本文档列出了各命令所需的权限配置。其中一部分策略可以直接参考阿里云函数计算的权限文档,但有些权限在具体命令中划分得更细,因此特编写本文档。
目录
- deploy 指令
- remove 指令
- info、sync 指令
- build、local 指令
- invoke 指令
- logs 指令
- metrics 指令
- nas 指令
- layer 指令
- version 指令
- alias 指令
- provision 指令
- onDemand 指令
这一部分与 Yaml 配置关系密切,请参考 Yaml 权限相关配置。
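系统策略:AliyunFCFullAccess
该系统策略授予函数计算的全部权限;如果只需要执行 remove,可以改用下面范围更小的自定义策略。其中 "Resource": "*" 会让删除类权限对账号下所有函数计算资源生效,条件允许时建议收窄到具体服务的资源描述。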
{
"Statement": [
{
"Action": [
"fc:ListOnDemandConfigs",
"fc:DeleteFunctionOnDemandConfig",
"fc:ListProvisionConfigs",
"fc:PutProvisionConfig",
"fc:ListAliases",
"fc:DeleteAlias",
"fc:ListServiceVersions",
"fc:DeleteServiceVersion",
"fc:ListTriggers",
"fc:DeleteTrigger",
"fc:ListFunctions",
"fc:DeleteFunction",
"fc:DeleteService"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "1"
}
如果执行 s remove service --use-local
{
"Statement": [
{
"Action": [
"fc:DeleteTrigger",
"fc:DeleteFunction",
"fc:DeleteService"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "1"
}
{
"Statement": [
{
"Action": [
"fc:ListTriggers",
"fc:DeleteTrigger",
"fc:DeleteFunction"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "1"
}
{
"Statement": [
{
"Action": [
"fc:DeleteTrigger"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "1"
}
系统策略:AliyunFCReadOnlyAccess
{
"Version": "1",
"Statement": [
{
"Action": "fc:DeleteAlias",
"Effect": "Allow",
"Resource": "acs:fc:<region>:<account-id>:services/<serviceName>/aliases/<aliasName>"
}
]
}
系统策略:AliyunFCReadOnlyAccess
{
"Version": "1",
"Statement": [
{
"Action": "fc:DeleteServiceVersion",
"Effect": "Allow",
"Resource": "acs:fc:<region>:<account-id>:services/<serviceName>/versions/<version-id>"
}
]
}
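系统策略:AliyunFCReadOnlyAccess
注意:下面 Resource 中的 services/services/ 疑似多写了一段 services/(本文 fc:InvokeFunction 策略的同类资源写作 services/<serviceName>.<qualifier>/functions/<functionName>)。资源描述写错时策略无法匹配到目标函数,使用前请对照函数计算官方文档确认;本文其余 fc:PutProvisionConfig、fc:DeleteFunctionOnDemandConfig、fc:PutFunctionOnDemandConfig 策略中的相同写法同理。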
{
"Version": "1",
"Statement": [
{
"Action": "fc:PutProvisionConfig",
"Effect": "Allow",
"Resource": "acs:fc:<region>:<account-id>:services/services/<serviceName>.<qualifier>/functions/<functionName>"
}
]
}
系统策略:AliyunFCReadOnlyAccess
{
"Version": "1",
"Statement": [
{
"Action": "fc:DeleteFunctionOnDemandConfig",
"Effect": "Allow",
"Resource": "acs:fc:<region>:<account-id>:services/services/<serviceName>.<qualifier>/functions/<functionName>"
}
]
}
系统策略:AliyunFCReadOnlyAccess
{
"Version": "1",
"Statement": [
{
"Action": "fc:DeleteLayerVersion",
"Effect": "Allow",
"Resource": "acs:fc:<region>:<account-id>:layers/<layerName>/versions/*"
}
]
}
系统策略:AliyunFCReadOnlyAccess
这一部分是本地相关操作,所以无需线上权限
AliyunFCInvocationAccess 或者 AliyunFCFullAccess(只需要调用函数时,优先选择范围更小的 AliyunFCInvocationAccess)
{
"Version": "1",
"Statement": [
{
"Action": "fc:InvokeFunction",
"Effect": "Allow",
"Resource": "acs:fc:<region>:<account-id>:services/<serviceName>.<qualifier>/functions/<functionName>"
}
]
}
AliyunFCReadOnlyAccess、AliyunLogReadOnlyAccess
AliyunFCReadOnlyAccess
{
"Version": "1",
"Statement": [
{
"Action": "log:GetLogStoreLogs",
"Effect": "Allow",
"Resource": "acs:log:<region>:<account-id>:project/<project>/logstore/<logstore>"
}
]
}
AliyunLogFullAccess、AliyunCloudMonitorReadOnlyAccess、AliyunFCReadOnlyAccess
参考 nas 部署
AliyunFCReadOnlyAccess
{
"Version": "1",
"Statement": [
{
"Action": "fc:CreateLayerVersion",
"Effect": "Allow",
"Resource": "acs:fc:<region>:<account-id>:layers/<layerName>/versions/*"
}
]
}
AliyunFCReadOnlyAccess
{
"Version": "1",
"Statement": [
{
"Action": "fc:PublishServiceVersion",
"Effect": "Allow",
"Resource": "acs:fc:<region>:<account-id>:services/<serviceName>/versions"
}
]
}
AliyunFCReadOnlyAccess
{
"Version": "1",
"Statement": [
{
"Action": [
"fc:CreateAlias",
"fc:UpdateAlias"
],
"Effect": "Allow",
"Resource": "acs:fc:<region>:<account-id>:services/<serviceName>/aliases/*"
}
]
}
AliyunFCReadOnlyAccess
{
"Version": "1",
"Statement": [
{
"Action": "fc:PutProvisionConfig",
"Effect": "Allow",
"Resource": "acs:fc:<region>:<account-id>:services/services/<serviceName>.<qualifier>/functions/<functionName>"
}
]
}
AliyunFCReadOnlyAccess
{
"Version": "1",
"Statement": [
{
"Action": "fc:PutFunctionOnDemandConfig",
"Effect": "Allow",
"Resource": "acs:fc:<region>:<account-id>:services/services/<serviceName>.<qualifier>/functions/<functionName>"
}
]
}