "Effect": "Allow",
              "Action": "ram:AttachPolicyToRole",
              "Resource": [
                "acs:ram:*:*:role/fnf-sample*",
                "acs:ram:*:*:role/fnf-execution-default-role*",
                "acs:ram:*:*:policy/fnf-sample*",
                "acs:ram:*:system:policy/AliyunECSNetworkInterfaceManagementAccess",
                "acs:ram:*:system:policy/AliyunFCInvocationAccess",
                "acs:ram:*:system:policy/AliyunFnFFullAccess",
                "acs:ram:*:system:policy/AliyunMNSFullAccess"
              ]
            },
            {
              "Effect": "Allow",
              "Action": "ram:DetachPolicyFromRole",
              "Resource": [
                "acs:ram:*:*:role/fnf-sample*",
                "acs:ram:*:*:role/fnf-execution-default-role*",
                "acs:ram:*:*:policy/fnf-sample*",
                "acs:ram:*:system:policy/AliyunECSNetworkInterfaceManagementAccess",
                "acs:ram:*:system:policy/AliyunFCInvocationAccess",
                "acs:ram:*:system:policy/AliyunFnFFullAccess",
                "acs:ram:*:system:policy/AliyunMNSFullAccess"
              ]
            },
            {
              "Effect": "Allow",
              "Action": "ram:ListRoles",
              "Resource": "acs:ram:*:*:role/*"
            },
            {
              "Effect": "Allow",
              "Action": "ram:GetRole",
              "Resource": "acs:ram:*:*:role/*"
            },
            {
              "Effect": "Allow",
              "Action": "ram:DeleteRole",
              "Resource": [
                "acs:ram:*:*:role/fnf-sample*"
              ]
            },
            {
              "Effect": "Allow",
              "Action": "ram:ListPoliciesForRole",
              "Resource": "acs:ram:*:*:role/*"
            }
          ]
        }
  2. In the RAM console, go to Users, select the RAM user that will use Serverless Workflow, and attach the policy created in the previous step to that user.
    Note
    • The permissions above cover basic operations. If you run into insufficient-permission errors while using application templates or sample projects in the console that involve additional cloud resources, grant the RAM user the corresponding permissions.
    • To keep permissions fine-grained, the sensitive RAM operations in this policy are scoped by resource: ram:AttachPolicyToRole and ram:DetachPolicyFromRole may only act on roles and policies whose names start with fnf-sample or fnf-execution-default-role, plus the four listed Alibaba Cloud system policies (AliyunECSNetworkInterfaceManagementAccess, AliyunFCInvocationAccess, AliyunFnFFullAccess, AliyunMNSFullAccess), and ram:DeleteRole and ram:DeletePolicy may only act on roles and policies prefixed fnf-sample. If you change the sample project name or the default name used by the application center, edit these Resource values to match.
    • The remaining statements are not scoped: ram:PassRole, ram:CreateRole, fc:*, fnf:* and ros:* are granted on Resource "*", and ram:CreatePolicy on every policy in the account. Together these let the RAM user create new roles and pass any existing role in the account to the services that accept one. If you use this policy beyond the sample projects, narrow these Resource values to the roles and policies your workflows actually need.
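The following script is an added example, not part of the Alibaba Cloud documentation or of any Alibaba Cloud tool. It embeds the FnFRAMUserPolicy document above as a Python dict and checks, offline, the two properties the notes describe: that every sensitive RAM action (Attach/Detach/DeleteRole/DeletePolicy) is confined to the fnf-sample and fnf-execution-default-role prefixes or to a single named system policy, and which actions are granted on Resource "*". The set of "sensitive" actions, the prefix list and the resource-string parsing are this script's own assumptions; RAM itself performs no such check. Passing a different prefix tuple reproduces the second note's case, where the sample project was renamed but the policy was not.

```python
"""Offline scoping check for the FnFRAMUserPolicy document above (added example)."""
import fnmatch

# Roles and policies the Attach/Detach statements may touch, as listed on the page.
ATTACH_DETACH_RESOURCES = [
    "acs:ram:*:*:role/fnf-sample*",
    "acs:ram:*:*:role/fnf-execution-default-role*",
    "acs:ram:*:*:policy/fnf-sample*",
    "acs:ram:*:system:policy/AliyunECSNetworkInterfaceManagementAccess",
    "acs:ram:*:system:policy/AliyunFCInvocationAccess",
    "acs:ram:*:system:policy/AliyunFnFFullAccess",
    "acs:ram:*:system:policy/AliyunMNSFullAccess",
]

# The page's FnFRAMUserPolicy, statement for statement, in compact form.
FNF_RAM_USER_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "ram:PassRole", "Resource": "*"},
        {"Effect": "Allow", "Action": "fc:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "fnf:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "oss:*", "Resource": "acs:oss:*:*:fun-gen-*"},
        {"Effect": "Allow", "Action": "ros:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "ram:CreateRole", "Resource": "*"},
        {"Effect": "Allow", "Action": "ram:GetPolicy", "Resource": "*"},
        {"Effect": "Allow", "Action": "ram:CreatePolicy", "Resource": "acs:ram:*:*:policy/*"},
        {"Effect": "Allow", "Action": "ram:DeletePolicy", "Resource": ["acs:ram:*:*:policy/fnf-sample*"]},
        {"Effect": "Allow", "Action": "ram:AttachPolicyToRole", "Resource": ATTACH_DETACH_RESOURCES},
        {"Effect": "Allow", "Action": "ram:DetachPolicyFromRole", "Resource": ATTACH_DETACH_RESOURCES},
        {"Effect": "Allow", "Action": "ram:ListRoles", "Resource": "acs:ram:*:*:role/*"},
        {"Effect": "Allow", "Action": "ram:GetRole", "Resource": "acs:ram:*:*:role/*"},
        {"Effect": "Allow", "Action": "ram:DeleteRole", "Resource": ["acs:ram:*:*:role/fnf-sample*"]},
        {"Effect": "Allow", "Action": "ram:ListPoliciesForRole", "Resource": "acs:ram:*:*:role/*"},
    ],
}

# Which RAM actions count as sensitive, and which name prefixes they may touch,
# are this script's assumptions (taken from the page's note), not a RAM setting.
SENSITIVE_RAM_ACTIONS = ("ram:AttachPolicyToRole", "ram:DetachPolicyFromRole",
                         "ram:DeleteRole", "ram:DeletePolicy")
DEFAULT_PREFIXES = ("fnf-sample", "fnf-execution-default-role")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_resources(policy, action):
    """Resources that Allow statements grant for `action`; patterns like ram:* match too."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            found.extend(_as_list(stmt["Resource"]))
    return found


def resource_is_scoped(resource, prefixes):
    """True if `resource` names one specific system policy, or a role/policy whose
    name starts with one of `prefixes`. '*' and 'role/*' are not scoped."""
    parts = resource.split(":", 4)  # acs:ram:<region>:<account>:<type>/<name>
    if len(parts) != 5 or parts[:2] != ["acs", "ram"]:
        return False
    account, path = parts[3], parts[4]
    kind, _, name = path.partition("/")
    if kind not in ("role", "policy") or not name:
        return False
    if account == "system":
        return "*" not in name  # exactly one named Alibaba Cloud system policy
    return any(name.startswith(p) for p in prefixes)


def check_sensitive_scoping(policy, prefixes=DEFAULT_PREFIXES):
    """Map each sensitive action to the resources it may act on outside `prefixes`.
    An empty result means the policy is confined the way the page's note describes."""
    findings = {}
    for action in SENSITIVE_RAM_ACTIONS:
        unscoped = [r for r in allowed_resources(policy, action)
                    if not resource_is_scoped(r, prefixes)]
        if unscoped:
            findings[action] = unscoped
    return findings


def wildcard_grants(policy):
    """(Action, Resource) pairs granted on Resource '*': review these before
    attaching the policy to a RAM user."""
    return [(action, "*") for stmt in policy["Statement"]
            if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt["Resource"])
            for action in _as_list(stmt["Action"])]


if __name__ == "__main__":
    print("unscoped sensitive grants:", check_sensitive_scoping(FNF_RAM_USER_POLICY))
    print("granted on '*':", wildcard_grants(FNF_RAM_USER_POLICY))
    # The second note's case: the sample project was renamed but the policy was not.
    print("after renaming to my-app:", check_sensitive_scoping(FNF_RAM_USER_POLICY, ("my-app",)))
```

Run as-is, the first check returns an empty dict and the second lists ram:PassRole, fc:*, fnf:*, ros:*, ram:CreateRole and ram:GetPolicy as granted on "*"; the third call, with the prefix changed to my-app, reports all four sensitive actions as still pointing at fnf-sample resources, which is the policy edit the note asks you to make. To apply the same check to a policy you edited, replace FNF_RAM_USER_POLICY with the JSON loaded via json.load and pass your own prefix tuple.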