Quick authorization to create RAM roles

This topic describes the RAM roles required to create services and deploy applications from templates on the cloud-native application development platform Function AI. When you log on to the Function AI console for the first time, follow the prompts to quickly authorize the creation of the following RAM roles.

AliyunDevsCustomRole

AliyunDevsCustomRole is the default role used when deploying services. The cloud-native application development platform assumes this role to deploy the cloud resources that a project contains. You therefore need to grant the platform permissions on the relevant cloud services so that the deployment can complete.

The trusted entity of AliyunDevsCustomRole is the cloud-native application development platform.

{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "devs.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}

When you log on to the cloud-native application development platform for the first time, you are guided through the authorization. Depending on the type of service being deployed, the system permission policies granted are AliyunDevsFCServicesDeployPolicy, AliyunDevsRDSServicesDeployPolicy, AliyunDevsFnFServicesDeployPolicy and AliyunDevsRedisServicesDeployPolicy. The service types supported by each policy are listed in the following table:

Permission policy | Service types
AliyunDevsFCServicesDeployPolicy | Function services, web services, model services, MCP services, asynchronous task services and text-to-image applications
AliyunDevsRDSServicesDeployPolicy | Database - RDS services (PostgreSQL, MySQL)
AliyunDevsFnFServicesDeployPolicy | Workflow services
AliyunDevsRedisServicesDeployPolicy | Database - Redis services

AliyunDevsFCServicesDeployPolicy

AliyunDevsFCServicesDeployPolicy covers the permissions required to deploy function-type services, including function services, web services, model services, MCP services, asynchronous task services and text-to-image applications. The policy content is as follows:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "devs:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "vpc:CreateVpc",
        "vpc:CreateVSwitch",
        "vpc:ModifyVpcAttribute",
        "vpc:DescribeVSwitches",
        "vpc:DescribeVpcs",
        "ecs:AuthorizeSecurityGroup",
        "ecs:CreateSecurityGroup",
        "ecs:DescribeSecurityGroups"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "vpc:DescribeVpcAttribute",
        "vpc:DescribeVSwitchAttributes"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:AbortMultipartUpload",
        "oss:GetBucketAcl",
        "oss:GetBucketInfo",
        "oss:GetBucketStat",
        "oss:PutBucket",
        "oss:ListObjectVersions",
        "oss:ListParts",
        "oss:ListMultipartUploads",
        "oss:GetBucketEventNotification",
        "oss:PutBucketEventNotification",
        "oss:DeleteBucketEventNotification",
        "oss:GetObject",
        "oss:PutObject"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "oss:ListObjects",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "oss:Prefix": [
            "cache-home/*"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "nas:CreateFileSystem",
        "nas:DeleteFileSystem",
        "nas:DescribeFileSystems",
        "nas:ModifyFileSystem",
        "nas:DeleteMountTarget",
        "nas:ModifyMountTarget",
        "nas:DescribeMountTargets"
      ],
      "Resource": "acs:nas:*:*:filesystem/*"
    },
    {
      "Effect": "Allow",
      "Action": "nas:CreateMountTarget",
      "Resource": [
        "acs:nas:*:*:filesystem/*",
        "acs:vpc:*:*:vswitch/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "nas:CreateAccessGroup",
        "nas:CreateAccessRule"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:CreateProject",
        "log:GetProject"
      ],
      "Resource": [
        "acs:log:*:*:project/*-logproject",
        "acs:log:*:*:project/*-project",
        "acs:log:*:*:project/aliyun-serverless-*",
        "acs:log:*:*:project/serverless-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:CreateLogStore",
        "log:GetLogStore",
        "log:CreateIndex",
        "log:GetIndex",
        "log:DeleteLogStore",
        "log:DeleteIndex"
      ],
      "Resource": [
        "acs:log:*:*:project/*-logproject/logstore/*",
        "acs:log:*:*:project/*-project/logstore/*",
        "acs:log:*:*:project/aliyun-serverless-*/logstore/*",
        "acs:log:*:*:project/serverless-*/logstore/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "fc:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:GetEtlJob",
        "log:UpdateEtlJob",
        "log:CreateEtlJob",
        "log:DeleteEtlJob"
      ],
      "Resource": "acs:log:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": "ram:PassRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:Service": [
            "log.aliyuncs.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "cdn:UpdateFCTrigger",
        "cdn:DeleteFCTrigger",
        "cdn:DescribeFCTrigger",
        "cdn:AddFCTrigger"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ots:GetTrigger",
        "ots:CreateTrigger",
        "ots:DeleteTrigger"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ram:PassRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:Service": [
            "ots.aliyuncs.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "mns:Subscribe",
        "mns:Unsubscribe",
        "mns:GetSubscriptionAttributes"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "eventbridge:CreateEventBus",
        "eventbridge:UpdateEventBus",
        "eventbridge:GetEventBus",
        "eventbridge:DeleteEventBus",
        "eventbridge:CreateRule",
        "eventbridge:GetRule",
        "eventbridge:UpdateRule",
        "eventbridge:EnableRule",
        "eventbridge:DisableRule",
        "eventbridge:DeleteRule",
        "eventbridge:ListRules",
        "eventbridge:DeleteTargets",
        "eventbridge:ListTargets"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:UpdateIndex",
        "log:UpdateLogStore"
      ],
      "Resource": [
        "acs:log:*:*:project/aliyun-serverless-*/logstore/default-logs",
        "acs:log:*:*:project/serverless-*/logstore/default-logs"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:CreateDashboard",
        "log:UpdateDashboard"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:CreateSavedSearch",
        "log:UpdateSavedSearch"
      ],
      "Resource": [
        "acs:log:*:*:project/aliyun-serverless-*/savedsearch/*",
        "acs:log:*:*:project/serverless-*/savedsearch/*"
      ]
    }
  ]
}
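The trust policy above restricts who may assume the role, and the deploy policies decide what the assumed role may do; the two are reviewed together. The following is an added example, not part of this documentation or of the platform's own tooling: it parses policy documents of the shape shown above, lists the service principals the trust policy admits, and flags the grants a least-privilege review looks at first (a wildcard action on all resources, and ram:PassRole without an acs:Service condition). The sample policies are constructed for the example; the last statement is deliberately left unconditioned so the check has something to report.

```python
import json

# Constructed sample: the trust policy shape shown above, and a small slice of a
# deploy policy modelled on it, plus one deliberately unconditioned ram:PassRole.
TRUST_POLICY = json.loads("""
{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow",
  "Principal":{"Service":["devs.aliyuncs.com"]}}],"Version":"1"}
""")

PERMISSION_POLICY = json.loads("""
{"Version":"1","Statement":[
 {"Effect":"Allow","Action":"fc:*","Resource":"*"},
 {"Effect":"Allow","Action":["log:CreateProject","log:GetProject"],
  "Resource":["acs:log:*:*:project/serverless-*"]},
 {"Effect":"Allow","Action":"ram:PassRole","Resource":"*",
  "Condition":{"StringEquals":{"acs:Service":["log.aliyuncs.com"]}}},
 {"Effect":"Allow","Action":"ram:PassRole","Resource":"*"}
]}
""")


def _as_list(value):
    # RAM policies allow a single string or a list for Action/Resource/Service.
    return value if isinstance(value, list) else [value]


def trusted_services(trust_policy):
    """Return the set of service principals allowed to call sts:AssumeRole."""
    services = set()
    for st in trust_policy["Statement"]:
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(st["Action"]):
            services.update(_as_list(st.get("Principal", {}).get("Service", [])))
    return services


def review_permissions(policy):
    """Return (statement index, action, reason) for grants worth a closer look."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(st["Action"]), _as_list(st["Resource"])
        for action in actions:
            if action.endswith(":*") and "*" in resources:
                findings.append((i, action, "wildcard action on all resources"))
            if action == "ram:PassRole":
                svc = st.get("Condition", {}).get("StringEquals", {}).get("acs:Service")
                if not svc:
                    findings.append((i, action, "PassRole without acs:Service condition"))
    return findings
```

Run the same functions over the full policy documents on this page to see which statements a reviewer would want the platform to justify.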

AliyunDevsRDSServicesDeployPolicy

AliyunDevsRDSServicesDeployPolicy covers the permissions required to deploy database services (PostgreSQL and MySQL). The policy content is as follows:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "rds:CreateAccount",
        "rds:CreateDatabase",
        "rds:CreateDBInstance",
        "rds:DescribeAccounts",
        "rds:DescribeAvailableClasses",
        "rds:DescribeAvailableZones",
        "rds:DescribeDatabases",
        "rds:DescribeDBInstanceAttribute",
        "rds:DescribeDBInstances",
        "rds:DescribePostgresExtensions",
        "rds:CreatePostgresExtensions",
        "rds:DeleteDBInstance",
        "rds:GrantAccountPrivilege"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

AliyunDevsFnFServicesDeployPolicy

AliyunDevsFnFServicesDeployPolicy covers the permissions required to deploy workflow services. The policy content is as follows:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "fnf:DescribeFlow",
        "fnf:UpdateFlow",
        "fnf:CreateFlow",
        "fnf:ListSchedules",
        "fnf:DeleteSchedule",
        "fnf:DeleteFlow"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

AliyunDevsRedisServicesDeployPolicy

AliyunDevsRedisServicesDeployPolicy covers the permissions required to deploy Redis database services. The policy content is as follows:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "kvstore:CreateAccount",
        "kvstore:CreateInstance",
        "kvstore:DescribeInstances",
        "kvstore:DescribeAvailableResource",
        "kvstore:DescribeInstanceAttribute",
        "kvstore:DescribeAvailableClasses",
        "kvstore:DescribeAccounts",
        "kvstore:ModifySecurityIps",
        "kvstore:DeleteInstance"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

AliyunDevsDefaultRole

The cloud-native application development platform assumes AliyunDevsDefaultRole to carry out platform features that depend on other cloud services. These features involve managing your cloud resources such as FC, OSS and NAS, for example:

  1. Creating helper functions in your account for the self-managed GitLab capability when binding a code repository.

  2. Reading and writing the contents of OSS buckets in your account for the deployment task cache capability.

  3. Mounting NAS in your account for the model download capability.

The trusted entity of AliyunDevsDefaultRole is the cloud-native application development platform.

{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "devs.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}

The policy content is as follows:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "fc:GetFunction",
        "fc:CreateFunction",
        "fc:UpdateFunction",
        "fc:DeleteFunction",
        "fc:ListFunctions",
        "fc:InvokeFunction",
        "fc:GetProvisionConfig",
        "fc:PutProvisionConfig",
        "fc:DeleteProvisionConfig",
        "fc:ListProvisionConfigs",
        "fc:GetFunctionAsyncInvokeConfig",
        "fc:ListFunctionAsyncInvokeConfigs",
        "fc:DeleteFunctionAsyncInvokeConfig",
        "fc:PutFunctionAsyncInvokeConfig",
        "fc:ListConcurrencyConfigs",
        "fc:DeleteConcurrencyConfig",
        "fc:PutConcurrencyConfig",
        "fc:GetConcurrencyConfig",
        "fc:CreateTrigger",
        "fc:UpdateTrigger",
        "fc:GetTrigger",
        "fc:DeleteTrigger",
        "fc:ListTriggers",
        "fc:ListInstances",
        "fc:ListVpcBindings",
        "fc:CreateVpcBinding",
        "fc:DeleteVpcBinding",
        "fc:GetFunctionOnDemandConfig",
        "fc:ListOnDemandConfigs",
        "fc:DeleteFunctionOnDemandConfig",
        "fc:PutFunctionOnDemandConfig"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "fc:GetService",
        "fc:CreateService",
        "fc:UpdateService",
        "fc:DeleteService",
        "fc:ListServices",
        "fc:DeleteFunction",
        "fc:UpdateFunction",
        "fc:GetFunction",
        "fc:CreateFunction",
        "fc:GetStatefulAsyncInvocation",
        "fc:PutFunctionAsyncInvokeConfig",
        "fc:InvokeFunction"
      ],
      "Effect": "Allow",
      "Resource": "acs:fc:*:*:services/_appcenter*"
    },
    {
      "Action": "ram:PassRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "acs:Service": "fc.aliyuncs.com"
        }
      }
    },
    {
      "Action": [
        "devs:ListTasks",
        "devs:GetPipeline",
        "devs:PutPipelineStatus",
        "devs:GetPipelineTemplate",
        "devs:CreateTask",
        "devs:GetTask",
        "devs:PutTaskStatus",
        "devs:GetTaskTemplate",
        "devs:StartTask"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects",
        "oss:GetObject",
        "oss:InitiateMultipartUpload",
        "oss:UploadPart",
        "oss:CompleteMultipartUpload",
        "oss:AbortMultipartUpload",
        "oss:PutObject"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:CreateNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:DescribeNetworkInterfaceAttribute",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:DescribeNetworkInterfaces"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "vpc:DescribeVSwitchAttributes",
      "Resource": "*"
    }
  ]
}

Roles required for template deployment

When you initialize a project from certain templates, the following roles are used to access other cloud resources. The roles are described below:

Role | Description
AliyunServiceRolePolicyForRdsPgsqlOnEcs | Relational Database Service (RDS) uses this role to access your resources in other cloud services.
AliyunFnFExecutionRole | The workflow service uses this role to access the cloud resources used in a workflow.
AliyunOSSEventNotificationRole | OSS uses this role to send event notifications and trigger function invocations.
AliyunServiceRoleForFC | Grants functions permission to access cloud resources such as Virtual Private Cloud (VPC), Elastic Compute Service (ECS), Simple Log Service (SLS) and Container Registry.
AliyunFCDefaultRole | Grants functions access to additional cloud resources.