This topic describes the RAM roles required to create services and deploy applications from templates on the Function AI native application development platform. When you first log on to the Function AI console, you are prompted to authorize the creation of the following RAM roles.
AliyunDevsCustomRole
AliyunDevsCustomRole is the default role used to deploy services. The Function AI native application development platform assumes this role to deploy the cloud resources within a project. To ensure a successful deployment, you must grant the platform the required permissions for other Alibaba Cloud products.
The Cloud-native Application Development Platform is the trusted entity for the AliyunDevsCustomRole role.
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"devs.aliyuncs.com"
]
}
}
],
"Version": "1"
}
When you first log on to the Function AI native application development platform, you are guided through the authorization process. The system policy that is granted depends on the type of service you deploy. The policies include AliyunDevsFCServicesDeployPolicy, AliyunDevsRDSServicesDeployPolicy, AliyunDevsFnFServicesDeployPolicy, and AliyunDevsRedisServicesDeployPolicy. The following table describes the service types that each access policy supports.
Access policy | Service type |
AliyunDevsFCServicesDeployPolicy | Function services, web services, model services, MCP services, asynchronous task services, and text-to-image applications |
AliyunDevsRDSServicesDeployPolicy | Database - RDS services (PostgreSQL and MySQL) |
AliyunDevsFnFServicesDeployPolicy | Flow services |
AliyunDevsRedisServicesDeployPolicy | Database - Redis services |
AliyunDevsFCServicesDeployPolicy
AliyunDevsFCServicesDeployPolicy includes the permissions required to deploy services based on Function Compute, such as function services, web services, model services, MCP services, asynchronous task services, and text-to-image applications. Note that the policy grants `devs:*` and `fc:*` with `"Resource": "*"`, so the role it is attached to can manage every Function Compute and platform resource in the account, not only the resources of the project being deployed. The policy content is as follows:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "devs:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"vpc:CreateVpc",
"vpc:CreateVSwitch",
"vpc:ModifyVpcAttribute",
"vpc:DescribeVSwitches",
"vpc:DescribeVpcs",
"ecs:AuthorizeSecurityGroup",
"ecs:CreateSecurityGroup",
"ecs:DescribeSecurityGroups"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"vpc:DescribeVpcAttribute",
"vpc:DescribeVSwitchAttributes"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"oss:AbortMultipartUpload",
"oss:GetBucketAcl",
"oss:GetBucketInfo",
"oss:GetBucketStat",
"oss:PutBucket",
"oss:ListObjectVersions",
"oss:ListParts",
"oss:ListMultipartUploads",
"oss:GetBucketEventNotification",
"oss:PutBucketEventNotification",
"oss:DeleteBucketEventNotification",
"oss:GetObject",
"oss:PutObject"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "oss:ListObjects",
"Resource": "*",
"Condition": {
"StringLike": {
"oss:Prefix": [
"cache-home/*"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"nas:CreateFileSystem",
"nas:DeleteFileSystem",
"nas:DescribeFileSystems",
"nas:ModifyFileSystem",
"nas:DeleteMountTarget",
"nas:ModifyMountTarget",
"nas:DescribeMountTargets"
],
"Resource": "acs:nas:*:*:filesystem/*"
},
{
"Effect": "Allow",
"Action": "nas:CreateMountTarget",
"Resource": [
"acs:nas:*:*:filesystem/*",
"acs:vpc:*:*:vswitch/*"
]
},
{
"Effect": "Allow",
"Action": [
"nas:CreateAccessGroup",
"nas:CreateAccessRule"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"log:CreateProject",
"log:GetProject"
],
"Resource": [
"acs:log:*:*:project/*-logproject",
"acs:log:*:*:project/*-project",
"acs:log:*:*:project/aliyun-serverless-*",
"acs:log:*:*:project/serverless-*"
]
},
{
"Effect": "Allow",
"Action": [
"log:CreateLogStore",
"log:GetLogStore",
"log:CreateIndex",
"log:GetIndex",
"log:DeleteLogStore",
"log:DeleteIndex"
