Access policies and examples

Function Compute uses Resource Access Management (RAM) for permission management. With RAM, you can avoid sharing your AccessKey, which consists of an AccessKey ID and an AccessKey secret. This lets you grant least privilege permissions to RAM users as needed. This topic describes the access policies for Function Compute, including system policies and custom policies, and provides examples of custom policies.

Policy types

In RAM, an access policy is a collection of permissions that is described using a specific syntax and structure. It precisely defines the authorized resource set, action set, and conditions. Function Compute supports the following types of access policies:

  • System policies: These policies are created and maintained by Alibaba Cloud. You can use these policies, but you cannot modify them.

  • Custom policies: You can create, update, and delete these policies. You are responsible for maintaining all updates to these policies.

System policies

When a RAM user logs on to the Function Compute console for the first time, the parent Alibaba Cloud account must grant the RAM user system policies to access Function Compute and other Alibaba Cloud services. After the authorization is successful, the RAM user can access these services.

System policies include the following types:

  • System policies provided by Function Compute.

    • AliyunFCReadOnlyAccess: Grants read-only permissions on all Function Compute resources.

    • AliyunFCInvocationAccess: Grants permissions to invoke all functions.

    • AliyunFCFullAccess: Grants full permissions on all Function Compute resources.

    Note

    The AliyunFCFullAccess policy, which grants administrative permissions for Function Compute, includes the permissions from both the AliyunFCInvocationAccess (invoke functions) and AliyunFCReadOnlyAccess (read-only access) policies. After you attach the AliyunFCFullAccess policy, you do not need to attach the other two policies.

  • System policies provided by other Alibaba Cloud services. The following entries list each cloud product and the system policies that apply to it.

    Simple Log Service (SLS)

    • AliyunLogReadOnlyAccess: Grants read-only permissions on Simple Log Service.

    • AliyunLogFullAccess: Grants administrative permissions for Simple Log Service.

    Note

    Based on the principle of least privilege, you only need to grant the RAM user the AliyunLogReadOnlyAccess policy to access Simple Log Service.

    Object Storage Service (OSS)

    • AliyunOSSReadOnlyAccess: Grants read-only permissions on Object Storage Service (OSS).

    • AliyunOSSFullAccess: Grants administrative permissions for OSS.

    Cloud Monitor

    AliyunCloudMonitorReadOnlyAccess: Grants read-only permissions on Cloud Monitor.

    Certificate Service

    AliyunYundunCertReadOnlyAccess: Grants read-only permissions on Certificate Service.

    Virtual Private Cloud (VPC)

    AliyunVPCReadOnlyAccess: Grants read-only permissions on VPC.

    Elastic Compute Service (ECS)

    AliyunECSReadOnlyAccess: Grants read-only permissions on ECS.

    Resource Access Management (RAM)

    • AliyunRAMReadOnlyAccess: Grants read-only permissions on RAM. This includes permissions to view users, groups, and authorization information.

    • AliyunRAMFullAccess: Grants administrative permissions for RAM. This includes permissions to manage users and authorizations.

    Note

    The AliyunRAMReadOnlyAccess policy only applies to getting the list of roles in the console. If a RAM user needs to perform other operations, you must grant the RAM user administrative permissions for RAM using the AliyunRAMFullAccess policy.

    Application Real-Time Monitoring Service (ARMS)

    • AliyunARMSReadOnlyAccess: Grants read-only permissions on ARMS.

    • AliyunARMSFullAccess: Grants administrative permissions for ARMS.

    Note

    Based on the principle of least privilege, you only need to grant the RAM user the AliyunARMSReadOnlyAccess policy to access ARMS.

    Simple Message Queue (formerly MNS)

    • AliyunMNSReadOnlyAccess: Grants read-only permissions on Simple Message Queue (formerly MNS).

    • AliyunMNSFullAccess: Grants administrative permissions for Simple Message Queue (formerly MNS).

    Note

    Based on the principle of least privilege, you only need to grant the RAM user the AliyunMNSReadOnlyAccess policy to access Simple Message Queue (formerly MNS).

    EventBridge

    • AliyunEventBridgeReadOnlyAccess: Grants read-only permissions on EventBridge.

    • AliyunEventBridgeFullAccess: Grants administrative permissions for EventBridge.

    Note

    Based on the principle of least privilege, you only need to grant the RAM user the AliyunEventBridgeReadOnlyAccess policy to access EventBridge.

    Message Queue for Apache RocketMQ

    • AliyunMQReadOnlyAccess: Grants read-only permissions on Message Queue.

    • AliyunMQFullAccess: Grants administrative permissions for Message Queue.

    Note

    Based on the principle of least privilege, you only need to grant the RAM user the AliyunMQReadOnlyAccess policy to access Message Queue for Apache RocketMQ.

    Container Registry (ACR)

    • AliyunContainerRegistryReadOnlyAccess: Grants read-only permissions on Container Registry.

    • AliyunContainerRegistryFullAccess: Grants administrative permissions for Container Registry.

    Note

    Based on the principle of least privilege, you only need to grant the RAM user the AliyunContainerRegistryReadOnlyAccess policy to access Container Registry.

    File Storage NAS

    • AliyunNASReadOnlyAccess: Grants read-only permissions on File Storage NAS.

    • AliyunNASFullAccess: Grants administrative permissions for File Storage NAS.

    Note

    Based on the principle of least privilege, you only need to grant the RAM user the AliyunNASReadOnlyAccess policy to access File Storage NAS.

    ApsaraDB RDS

    • AliyunRDSReadOnlyAccess: Grants read-only permissions on ApsaraDB RDS.

    • AliyunRDSFullAccess: Grants administrative permissions for ApsaraDB RDS.

    Note

    Based on the principle of least privilege, you only need to grant the RAM user the AliyunRDSReadOnlyAccess policy to access ApsaraDB RDS.

    Apsara Devops

    • AliyunRDCReadOnlyAccess: Grants read-only permissions on Apsara Devops RDC.

    • AliyunRDCFullAccess: Grants administrative permissions for Apsara Devops RDC.

    Note

    Based on the principle of least privilege, you only need to grant the RAM user the AliyunRDCReadOnlyAccess policy to access Apsara Devops RDC.

Important

If a RAM user cannot update a trigger after you grant trigger-related permissions, such as the AliyunOSSFullAccess policy for OSS, you must also attach the following custom policy to the RAM user. After the policy is attached, the RAM user can update OSS triggers.

{
    "Statement": [
        {
            "Action": [
                "ram:PassRole"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "1"
}

Custom policies

In addition to the system policies provided by Function Compute, you can create custom policies for more fine-grained permission management. For more information about the basic elements of an access policy, see Basic elements of an access policy.

The following list gives each Function Compute resource, the actions that can be granted on it, and a description of the resource.

  • acs:fc:<region>:<account-id>:services/<serviceName>
    Actions: fc:GetService, fc:UpdateService, fc:DeleteService
    Description: A specific service resource.

  • acs:fc:<region>:<account-id>:services/*
    Actions: fc:CreateService, fc:ListServices
    Description: All service resources.

  • acs:fc:<region>:<account-id>:services/<serviceName>.<qualifier>
    Actions: fc:GetService
    Description: A specific version of a service resource.

  • acs:fc:<region>:<account-id>:services/<serviceName>/functions/<functionName>
    Actions: fc:GetFunction, fc:UpdateFunction, fc:DeleteFunction, fc:InvokeFunction
    Description: A specific function resource in a specific service.

  • acs:fc:<region>:<account-id>:services/<serviceName>/functions/*
    Actions: fc:CreateFunction, fc:ListFunctions
    Description: All function resources in a specific service.

  • acs:fc:<region>:<account-id>:services/<serviceName>.*/functions/<functionName>
    Actions: fc:GetFunction, fc:UpdateFunction, fc:DeleteFunction, fc:InvokeFunction, fc:PutProvisionConfig, fc:GetProvisionConfig, fc:PutFunctionOnDemandConfig, fc:DeleteFunctionOnDemandConfig, fc:PutFunctionAsyncInvokeConfig, fc:DeleteFunctionAsyncInvokeConfig, fc:GetFunctionAsyncInvokeConfig, fc:GetFunctionOnDemandConfig
    Description: All function resources in all versions of a specific service.

  • acs:fc:<region>:<account-id>:services/<serviceName>/functions/<functionName>/triggers/<triggerName>
    Actions: fc:GetTrigger, fc:UpdateTrigger, fc:DeleteTrigger
    Description: A specific trigger resource for a specific function in a specific service.

  • acs:fc:<region>:<account-id>:services/<serviceName>/functions/<functionName>/triggers/*
    Actions: fc:CreateTrigger, fc:ListTriggers
    Description: All trigger resources for a specific function in a specific service.

  • acs:fc:<region>:<account-id>:services/<serviceName>/versions
    Actions: fc:PublishServiceVersion, fc:ListServiceVersions
    Description: All versions.

  • acs:fc:<region>:<account-id>:services/<serviceName>/versions/<versionId>
    Actions: fc:DeleteServiceVersion
    Description: A specific version.

  • acs:fc:<region>:<account-id>:services/<serviceName>/aliases/*
    Actions: fc:CreateAlias, fc:ListAliases
    Description: All aliases.

  • acs:fc:<region>:<account-id>:services/<serviceName>/aliases/<aliasName>
    Actions: fc:GetAlias, fc:UpdateAlias, fc:DeleteAlias
    Description: A specific alias.

  • acs:fc:<region>:<account-id>:custom-domains/*
    Actions: fc:CreateCustomDomain, fc:ListCustomDomains
    Description: All custom domain names.

  • acs:fc:<region>:<account-id>:custom-domains/<domainName>
    Actions: fc:GetCustomDomain, fc:UpdateCustomDomain, fc:DeleteCustomDomain
    Description: A specific custom domain name.

  • acs:fc:<region>:<account-id>:tag
    Actions: fc:TagResource, fc:GetResourceTags, fc:UnTagResource
    Description: A single tag.

  • acs:fc:<region>:<account-id>:tags/*
    Actions: fc:ListTaggedResources
    Description: All tags.

  • acs:fc:<region>:<account-id>:account-settings/*
    Actions: fc:GetAccountSettings
    Description: User settings.

  • acs:fc:<region>:<account-id>:layerarn/<arn>
    Actions: fc:GetLayerVersionByArn
    Description: All layers.

  • acs:fc:<region>:<account-id>:layers/*
    Actions: fc:ListLayers
    Description: All layers.

  • acs:fc:<region>:<account-id>:layers/<layerName>/versions/<versionId>
    Actions: fc:PublishLayerAsPublic
    Description: All layers.

  • acs:fc:<region>:<account-id>:layers/<layerName>/versions/*
    Actions: fc:ListLayerVersions, fc:CreateLayerVersion
    Description: All layer versions.

  • acs:fc:<region>:<account-id>:layers/<layerName>/versions/<versionId>
    Actions: fc:GetLayerVersion, fc:DeleteLayerVersion
    Description: All layer versions.

  • acs:fc:<region>:<account-id>:on-demand-configs/*
    Actions: fc:ListOnDemandConfigs
    Description: On-demand instance configuration.

  • acs:fc:<region>:<account-id>:provision-configs/*
    Actions: fc:ListProvisionConfigs
    Description: Provisioned instance configuration.

  • acs:fc:<region>:<account-id>:services/<serviceName>/binding
    Actions: fc:DeleteVpcBinding
    Description: VPC binding.

  • acs:fc:<region>:<account-id>:services/<serviceName>/binding/*
    Actions: fc:CreateVpcBinding, fc:ListVpcBindings
    Description: VPC binding.

  • acs:fc:<region>:<account-id>:services/<serviceName>/functions/<functionName>/async-invoke-configs/*
    Actions: fc:ListFunctionAsyncInvokeConfigs
    Description: Asynchronous invocation configuration.

  • acs:fc:<region>:<account-id>:services/<serviceName>/functions/<functionName>/code
    Actions: fc:GetFunctionCode
    Description: All function code.

  • acs:fc:<region>:<account-id>:services/<serviceName>/functions/<functionName>/stateful-async-invocations/*
    Actions: fc:ListStatefulAsyncInvocations
    Description: Asynchronous task.

  • acs:fc:<region>:<account-id>:services/<serviceName>/functions/<functionName>/stateful-async-invocations/<invocationId>
    Actions: fc:GetStatefulAsyncInvocation, fc:StopStatefulAsyncInvocation
    Description: Asynchronous task.

For example, to grant permissions to invoke the demo function in the test service in the China (Hangzhou) region, you can use a custom policy. The following code shows an example policy:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "fc:InvokeFunction"
            ],
            "Resource": "acs:fc:cn-hangzhou:*:services/test/functions/demo",
            "Effect": "Allow"
        }
    ]
}

Access policy examples

Custom policy to create and get services and to create and execute functions

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "fc:CreateService",
                "fc:GetService",
                "fc:CreateFunction",
                "fc:GetFunction",
                "fc:InvokeFunction"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ram:PassRole"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Custom policy to access logs

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "log:ListProject",
                "log:ListLogStore"
            ],
            "Resource": "acs:log:*:*:project/*"
        }
    ]
}

Custom policy to access OSS triggers

{
  "Statement": [
    {
      "Action": [
        "oss:ListBucket",
        "oss:GetBucketEventNotification",
        "oss:PutBucketEventNotification",
        "oss:DeleteBucketEventNotification"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}

Custom policy to deny the creation of services with public network access

{
  "Version": "1",
  "Statement": [
    {
      "Action": "fc:UpdateService",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "fc:EnableServiceInternetAccess": "true"
        }
      }
    },
    {
      "Action": "fc:CreateService",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "fc:EnableServiceInternetAccess": "false"
        }
      }
    }
  ]
}

Custom policy to deny the creation of services with logging disabled

{
  "Version": "1",
  "Statement": [
    {
      "Action": "fc:UpdateService",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "fc:EnableServiceSLSLogging": "false"
        }
      }
    },
    {
      "Action": "fc:CreateService",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "fc:EnableServiceSLSLogging": "true"
        }
      }
    }
  ]
}

Custom policy to deny the creation of HTTP triggers that allow anonymous (public) access

{
  "Version": "1",
  "Statement": [
    {
      "Action": "fc:UpdateTrigger",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "fc:EnableHTTPTriggerAnonymous": "true"
        }
      }
    },
    {
      "Action": "fc:CreateTrigger",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "fc:EnableHTTPTriggerAnonymous": "true"
        }
      }
    }
  ]
}
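The policies on this page depend on two evaluation rules: a wildcard in Resource (such as the * account ID in the InvokeFunction example) matches any characters, and an explicit Deny overrides any Allow, which is why the CreateService Deny is written as StringNotEquals "false" rather than StringEquals "true", so that a request that simply omits the flag is still denied. The following Python evaluator is an added example, not Alibaba Cloud code; it replays those rules against the page's own policies and assumes that an absent condition key fails StringEquals and satisfies StringNotEquals, using a constructed allow-all policy FC_FULL as a stand-in for AliyunFCFullAccess.

```python
import re

# Policies constructed in the shape of the page's examples.
INVOKE_DEMO = {"Version": "1", "Statement": [
    {"Action": ["fc:InvokeFunction"], "Effect": "Allow",
     "Resource": "acs:fc:cn-hangzhou:*:services/test/functions/demo"}]}
NO_INTERNET = {"Version": "1", "Statement": [
    {"Action": "fc:UpdateService", "Effect": "Deny", "Resource": "*",
     "Condition": {"StringEquals": {"fc:EnableServiceInternetAccess": "true"}}},
    {"Action": "fc:CreateService", "Effect": "Deny", "Resource": "*",
     "Condition": {"StringNotEquals": {"fc:EnableServiceInternetAccess": "false"}}}]}
# Assumed stand-in for a broad Allow such as AliyunFCFullAccess.
FC_FULL = {"Version": "1", "Statement": [
    {"Action": "fc:*", "Effect": "Allow", "Resource": "*"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _match(pattern, value):
    # RAM-style wildcard: '*' matches any run of characters, including ':' and '/'.
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), value) is not None

def _condition_holds(cond, ctx):
    # Assumption: an absent condition key fails StringEquals but satisfies
    # StringNotEquals. That is why the CreateService Deny uses StringNotEquals
    # "false": a request that omits the flag is still caught by the Deny.
    for op, pairs in cond.items():
        for key, wanted in pairs.items():
            present = ctx.get(key) in _as_list(wanted)
            if (op == "StringEquals" and not present) or (op == "StringNotEquals" and present):
                return False
    return True

def evaluate(policies, action, resource, ctx=None):
    """'Allow' or 'Deny': an explicit Deny wins; no matching Allow is an implicit Deny."""
    ctx, allowed = ctx or {}, False
    for st in (s for p in policies for s in p["Statement"]):
        if (any(_match(a, action) for a in _as_list(st["Action"]))
                and any(_match(r, resource) for r in _as_list(st["Resource"]))
                and _condition_holds(st.get("Condition", {}), ctx)):
            if st["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"
```

Running evaluate([FC_FULL, NO_INTERNET], "fc:CreateService", ...) with no context denies the request even though FC_FULL allows it, while passing {"fc:EnableServiceInternetAccess": "false"} allows it.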