Grant a RAM user permissions to use Function AI

This topic describes how to grant a RAM user policies of different scopes for the Function AI product.

Prerequisites

Create a RAM user

Background

You can grant a RAM user permission to use Function AI in any of the following three ways.

  • System policy: broad in scope, and the user cannot modify the policy content, but configuration is simple.

  • Custom policy: lets you attach a cloud-service-level custom policy to any RAM user for finer-grained control; configuration takes more steps than a system policy.

  • Resource-level policy: lets you attach a resource-level policy scoped to individual projects (Project) to any RAM user. This is the finest-grained control; the authorized RAM user can only operate on projects with specific names.

For more information about policies, see Basic elements of a policy and Policy evaluation process.

System policies

  1. Log on to the RAM console with an Alibaba Cloud account (the root account) or as a RAM administrator.

  2. Grant the RAM user the policies listed below. For the procedure, see Grant permissions to a RAM user.

    Policy / Description

    AliyunRAMReadOnlyAccess
        Read-only access to Resource Access Management (RAM), that is, permission to view users, user groups, and authorization information. Function AI needs this policy to detect the roles in the current account and their permissions.

    AliyunFCFullAccess
        Permission to manage Function Compute (FC). The image generation feature needs this policy to manage the function resources it creates.

    AliyunOSSReadOnlyAccess
        Read-only access to Object Storage Service (OSS). Needed to list your files in OSS and deploy the relevant files to the Function AI platform.

    AliyunLogReadOnlyAccess
        Read-only access to Simple Log Service (Log). Needed to view the logs of services you deploy on Function AI.

    AliyunCloudMonitorReadOnlyAccess
        Read-only access to CloudMonitor. Needed to view the monitoring metrics of services you deploy on Function AI.

    AliyunDevsFullAccess
        Permission to manage the Function AI platform.

    AliyunFnFFullAccess
        Permission to manage CloudFlow. The workflow feature needs this policy to manage the workflow resources it creates.

    AliyunNASReadOnlyAccess
        Read-only access to File Storage NAS. The image generation feature needs this policy to read your NAS directories.

    AliyunVPCReadOnlyAccess
        Read-only access to Virtual Private Cloud (VPC). The image generation feature needs this policy to read your VPC information.

    AliyunECSReadOnlyAccess
        Read-only access to Elastic Compute Service (ECS). The image generation feature needs this policy to read your security group information.

    AliyunBSSReadOnlyAccess
        Read-only access to Billing (BSS). Deploying database-related services needs this policy to check your account balance.

    AliyunRDSReadOnlyAccess
        Read-only access to ApsaraDB RDS. Deploying database services needs this policy to read your database deployment information.

    AliyunKvstoreReadOnlyAccess
        Read-only access to Tair (Redis-compatible). Deploying Redis needs this policy to read your Redis deployment information.

    AliyunBailianControlFullAccess
        Permission to manage Bailian (SFM) knowledge bases. The workflow feature needs this policy to query Bailian knowledge base information and perform one-click authorization.

Custom policy

  1. Log on to the RAM console with an Alibaba Cloud account (the root account) or as a RAM administrator.

  2. Create a custom policy. On the script editor tab, replace the policy content with the following example policy.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "ram:Get*",
            "ram:List*",
            "ram:GenerateCredentialReport"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "devs:*",
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "ram:PassRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "acs:Service": "devs.aliyuncs.com"
            }
          }
        },
        {
          "Action": "ram:PassRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "acs:Service": "fnf.aliyuncs.com"
            }
          }
        },
        {
          "Action": "fnf:*",
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "bss:DescribeAcccount",
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*",
            "log:List*",
            "log:Query*"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "oss:Get*",
            "oss:List*"
          ],
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Action": [
            "cms:Get*",
            "cms:List*",
            "cms:Query*",
            "cms:Describe*"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "fc:Get*",
            "fc:List*",
            "fc:PutConcurrencyConfig",
            "fc:DeleteConcurrencyConfig",
            "fc:PutProvisionConfig"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "vpc:Describe*",
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "nas:Describe*",
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "ecs:DescribeSecurityGroup*",
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "rds:DescribeDBInstances",
            "kvstore:DescribeInstances"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "bailiancontrol:ListWorkspaces",
            "bailiancontrol:CreateUser",
            "bailiancontrol:ListRoles",
            "bailiancontrol:ListUsers",
            "bailiancontrol:AttachWorkspaceToUser",
            "bailiancontrol:AttachRoleToUser",
            "sfm:ListIndex"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
  3. Attach the custom policy created in the previous step to the RAM user. For the procedure, see Grant permissions to a RAM user.
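Before attaching a custom policy such as the one above, it is worth checking its structure and seeing which statements grant write access across the whole account. The Python script below is an added example, not part of this page and not an Alibaba Cloud tool. It embeds a shortened copy of the custom policy above (statements with only read actions omitted), validates the fields RAM expects in a policy document, and lists every unconditional Allow of a write-capable action on Resource "*". The verb list used to classify an action as write-capable is an assumption of this example.

```python
"""Structural and blast-radius check for a RAM custom policy document.

Added example, not part of the page and not an Alibaba Cloud tool. validate()
checks the fields RAM expects in a custom policy; broad_write_grants() lists
every unconditional Allow of a write-capable action on Resource "*", the set a
reviewer would consider narrowing to resource-level statements.
"""
import json
import re

# Write-capable actions: a service-wide wildcard, or a verb that creates, changes,
# deletes or passes something. Name-based heuristic (assumption of this example);
# extend the verb list per service as needed.
WRITE_ACTION = re.compile(
    r"^[a-z0-9-]+:(\*|(Create|Delete|Update|Put|Deploy|Attach|Pass)[\w*]*)$",
    re.IGNORECASE)
ACTION_SHAPE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9*]+$")

# Constructed from the custom policy on this page, shortened to the statements
# that matter for the two checks (read-only statements omitted).
PAGE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": ["ram:Get*", "ram:List*", "ram:GenerateCredentialReport"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": "devs:*", "Resource": "*", "Effect": "Allow"},
    {"Action": "ram:PassRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"acs:Service": "devs.aliyuncs.com"}}},
    {"Action": "fnf:*", "Resource": "*", "Effect": "Allow"},
    {"Action": ["fc:Get*", "fc:List*", "fc:PutConcurrencyConfig",
                "fc:DeleteConcurrencyConfig", "fc:PutProvisionConfig"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["bailiancontrol:ListWorkspaces", "bailiancontrol:CreateUser",
                "bailiancontrol:AttachWorkspaceToUser",
                "bailiancontrol:AttachRoleToUser", "sfm:ListIndex"],
     "Resource": "*", "Effect": "Allow"}
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def validate(policy):
    """Return the structural problems found; an empty list means the document is well-formed."""
    problems = []
    if policy.get("Version") != "1":
        problems.append('Version must be the string "1"')
    for i, stmt in enumerate(policy.get("Statement", [])):
        for key in ("Action", "Resource", "Effect"):
            if key not in stmt:
                problems.append(f"statement {i}: missing {key}")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        for action in _as_list(stmt.get("Action", [])):
            if not ACTION_SHAPE.match(action):
                problems.append(f"statement {i}: malformed action {action!r}")
    return problems


def broad_write_grants(policy):
    """Write-capable actions allowed on every resource with no Condition attached."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        found.extend(a for a in _as_list(stmt["Action"]) if WRITE_ACTION.match(a))
    return found


if __name__ == "__main__":
    print("problems:", validate(PAGE_POLICY) or "none")
    for action in broad_write_grants(PAGE_POLICY):
        print("unconditional write on *:", action)
```

Running it reports devs:* and fnf:* along with the fc:Put*/fc:Delete* and bailiancontrol:Create*/Attach* actions; the ram:PassRole statement is not listed because it carries a Condition. The devs:* entry is exactly the statement that the resource-level policies in the next section replace with project-scoped statements.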

Resource-level policy

Function AI provides resource-level authorization at the granularity of a project (Project). Use the following configuration to authorize a RAM user to access only projects with specific names.

Example 1: view all projects

View all projects, but only create, update, deploy, and delete projects with specific names.

This example grants a RAM user permission to view all Function AI projects, and to create, update, deploy, and delete only projects whose names start with my-project. To let the RAM user deploy applications, the policy also includes permission to upload code packages, parse variables, render templates, and refresh code repository bindings.

  1. Log on to the RAM console with an Alibaba Cloud account (the root account) or as a RAM administrator.

  2. Create a custom policy as described in Custom policy. In the policy content, replace the full read/write permission for Function AI with the following resource-level statements.

    Full read/write permission for Function AI

    {
        "Action": "devs:*",
        "Resource": "*",
        "Effect": "Allow"
    }

    Replace with the resource-level statements

    {
        "Action": [
            "devs:CreateProject",
            "devs:DeleteProject",
            "devs:UpdateProject"
        ],
        "Resource": "acs:devs:*:*:project/my-project*",
        "Effect": "Allow"
    },
    {
        "Action": [
            "devs:UpdateEnvironment",
            "devs:PreviewEnvironment",
            "devs:DeleteEnvironment",
            "devs:CreateEnvironment",
            "devs:DeployEnvironment",
            "devs:ParseVariable"
        ],
        "Resource": "acs:devs:*:*:project/my-project*/environment/*",
        "Effect": "Allow"
    },
    {
        "Action": [
            "devs:List*",
            "devs:Get*",
            "devs:CreateArtifact",
            "devs:PutArtifact",
            "devs:FetchArtifactTempBucketToken",
            "devs:RenderServicesByTemplate",
            "devs:RefreshConnection"
        ],
        "Resource": "*",
        "Effect": "Allow"
    }

    The complete policy after replacement

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ram:Get*",
                    "ram:List*",
                    "ram:GenerateCredentialReport"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "devs:CreateProject",
                    "devs:DeleteProject",
                    "devs:UpdateProject"
                ],
                "Resource": "acs:devs:*:*:project/my-project*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "devs:UpdateEnvironment",
                    "devs:PreviewEnvironment",
                    "devs:DeleteEnvironment",
                    "devs:CreateEnvironment",
                    "devs:DeployEnvironment",
                    "devs:ParseVariable"
                ],
                "Resource": "acs:devs:*:*:project/my-project*/environment/*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "devs:List*",
                    "devs:Get*",
                    "devs:CreateArtifact",
                    "devs:PutArtifact",
                    "devs:FetchArtifactTempBucketToken",
                    "devs:RenderServicesByTemplate",
                    "devs:RefreshConnection"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": "ram:PassRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "acs:Service": "devs.aliyuncs.com"
                    }
                }
            },
            {
                "Action": "ram:PassRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "acs:Service": "fnf.aliyuncs.com"
                    }
                }
            },
            {
                "Action": "fnf:*",
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": "bss:DescribeAcccount",
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "log:Get*",
                    "log:List*",
                    "log:Query*"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "oss:Get*",
                    "oss:List*"
                ],
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Action": [
                    "cms:Get*",
                    "cms:List*",
                    "cms:Query*",
                    "cms:Describe*"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "fc:Get*",
                    "fc:List*",
                    "fc:PutConcurrencyConfig",
                    "fc:DeleteConcurrencyConfig",
                    "fc:PutProvisionConfig"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": "vpc:Describe*",
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": "nas:Describe*",
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": "ecs:DescribeSecurityGroup*",
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "rds:DescribeDBInstances",
                    "kvstore:DescribeInstances"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "bailiancontrol:ListWorkspaces",
                    "bailiancontrol:CreateUser",
                    "bailiancontrol:ListRoles",
                    "bailiancontrol:ListUsers",
                    "bailiancontrol:AttachWorkspaceToUser",
                    "bailiancontrol:AttachRoleToUser",
                    "sfm:ListIndex"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
    
  3. Attach the modified custom policy to the RAM user. For the procedure, see Grant permissions to a RAM user.

Example 2: view, create, update, deploy, and delete only projects with specific names

This example grants a RAM user permission to view, create, update, deploy, and delete only projects whose names start with my-project. To let the RAM user deploy applications, the policy also includes permission to upload code packages, parse variables, render templates, and refresh code repository bindings.

  1. Log on to the RAM console with an Alibaba Cloud account (the root account) or as a RAM administrator.

  2. Create a custom policy as described in Custom policy. In the policy content, replace the full read/write permission for Function AI with the following resource-level statements.

    Full read/write permission for Function AI

    {
        "Action": "devs:*",
        "Resource": "*",
        "Effect": "Allow"
    }

    Replace with the resource-level statements

    {
        "Action": [
            "devs:CreateProject",
            "devs:GetProject",
            "devs:DeleteProject",
            "devs:UpdateProject"
        ],
        "Resource": "acs:devs:*:*:project/my-project*",
        "Effect": "Allow"
    },
    {
        "Action": [
            "devs:GetEnvironment",
            "devs:UpdateEnvironment",
            "devs:PreviewEnvironment",
            "devs:DeleteEnvironment",
            "devs:CreateEnvironment",
            "devs:DeployEnvironment",
            "devs:GetVariableRefList",
            "devs:ParseVariable",
            "devs:GetVariableLinkedServices"
        ],
        "Resource": "acs:devs:*:*:project/my-project*/environment/*",
        "Effect": "Allow"
    },
    {
        "Action": [
            "devs:List*",
            "devs:GetArtifact",
            "devs:CreateArtifact",
            "devs:PutArtifact",
            "devs:FetchArtifactTempBucketToken",
            "devs:GetEnvironmentDeployment",
            "devs:GetServiceDeployment",
            "devs:GetTask",
            "devs:RenderServicesByTemplate",
            "devs:RefreshConnection"
        ],
        "Resource": "*",
        "Effect": "Allow"
    }

    The complete policy after replacement

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ram:Get*",
                    "ram:List*",
                    "ram:GenerateCredentialReport"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "devs:CreateProject",
                    "devs:GetProject",
                    "devs:DeleteProject",
                    "devs:UpdateProject"
                ],
                "Resource": "acs:devs:*:*:project/my-project*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "devs:GetEnvironment",
                    "devs:UpdateEnvironment",
                    "devs:PreviewEnvironment",
                    "devs:DeleteEnvironment",
                    "devs:CreateEnvironment",
                    "devs:DeployEnvironment",
                    "devs:GetVariableRefList",
                    "devs:ParseVariable",
                    "devs:GetVariableLinkedServices"
                ],
                "Resource": "acs:devs:*:*:project/my-project*/environment/*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "devs:List*",
                    "devs:GetArtifact",
                    "devs:CreateArtifact",
                    "devs:PutArtifact",
                    "devs:FetchArtifactTempBucketToken",
                    "devs:GetEnvironmentDeployment",
                    "devs:GetServiceDeployment",
                    "devs:GetTask",
                    "devs:RenderServicesByTemplate",
                    "devs:RefreshConnection"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": "ram:PassRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "acs:Service": "devs.aliyuncs.com"
                    }
                }
            },
            {
                "Action": "ram:PassRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "acs:Service": "fnf.aliyuncs.com"
                    }
                }
            },
            {
                "Action": "fnf:*",
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": "bss:DescribeAcccount",
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "log:Get*",
                    "log:List*",
                    "log:Query*"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "oss:Get*",
                    "oss:List*"
                ],
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Action": [
                    "cms:Get*",
                    "cms:List*",
                    "cms:Query*",
                    "cms:Describe*"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "fc:Get*",
                    "fc:List*",
                    "fc:PutConcurrencyConfig",
                    "fc:DeleteConcurrencyConfig",
                    "fc:PutProvisionConfig"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": "vpc:Describe*",
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": "nas:Describe*",
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": "ecs:DescribeSecurityGroup*",
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "rds:DescribeDBInstances",
                    "kvstore:DescribeInstances"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "bailiancontrol:ListWorkspaces",
                    "bailiancontrol:CreateUser",
                    "bailiancontrol:ListRoles",
                    "bailiancontrol:ListUsers",
                    "bailiancontrol:AttachWorkspaceToUser",
                    "bailiancontrol:AttachRoleToUser",
                    "sfm:ListIndex"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
    
  3. Attach the modified custom policy to the RAM user. For the procedure, see Grant permissions to a RAM user.
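To see concretely what Example 1 and Example 2 change, the script below evaluates sample requests against the project-scoped devs: statements from both examples and against the unrestricted devs:* statement they replace. It is an added example and not Alibaba Cloud's authorization engine: it models default deny, Deny taking precedence over Allow, * wildcards in Action and Resource, and the StringEquals condition operator, and nothing else. The account ID, region, project names and role name are constructed placeholders, and the policies are trimmed to the statements whose decisions differ.

```python
"""Simplified evaluator for RAM-style policy documents.

Added example, not Alibaba Cloud's authorization engine. It models only the
parts of policy evaluation this page's examples depend on: default deny, Deny
winning over Allow, '*' wildcards in Action and Resource, and the StringEquals
condition operator. Other operators and policy types are out of scope, so treat
the results as a review aid, not as proof of what the platform will decide.
"""
import re

# Constructed resource names; the account ID, region and names are placeholders.
ACCOUNT = "1234567890123456"
MINE = f"acs:devs:cn-hangzhou:{ACCOUNT}:project/my-project-prod"
MINE_ENV = f"{MINE}/environment/staging"
OTHERS = f"acs:devs:cn-hangzhou:{ACCOUNT}:project/team-b-site"
ROLE = f"acs:ram::{ACCOUNT}:role/fc-deploy-role"

PASS_ROLE = {"Action": "ram:PassRole", "Resource": "*", "Effect": "Allow",
             "Condition": {"StringEquals": {"acs:Service": "devs.aliyuncs.com"}}}

# The unrestricted statement that both examples tell you to replace.
FULL_ACCESS = {"Version": "1", "Statement": [
    {"Action": "devs:*", "Resource": "*", "Effect": "Allow"}, PASS_ROLE]}

# Example 1: read every project, write only projects prefixed my-project.
EXAMPLE_ONE = {"Version": "1", "Statement": [
    {"Action": ["devs:CreateProject", "devs:DeleteProject", "devs:UpdateProject"],
     "Resource": "acs:devs:*:*:project/my-project*", "Effect": "Allow"},
    {"Action": ["devs:UpdateEnvironment", "devs:PreviewEnvironment", "devs:DeleteEnvironment",
                "devs:CreateEnvironment", "devs:DeployEnvironment", "devs:ParseVariable"],
     "Resource": "acs:devs:*:*:project/my-project*/environment/*", "Effect": "Allow"},
    {"Action": ["devs:List*", "devs:Get*", "devs:CreateArtifact", "devs:PutArtifact",
                "devs:FetchArtifactTempBucketToken", "devs:RenderServicesByTemplate",
                "devs:RefreshConnection"], "Resource": "*", "Effect": "Allow"},
    PASS_ROLE]}

# Example 2: read and write only projects prefixed my-project.
EXAMPLE_TWO = {"Version": "1", "Statement": [
    {"Action": ["devs:CreateProject", "devs:GetProject", "devs:DeleteProject", "devs:UpdateProject"],
     "Resource": "acs:devs:*:*:project/my-project*", "Effect": "Allow"},
    {"Action": ["devs:GetEnvironment", "devs:UpdateEnvironment", "devs:PreviewEnvironment",
                "devs:DeleteEnvironment", "devs:CreateEnvironment", "devs:DeployEnvironment",
                "devs:GetVariableRefList", "devs:ParseVariable", "devs:GetVariableLinkedServices"],
     "Resource": "acs:devs:*:*:project/my-project*/environment/*", "Effect": "Allow"},
    {"Action": ["devs:List*", "devs:GetArtifact", "devs:CreateArtifact", "devs:PutArtifact",
                "devs:FetchArtifactTempBucketToken", "devs:GetEnvironmentDeployment",
                "devs:GetServiceDeployment", "devs:GetTask", "devs:RenderServicesByTemplate",
                "devs:RefreshConnection"], "Resource": "*", "Effect": "Allow"},
    PASS_ROLE]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value, ignore_case=False):
    """Match a RAM pattern in which '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _condition_holds(condition, context):
    """Only StringEquals is modelled; other operators raise rather than silently pass."""
    if not condition:
        return True
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} is not modelled")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Default deny; a matching explicit Deny beats any Allow, as in RAM's evaluation order."""
    context = context or {}
    decision = False
    for stmt in policy["Statement"]:
        if not any(_glob(a, action, ignore_case=True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def compare(action, resource, context=None):
    """Decision of each of the three policies for one request, keyed by policy name."""
    return {name: is_allowed(p, action, resource, context)
            for name, p in (("full", FULL_ACCESS), ("one", EXAMPLE_ONE), ("two", EXAMPLE_TWO))}


if __name__ == "__main__":
    for req in [("devs:GetProject", OTHERS), ("devs:DeleteProject", OTHERS),
                ("devs:DeleteProject", MINE), ("devs:DeployEnvironment", MINE_ENV)]:
        print(req[0], req[1].rsplit(":", 1)[1], compare(*req))
    print("PassRole to devs", compare("ram:PassRole", ROLE, {"acs:Service": "devs.aliyuncs.com"}))
    print("PassRole to ecs ", compare("ram:PassRole", ROLE, {"acs:Service": "ecs.aliyuncs.com"}))
```

With Example 1, devs:GetProject on a project outside the my-project prefix is allowed (devs:Get* on Resource "*") while devs:DeleteProject on it is denied; with Example 2 both are denied; with devs:* on "*" both are allowed. ram:PassRole succeeds under all three policies only when the acs:Service context key equals the service named in the Condition, which is why the conditioned PassRole statements are kept unchanged in both examples.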

More information

If the RAM user only needs the image generation feature, you can instead grant only the permissions described in Authorize a RAM user to use image generation projects.