This topic describes the permissions that a RAM user requires to use Serverless Workflow and explains how to configure a user access policy.
Background information
You can skip this topic if you log on to the console using your Alibaba Cloud account or a RAM user that has AdministratorAccess permissions. If the RAM user has limited permissions, follow the steps in this topic to configure an access policy.
Procedure
- In Policy Management in the RAM console, click Create Policy. Use the following JSON to create an authorization policy named FnFRAMUserPolicy.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ram:PassRole",
      "Resource": "*"
    },
    {
      "Action": "fc:*",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "fnf:*",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "oss:*",
      "Resource": "acs:oss:*:*:fun-gen-*",
      "Effect": "Allow"
    },
    {
      "Action": "ros:*",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": "ram:CreateRole",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ram:GetPolicy",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ram:CreatePolicy",
      "Resource": "acs:ram:*:*:policy/*"
    },
    {
      "Effect": "Allow",
      "Action": "ram:DeletePolicy",
      "Resource": [
        "acs:ram:*:*:policy/fnf-sample*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "ram:AttachPolicyToRole",
      "Resource": [
        "acs:ram:*:*:role/fnf-sample*",
        "acs:ram:*:*:role/fnf-execution-default-role*",
        "acs:ram:*:*:policy/fnf-sample*",
        "acs:ram:*:system:policy/AliyunECSNetworkInterfaceManagementAccess",
        "acs:ram:*:system:policy/AliyunFCInvocationAccess",
        "acs:ram:*:system:policy/AliyunFnFFullAccess",
        "acs:ram:*:system:policy/AliyunMNSFullAccess"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "ram:DetachPolicyFromRole",
      "Resource": [
        "acs:ram:*:*:role/fnf-sample*",
        "acs:ram:*:*:role/fnf-execution-default-role*",
        "acs:ram:*:*:policy/fnf-sample*",
        "acs:ram:*:system:policy/AliyunECSNetworkInterfaceManagementAccess",
        "acs:ram:*:system:policy/AliyunFCInvocationAccess",
        "acs:ram:*:system:policy/AliyunFnFFullAccess",
        "acs:ram:*:system:policy/AliyunMNSFullAccess"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "ram:ListRoles",
      "Resource": "acs:ram:*:*:role/*"
    },
    {
      "Effect": "Allow",
      "Action": "ram:GetRole",
      "Resource": "acs:ram:*:*:role/*"
    },
    {
      "Effect": "Allow",
      "Action": "ram:DeleteRole",
      "Resource": [
        "acs:ram:*:*:role/fnf-sample*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "ram:ListPoliciesForRole",
      "Resource": "acs:ram:*:*:role/*"
    }
  ]
}
```

- In User Management in the RAM console, select the RAM user for Serverless Workflow and attach the authorization policy that you created in the previous step.

Note
- The permissions in this policy apply to basic operations. If you encounter permission errors when you use application templates or sample projects in the console that involve additional cloud resources, you must add the required permissions to the RAM user.
- To control permission granularity, the policy grants permissions for sensitive RAM operations, such as AttachPolicyToRole, only on roles and policies that have the `fnf-sample` or `fnf-execution-default-role` prefix. If you change the sample project name or the default name in the application center, you must modify the policy content accordingly.
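The prefix scoping described in the note can be checked before a modified policy is saved. The following is an added example, not part of the original documentation: `outside_prefixes`, `retarget`, and the project name `orders-flow` are hypothetical, and `SAMPLE` is a constructed excerpt of FnFRAMUserPolicy. It reports sensitive RAM statements whose resources fall outside the expected name prefixes and rewrites the prefix after a rename.

```python
import copy

# Actions the policy limits to prefixed roles and policies (see the note above).
SCOPED_ACTIONS = {"ram:AttachPolicyToRole", "ram:DetachPolicyFromRole",
                  "ram:DeletePolicy", "ram:DeleteRole"}

# Constructed excerpt of FnFRAMUserPolicy, shortened for this example.
SAMPLE = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "ram:AttachPolicyToRole", "Resource": [
        "acs:ram:*:*:role/fnf-sample*",
        "acs:ram:*:*:role/fnf-execution-default-role*",
        "acs:ram:*:*:policy/fnf-sample*",
        "acs:ram:*:system:policy/AliyunFnFFullAccess"]},
    {"Effect": "Allow", "Action": "ram:DeleteRole",
     "Resource": ["acs:ram:*:*:role/fnf-sample*"]},
]}

def as_list(value):
    """Action and Resource may each be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)

def outside_prefixes(policy, prefixes):
    """Return (action, resource) pairs where a scoped action targets a name
    that does not start with one of `prefixes`. System policies named
    without a wildcard are accepted, as in the page's policy."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt["Action"]):
            if action not in SCOPED_ACTIONS:
                continue
            for res in as_list(stmt["Resource"]):
                name = res.rsplit("/", 1)[-1]
                exact_system = ":system:policy/" in res and "*" not in name
                if not exact_system and not name.startswith(tuple(prefixes)):
                    findings.append((action, res))
    return findings

def retarget(policy, old, new):
    """Return a copy with resource-name prefix `old` replaced by `new`.
    Resource values are normalized to lists; the input is left unchanged."""
    out = copy.deepcopy(policy)
    for stmt in out["Statement"]:
        stmt["Resource"] = [r.replace("/" + old, "/" + new)
                            for r in as_list(stmt["Resource"])]
    return out
```

A non-empty result means the policy either still names the old prefix after a rename or has been widened beyond the prefixes the note describes.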