Configure resource groups


Use resource groups to organize your Function Compute (FC) resources for more efficient management. Resource groups allow you to group resources by dimensions such as department, project, or environment. Combined with Resource Access Management (RAM), resource groups help you isolate resources and implement fine-grained permission management within a single Alibaba Cloud account.

Use cases

An enterprise uses a single Alibaba Cloud account to create multiple functions. It needs to authorize different teams to access specific groups of functions. The enterprise wants to ensure that each team can view and manage only the functions they are authorized for.

For example:

  • The development team can manage only functions related to the development environment.

  • The operations team can manage only functions related to the production environment.

Benefits

Using resource groups to grant permissions on functions provides the following benefits:

  • Simplified permission management: Manage permissions for multiple functions centrally through resource groups, eliminating the need to grant permissions for each function individually.

  • Clear resource organization: Resource groups provide an intuitive view of your resources, simplifying management and maintenance.

  • Flexible access control: Provides fine-grained, resource group-based access control.

  • Secure isolation: Each team can access only its authorized resource groups, ensuring resource isolation.

Usage notes

  • A resource group can contain resources from different regions.

  • If you do not specify a resource group when you create a resource, the resource is added to the default resource group.

  • A function's sub-resources, such as an alias, trigger, or asynchronous configuration, inherit the function's access control rules.

  • A RAM user must select the correct resource group in the console to view and manage the corresponding functions.

  • Ensure that the region selected by the RAM user matches the region of the functions in the resource group.

Procedure

This example shows how to create a resource group for a development team and grant that team permissions to view and manage only the specified functions.

Step 1: Create a RAM user and group

Use your Alibaba Cloud account to complete the following steps:

  1. Log on to the RAM console to create a RAM user, such as developer.

    For more information, see Create a RAM user.

  2. Create a RAM user group, such as developer, and add the created RAM user to this group.

    For more information, see Create a RAM user group and Add a RAM user to a RAM user group.

Note

A RAM user inherits all permissions from the RAM user groups to which it belongs.

Step 2: Create a resource group

Log on to the Resource Management console and create a resource group, such as dev. For more information, see Create a resource group.

Step 3: Add functions to the resource group

You can add a function to a resource group when you create the function. For more information, see Create a function. To add an existing function to a resource group, follow these steps:

  1. Log on to the Function Compute console. In the left-side navigation pane, click Functions.

  2. In the top navigation bar, select a region. On the Functions page, click the function that you want to manage.

  3. On the function details page, click the Configuration tab. In the Advanced Settings > More Configurations section, click the edit icon next to the resource group.

  4. In the Modify Resource Group dialog box, select the resource group that you created in Step 2, and then click Confirm.

Alternatively, you can add functions to a resource group from the Resource Management console. For more information, see Manage resources in a resource group.

Step 4: Grant permissions to the user group

  1. Log on to the RAM console. In the left-side navigation pane, choose . In the Actions column for the target user group, click Add Permissions.

  2. In the Attach Policy panel, set Scope to Resource Group, select the target resource group, select a policy such as AliyunFCFullAccess in the Policy section, and then click OK.

    Important

    As a security best practice, follow the Principle of Least Privilege (PoLP). Create a custom policy that grants only the permissions required for the RAM user to perform their job. For more information, see Create a custom policy.

Step 5: Verify the result

  1. Log on to the Function Compute console as the RAM user. In the left-side navigation pane, choose Function Management > Functions.

    For information about how to log on to the console as a RAM user, see Log on to the Alibaba Cloud Management Console as a RAM user.

  2. In the top navigation bar, select the same region as the function from Step 3, and then select the dev resource group.

    The RAM user must select the corresponding resource group to view functions in the list. Otherwise, the list appears empty.

  3. On the Functions page, view and manage the functions within the selected resource group. Try switching to other resource groups to verify that you cannot view functions in resource groups you are not authorized to access.

Additional authorization configurations

Create a custom policy

For more fine-grained control over Function Compute resources such as layers and custom domains, we recommend creating a custom policy for your RAM users. This approach aligns with the Principle of Least Privilege (PoLP).

  1. Log on to the RAM console with your Alibaba Cloud account and create a custom policy named FCPolicyForDevelopers using the following policy document.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "log:Get*",
            "log:List*",
            "log:Query*",
            "log:CreateProject",
            "log:CreateLogStore",
            "log:CreateIndex"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "fc:GetLayerVersionByArn",
            "fc:ListLayers",
            "fc:PutLayerACL",
            "fc:ListLayerVersions",
            "fc:CreateLayerVersion",
            "fc:DeleteLayerVersion",
            "fc:GetLayerVersion"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "fc:ListCustomDomains",
            "fc:GetCustomDomain",
            "fc:DeleteCustomDomain",
            "fc:UpdateCustomDomain",
            "fc:CreateCustomDomain"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "ram:ListRoles",
          "Resource": "*"
        }
      ]
    }
    
  2. Grant the FCPolicyForDevelopers custom policy to the developer RAM user group created in Step 1.

    For more information, see Grant permissions to a RAM user group.
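The following script is an added example, not code from the Alibaba Cloud documentation or the Function Compute product. It illustrates the least-privilege point made in Step 4 and in this section by parsing RAM policy documents in the structure shown above ("Version", "Statement", "Effect", "Action", "Resource") and reporting statements that grant wildcard actions or allow write-type actions on every resource. The two embedded policies are constructed for illustration: one reproduces the FCPolicyForDevelopers document from this page, the other uses "fc:*" on "*" to stand in for a full-access policy. The read-only verb list and the "high"/"medium" severities are assumptions of the example, and Deny statements are deliberately ignored for simplicity.

```python
"""Audit Alibaba Cloud RAM policy documents for overly broad grants.

Added example: the checks below are a simple static review of a policy
document. They do not call any Alibaba Cloud API and are not the RAM
service's own evaluation logic.
"""
import fnmatch
import json

# Constructed sample: the FCPolicyForDevelopers document shown on this page.
FC_POLICY_FOR_DEVELOPERS = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["log:Get*", "log:List*", "log:Query*",
                    "log:CreateProject", "log:CreateLogStore", "log:CreateIndex"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["fc:GetLayerVersionByArn", "fc:ListLayers", "fc:PutLayerACL",
                    "fc:ListLayerVersions", "fc:CreateLayerVersion",
                    "fc:DeleteLayerVersion", "fc:GetLayerVersion"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["fc:ListCustomDomains", "fc:GetCustomDomain",
                    "fc:DeleteCustomDomain", "fc:UpdateCustomDomain",
                    "fc:CreateCustomDomain"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "ram:ListRoles", "Resource": "*"},
    ],
})

# Constructed sample: a broad grant comparable to a full-access system policy.
FULL_ACCESS_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "fc:*", "Resource": "*"}],
})

# Assumption of this example: actions whose verb starts with one of these
# prefixes are treated as read-only; everything else counts as a write.
READ_ONLY_VERBS = ("Get", "List", "Describe", "Query")


def _as_list(value):
    """RAM allows "Action"/"Resource" to be a string or a list; normalise."""
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    """Classify "service:Verb..." by its verb prefix (see READ_ONLY_VERBS)."""
    _, _, verb = action.partition(":")
    return any(verb.startswith(prefix) for prefix in READ_ONLY_VERBS)


def audit_policy(policy_json):
    """Return findings as (statement index, severity, message) tuples.

    Only Allow statements are inspected; Deny statements are ignored here.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        every_resource = "*" in _as_list(stmt.get("Resource", []))
        for action in actions:
            service, _, verb = action.partition(":")
            if action == "*" or verb == "*":
                # "fc:*" grants every API of the service, read and write alike.
                findings.append((idx, "high",
                                 f"wildcard action {action!r} grants every API of "
                                 f"{service or 'every service'}"))
            elif every_resource and not _is_read_only(action):
                # A write action that is not scoped to a specific resource.
                findings.append((idx, "medium",
                                 f"write action {action!r} allowed on Resource '*'"))
    return findings


def allowed_actions(policy_json, candidates):
    """Return the candidate actions that some Allow statement matches.

    Wildcards such as "log:Get*" or "fc:*" are expanded with glob matching.
    """
    policy = json.loads(policy_json)
    patterns = [action
                for stmt in policy.get("Statement", [])
                if stmt.get("Effect") == "Allow"
                for action in _as_list(stmt.get("Action", []))]
    return sorted(c for c in candidates
                  if any(fnmatch.fnmatchcase(c, p) for p in patterns))


if __name__ == "__main__":
    for name, doc in (("FCPolicyForDevelopers", FC_POLICY_FOR_DEVELOPERS),
                      ("full access", FULL_ACCESS_POLICY)):
        print(f"== {name} ==")
        for idx, severity, message in audit_policy(doc):
            print(f"  statement[{idx}] {severity}: {message}")
```

Running the script shows the difference the page argues for: the custom policy yields only "medium" findings on the specific Create/Delete/Update/Put actions it intentionally grants, whereas the "fc:*" policy yields a "high" finding because it grants every Function Compute API, including ones such as deleting functions that the development team never needs. The checks are a review aid for policy documents before they are attached with a resource-group scope; they do not replace testing the RAM user's access as described in Step 5.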

Permissions for other Alibaba Cloud services

If your functions need to access other Alibaba Cloud services, you must also grant the required permissions for those services. Examples include the system policy AliyunLogFullAccess for Simple Log Service (SLS), AliyunOSSFullAccess for Object Storage Service (OSS), and AliyunNASFullAccess for File Storage NAS.

For more information, see Policies and examples.