],
"Resource": [
"acs:log:*:*:project/*-logproject/logstore/*",
"acs:log:*:*:project/*-project/logstore/*",
"acs:log:*:*:project/aliyun-serverless-*/logstore/*",
"acs:log:*:*:project/serverless-*/logstore/*"
]
},
{
"Effect": "Allow",
"Action": "fc:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"log:GetEtlJob",
"log:UpdateEtlJob",
"log:CreateEtlJob",
"log:DeleteEtlJob"
],
"Resource": "acs:log:*:*:*"
},
{
"Effect": "Allow",
"Action": "ram:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"acs:Service": [
"log.aliyuncs.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"cdn:UpdateFCTrigger",
"cdn:DeleteFCTrigger",
"cdn:DescribeFCTrigger",
"cdn:AddFCTrigger"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ots:GetTrigger",
"ots:CreateTrigger",
"ots:DeleteTrigger"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ram:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"acs:Service": [
"ots.aliyuncs.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"mns:Subscribe",
"mns:Unsubscribe",
"mns:GetSubscriptionAttributes"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"eventbridge:CreateEventBus",
"eventbridge:UpdateEventBus",
"eventbridge:GetEventBus",
"eventbridge:DeleteEventBus",
"eventbridge:CreateRule",
"eventbridge:GetRule",
"eventbridge:UpdateRule",
"eventbridge:EnableRule",
"eventbridge:DisableRule",
"eventbridge:DeleteRule",
"eventbridge:ListRules",
"eventbridge:DeleteTargets",
"eventbridge:ListTargets"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"log:UpdateIndex",
"log:UpdateLogStore"
],
"Resource": [
"acs:log:*:*:project/aliyun-serverless-*/logstore/default-logs",
"acs:log:*:*:project/serverless-*/logstore/default-logs"
]
},
{
"Effect": "Allow",
"Action": [
"log:CreateDashboard",
"log:UpdateDashboard"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"log:CreateSavedSearch",
"log:UpdateSavedSearch"
],
"Resource": [
"acs:log:*:*:project/aliyun-serverless-*/savedsearch/*",
"acs:log:*:*:project/serverless-*/savedsearch/*"
]
}
]
}
AliyunDevsRDSServicesDeployPolicy
AliyunDevsRDSServicesDeployPolicy includes the permissions required to deploy database services, such as PostgreSQL and MySQL. The policy content is as follows:
{
"Version": "1",
"Statement": [
{
"Action": [
"rds:CreateAccount",
"rds:CreateDatabase",
"rds:CreateDBInstance",
"rds:DescribeAccounts",
"rds:DescribeAvailableClasses",
"rds:DescribeAvailableZones",
"rds:DescribeDatabases",
"rds:DescribeDBInstanceAttribute",
"rds:DescribeDBInstances",
"rds:DescribePostgresExtensions",
"rds:CreatePostgresExtensions",
"rds:DeleteDBInstance",
"rds:GrantAccountPrivilege"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
AliyunDevsFnFServicesDeployPolicy
AliyunDevsFnFServicesDeployPolicy includes the permissions required to deploy flow services. The policy content is as follows:
{
"Version": "1",
"Statement": [
{
"Action": [
"fnf:DescribeFlow",
"fnf:UpdateFlow",
"fnf:CreateFlow",
"fnf:ListSchedules",
"fnf:DeleteSchedule",
"fnf:DeleteFlow"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
AliyunDevsRedisServicesDeployPolicy
AliyunDevsRedisServicesDeployPolicy includes the permissions required to deploy Redis database services. The policy content is as follows:
{
"Version": "1",
"Statement": [
{
"Action": [
"kvstore:CreateAccount",
"kvstore:CreateInstance",
"kvstore:DescribeInstances",
"kvstore:DescribeAvailableResource",
"kvstore:DescribeInstanceAttribute",
"kvstore:DescribeAvailableClasses",
"kvstore:DescribeAccounts",
"kvstore:ModifySecurityIps",
"kvstore:DeleteInstance"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
AliyunDevsDefaultRole
The Function AI native application development platform assumes the AliyunDevsDefaultRole to perform platform functions that require access to other Alibaba Cloud products. These functions involve managing your cloud resources, such as Function Compute (FC), Object Storage Service (OSS), and Apsara File Storage NAS (NAS). Examples include the following:
Creating helper functions in your account for the self-hosted GitLab integration.
