This topic describes how to grant a Resource Access Management (RAM) user different levels of permissions on Function AI.
Prerequisites
You have created a RAM user.
Background information
You can grant a RAM user permissions to use Function AI in the following three ways.
System policies: These policies have a wide scope of permissions. You cannot modify the content of system policies, but they are simple to configure.
Custom policies: These policies allow you to create service-level custom policies for RAM users to achieve more fine-grained access control. The configuration steps are more complex than those for system policies.
Resource-level policies: These policies allow you to create resource-level policies with project-level granularity for all RAM users. This provides more fine-grained access control. A RAM user who is granted these permissions can operate only on project resources with specific names.
For more information about permission policies, see Basic elements of a policy and Policy evaluation process.
System policies
Log on to the Resource Access Management (RAM) console as an Alibaba Cloud account or a RAM administrator.
Grant the permissions listed in the following table to the RAM user. For more information, see Manage RAM user permissions.
Permission policy
Description
The read-only permissions for Resource Access Management (RAM). These permissions allow a user to view users, user groups, and authorization information. Function AI requires these permissions to check the roles and corresponding permissions under the current account.
The permissions to manage the Function Compute (FC) service. The image generation feature requires these permissions to manage the created function resources.
The read-only permissions for Object Storage Service (OSS). These permissions are required to view the list of your files in OSS and deploy the relevant files to the Function AI platform.
The read-only permissions for Simple Log Service. These permissions are required to view the log information of services that you deploy on Function AI.
The read-only permissions for CloudMonitor. These permissions are required to view the monitoring metrics of services that you deploy on Function AI.
The permissions to manage the Function AI platform.
The permissions to manage the CloudFlow service. The flow service requires these permissions to manage created workflow resources.
The read-only permissions for Apsara File Storage NAS (NAS). The image generation feature requires these permissions to obtain your NAS folders.
The read-only permissions for Virtual Private Cloud (VPC). The image generation feature requires these permissions to obtain your VPC information.
The read-only permissions for Elastic Compute Service (ECS). The image generation feature requires these permissions to obtain information about your security groups.
The read-only permissions for Expenses and Costs (BSS). Deploying database-related services requires these permissions to obtain your account balance.
The read-only permissions for the ApsaraDB RDS service. Deploying a database service requires these permissions to obtain your database deployment information.
The read-only permissions for ApsaraDB for Tair (Redis-compatible). Deploying Redis requires these permissions to obtain your Redis deployment information.
The permissions to manage Alibaba Cloud Model Studio (SFM) knowledge bases. The flow service requires these permissions to query knowledge base information in Model Studio and perform one-click authorization.
The read-only permissions for cloud-native API Gateway. Deploying an API Gateway service requires these permissions to obtain your API Gateway deployment information.
The read-only permissions for Microservices Engine (MSE). Registering an MCP service with Nacos requires these permissions to query Nacos instance information.
The permissions required to manage and use AgentRun.
Custom policies
Log on to the RAM console as an Alibaba Cloud account or a RAM administrator.
Create a custom policy. On the Script Editor tab, replace the policy content with the following sample policy.
{
  "Version": "1",
  "Statement": [
    { "Action": [ "ram:Get*", "ram:List*", "ram:GenerateCredentialReport" ], "Resource": "*", "Effect": "Allow" },
    { "Action": "devs:*", "Resource": "*", "Effect": "Allow" },
    { "Action": "ram:PassRole", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "acs:Service": "devs.aliyuncs.com" } } },
    { "Action": "ram:PassRole", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "acs:Service": "fnf.aliyuncs.com" } } },
    { "Action": "fnf:*", "Resource": "*", "Effect": "Allow" },
    { "Action": "bss:DescribeAcccount", "Resource": "*", "Effect": "Allow" },
    { "Action": [ "log:Get*", "log:List*", "log:Query*" ], "Resource": "*", "Effect": "Allow" },
    { "Action": [ "oss:Get*", "oss:List*" ], "Effect": "Allow", "Resource": "*" },
    { "Action": [ "cms:Get*", "cms:List*", "cms:Query*", "cms:Describe*" ], "Resource": "*", "Effect": "Allow" },
    { "Action": [ "fc:Get*", "fc:List*", "fc:PutConcurrencyConfig", "fc:DeleteConcurrencyConfig", "fc:PutProvisionConfig" ], "Resource": "*", "Effect": "Allow" },
    { "Action": "vpc:Describe*", "Resource": "*", "Effect": "Allow" },
    { "Action": "nas:Describe*", "Resource": "*", "Effect": "Allow" },
    { "Action": "ecs:DescribeSecurityGroup*", "Resource": "*", "Effect": "Allow" },
    { "Action": [ "rds:DescribeDBInstances", "kvstore:DescribeInstances" ], "Resource": "*", "Effect": "Allow" },
    { "Action": [ "bailiancontrol:ListWorkspaces", "bailiancontrol:CreateUser", "bailiancontrol:ListRoles", "bailiancontrol:ListUsers", "bailiancontrol:AttachWorkspaceToUser", "bailiancontrol:AttachRoleToUser", "sfm:ListIndex" ], "Resource": "*", "Effect": "Allow" },
    { "Action": [ "apig:GetConsumer", "apig:ListConsumers", "apig:ListGateways", "apig:ListZones", "apig:GetDomain", "apig:GetDashboard", "apig:ListDomains" ], "Resource": "*", "Effect": "Allow" },
    { "Action": [ "mse:ListClusters", "mse:QueryConfig" ], "Resource": "*", "Effect": "Allow" },
    { "Action": "agentrun:*", "Resource": "*", "Effect": "Allow" },
    { "Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "ram:ServiceName": "agentrun.fc.aliyuncs.com" } } },
    { "Action": "ram:PassRole", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "acs:Service": "agentrun.fc.aliyuncs.com" } } }
  ]
}
Attach the custom policy that you created in the previous step to the RAM user. For more information, see Manage RAM user permissions.
Resource-level policies
Function AI provides resource-level authorization policies with project-level granularity. You can use the following configurations to grant a RAM user permissions to access project resources with specific names.
Example 1: View all project resources
This policy allows a user to view all project resources, but only create, update, deploy, and delete project resources with specific names.
This example shows how to grant a RAM user permissions to view all Function AI projects, and create, update, deploy, and delete project resources that have the my-project prefix. To allow the RAM user to deploy applications, the policy includes permissions to upload code packages, parse variables, render templates, and refresh repository binding information.
Log on to the RAM console as an Alibaba Cloud account or a RAM administrator.
Follow the instructions in Custom policies to create a custom policy. In the policy content, replace the section that grants full read and write permissions for Function AI with the following resource-level policy.
Statement that grants full read and write permissions for Function AI:
    { "Action": "devs:*", "Resource": "*", "Effect": "Allow" }
Resource-level statements that replace it:
    { "Action": [ "devs:CreateProject", "devs:DeleteProject", "devs:UpdateProject" ], "Resource": "acs:devs:*:*:project/my-project*", "Effect": "Allow" },
    { "Action": [ "devs:UpdateEnvironment", "devs:PreviewEnvironment", "devs:DeleteEnvironment", "devs:CreateEnvironment", "devs:DeployEnvironment", "devs:ParseVariable" ], "Resource": "acs:devs:*:*:project/my-project*/environment/*", "Effect": "Allow" },
    { "Action": [ "devs:List*", "devs:Get*", "devs:CreateArtifact", "devs:PutArtifact", "devs:FetchArtifactTempBucketToken", "devs:RenderServicesByTemplate", "devs:RefreshConnection" ], "Resource": "*", "Effect": "Allow" }
Attach the modified custom policy to the RAM user. For more information, see Manage RAM user permissions.
Example 2: View, create, update, deploy, and delete project resources with specific names
This example shows how to grant a RAM user permissions to view, create, update, deploy, and delete project resources that have the my-project prefix. To allow the RAM user to deploy applications, the policy includes permissions to upload code packages, parse variables, render templates, and refresh repository binding information.
Log on to the RAM console as an Alibaba Cloud account or a RAM administrator.
Follow the instructions in Custom policies to create a custom policy. In the policy content, replace the section that grants full read and write permissions for Function AI with the following resource-level policy.
Statement that grants full read and write permissions for Function AI:
    { "Action": "devs:*", "Resource": "*", "Effect": "Allow" }
Resource-level statements that replace it:
    { "Action": [ "devs:CreateProject", "devs:GetProject", "devs:DeleteProject", "devs:UpdateProject" ], "Resource": "acs:devs:*:*:project/my-project*", "Effect": "Allow" },
    { "Action": [ "devs:GetEnvironment", "devs:UpdateEnvironment", "devs:PreviewEnvironment", "devs:DeleteEnvironment", "devs:CreateEnvironment", "devs:DeployEnvironment", "devs:GetVariableRefList", "devs:ParseVariable", "devs:GetVariableLinkedServices" ], "Resource": "acs:devs:*:*:project/my-project*/environment/*", "Effect": "Allow" },
    { "Action": [ "devs:List*", "devs:GetArtifact", "devs:CreateArtifact", "devs:PutArtifact", "devs:FetchArtifactTempBucketToken", "devs:GetEnvironmentDeployment", "devs:GetServiceDeployment", "devs:GetTask", "devs:RenderServicesByTemplate", "devs:RefreshConnection" ], "Resource": "*", "Effect": "Allow" }
Attach the modified custom policy to the RAM user. For more information, see Manage RAM user permissions.
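Example 1 and Example 2 both scope write access by the ARN prefix project/my-project*. The following added Python helper (not Alibaba Cloud's code or the page's own) loads an excerpt of Example 2's scoped statements and, with a simplified evaluator that ignores Conditions, reports which actions a RAM user holding the policy could perform on named projects; the account ID, region and project names are constructed placeholders.

```python
import fnmatch
import json

# Constructed excerpt of the page's Example 2 statements (the scoped replacement for
# the "devs:*" statement); trimmed to a few actions per statement for brevity.
EXAMPLE2_STATEMENTS = json.loads("""[
 {"Action": ["devs:CreateProject", "devs:GetProject", "devs:DeleteProject", "devs:UpdateProject"],
  "Resource": "acs:devs:*:*:project/my-project*", "Effect": "Allow"},
 {"Action": ["devs:GetEnvironment", "devs:DeployEnvironment", "devs:DeleteEnvironment"],
  "Resource": "acs:devs:*:*:project/my-project*/environment/*", "Effect": "Allow"},
 {"Action": ["devs:List*", "devs:GetArtifact", "devs:CreateArtifact"],
  "Resource": "*", "Effect": "Allow"}
]""")
# The statement the page tells you to replace; kept for comparison.
FULL_ACCESS_STATEMENTS = [{"Action": "devs:*", "Resource": "*", "Effect": "Allow"}]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(statements, action, resource):
    """Simplified RAM evaluation: an explicit Deny wins, otherwise any matching Allow
    grants, otherwise the request is denied by default.
    Assumption: Conditions are ignored (the scoped statements on the page carry none),
    so this checks Action/Resource scoping only, not the full RAM evaluation process.
    """
    allowed = False
    for stmt in statements:
        # RAM patterns use '*' (any run of characters) and '?' (one character);
        # fnmatchcase implements exactly that, and '*' also crosses ':' and '/'.
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def project_scope_report(statements, project_names, account="123456789012", region="cn-hangzhou"):
    """Which project-level actions does the policy permit on each named project?
    Account ID and region are constructed placeholders."""
    checks = ("devs:DeleteProject", "devs:GetProject", "devs:UpdateProject")
    return {name: [a for a in checks
                   if is_allowed(statements, a, f"acs:devs:{region}:{account}:project/{name}")]
            for name in project_names}
```

The trailing wildcard in project/my-project* also matches names such as my-projectx, so project_scope_report(EXAMPLE2_STATEMENTS, ["my-projectx"]) reports write access there too; choose a prefix that no unrelated project shares.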
More information
If the RAM user only needs to use the image generation feature, you can grant the RAM user permissions to use image generation projects.