Reading from and writing to OSS buckets in your account for the deployment task cache.
Mounting NAS file systems in your account for model downloads.
The trusted entity for the AliyunDevsDefaultRole is the Cloud-native Application Development Platform.
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"devs.aliyuncs.com"
]
}
}
],
"Version": "1"
}
The policy attached to AliyunDevsDefaultRole is as follows:
{
"Version": "1",
"Statement": [
{
"Action": [
"fc:GetFunction",
"fc:CreateFunction",
"fc:UpdateFunction",
"fc:DeleteFunction",
"fc:ListFunctions",
"fc:InvokeFunction",
"fc:GetProvisionConfig",
"fc:PutProvisionConfig",
"fc:DeleteProvisionConfig",
"fc:ListProvisionConfigs",
"fc:GetFunctionAsyncInvokeConfig",
"fc:ListFunctionAsyncInvokeConfigs",
"fc:DeleteFunctionAsyncInvokeConfig",
"fc:PutFunctionAsyncInvokeConfig",
"fc:ListConcurrencyConfigs",
"fc:DeleteConcurrencyConfig",
"fc:PutConcurrencyConfig",
"fc:GetConcurrencyConfig",
"fc:CreateTrigger",
"fc:UpdateTrigger",
"fc:GetTrigger",
"fc:DeleteTrigger",
"fc:ListTriggers",
"fc:ListInstances",
"fc:ListVpcBindings",
"fc:CreateVpcBinding",
"fc:DeleteVpcBinding",
"fc:GetFunctionOnDemandConfig",
"fc:ListOnDemandConfigs",
"fc:DeleteFunctionOnDemandConfig",
"fc:PutFunctionOnDemandConfig"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"fc:GetService",
"fc:CreateService",
"fc:UpdateService",
"fc:DeleteService",
"fc:ListServices",
"fc:DeleteFunction",
"fc:UpdateFunction",
"fc:GetFunction",
"fc:CreateFunction",
"fc:GetStatefulAsyncInvocation",
"fc:PutFunctionAsyncInvokeConfig",
"fc:InvokeFunction"
],
"Effect": "Allow",
"Resource": "acs:fc:*:*:services/_appcenter*"
},
{
"Action": "ram:PassRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"acs:Service": "fc.aliyuncs.com"
}
}
},
{
"Action": [
"devs:ListTasks",
"devs:GetPipeline",
"devs:PutPipelineStatus",
"devs:GetPipelineTemplate",
"devs:CreateTask",
"devs:GetTask",
"devs:PutTaskStatus",
"devs:GetTaskTemplate",
"devs:StartTask"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"oss:ListObjects",
"oss:GetObject",
"oss:InitiateMultipartUpload",
"oss:UploadPart",
"oss:CompleteMultipartUpload",
"oss:AbortMultipartUpload",
"oss:PutObject"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ecs:CreateNetworkInterface",
"ecs:DeleteNetworkInterface",
"ecs:CreateNetworkInterfacePermission",
"ecs:DeleteNetworkInterfacePermission",
"ecs:DescribeNetworkInterfaceAttribute",
"ecs:DescribeNetworkInterfacePermissions",
"ecs:DescribeNetworkInterfaces"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "vpc:DescribeVSwitchAttributes",
"Resource": "*"
}
]
}
Roles required for template deployments
When you initialize a project from certain templates, the roles in the following table are used to access other cloud resources.
Role | Description |
AliyunServiceRolePolicyForRdsPgsqlOnEcs | RDS uses this role to access your resources in other cloud products. |
AliyunFnFExecutionRole | Function Flow uses this role to access cloud resources within a flow. |
AliyunOSSEventNotificationRole | OSS uses this role to send event notifications and trigger function calls. |
AliyunServiceRoleForFC | Grants Function Compute permissions to access cloud resources such as Virtual Private Cloud (VPC), Elastic Compute Service (ECS), Simple Log Service (SLS), and Container Registry. |
AliyunFCDefaultRole | Grants Function Compute permissions to access more cloud resources. |