For more information on how to create custom policies, please see Creating Custom Policies. SCF's policy syntax follows CAM's syntax structure and resource description method, which is based on the JSON format. Every resource can be described in the six-segment style shown below:

```
qcs::scf:region:uin/uin-id:namespace/namespace-name/function/function-name
```
Note: When configuring the policy syntax, you also need to use the monitor APIs to get the monitoring information under the account. For more information about using the monitor APIs, please see the sample policy below.
```json
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "scf:ListFunctions",
                "scf:GetAccountSettings",
                "monitor:*"
            ],
            "resource": ["*"]
        },
        {
            "effect": "allow",
            "action": [
                "scf:DeleteFunction",
                "scf:CreateFunction",
                "scf:InvokeFunction",
                "scf:UpdateFunction",
                "scf:GetFunctionLogs",
                "scf:SetTrigger",
                "scf:DeleteTrigger",
                "scf:GetFunction",
                "scf:ListVersion"
            ],
            "resource": [
                "qcs::scf:gz:uin/******:namespace/default/function/Test1",
                "qcs::scf:gz:uin/******:namespace/default/function/Test2"
            ]
        }
    ]
}
```
In the sample policy above:

- An `action` that operates on a specific resource (such as `scf:InvokeFunction` in the second statement) can have its `resource` set to `*`, which associates the action with all resources.
- An `action` that is not tied to any particular resource (such as `scf:ListFunctions` or `monitor:*` in the first statement) must have its `resource` set to `*`.
- A `resource` is described as a function under the root account, using the six-segment style.

The access policy language allows you to specify conditions when granting permissions, such as limiting the user's access source or the authorization time. The table below lists the supported condition operators together with the general condition keys and examples.
Condition Operator | Description | Condition Name | Example |
---|---|---|---|
ip_equal | The IP is equal to | qcs:ip | {"ip_equal":{"qcs:ip":"10.121.2.0/24"}} |
ip_not_equal | The IP is not equal to | qcs:ip | {"ip_not_equal":{"qcs:ip":["10.121.1.0/24", "10.121.2.0/24"]}} |
date_not_equal | The date is not equal to | qcs:current_time | {"date_not_equal":{"qcs:current_time":"2016-06-01T00:01:00Z"}} |
date_greater_than | The date is later than | qcs:current_time | {"date_greater_than":{"qcs:current_time":"2016-06-01T00:01:00Z"}} |
date_greater_than_equal | The date is later than or equal to | qcs:current_time | {"date_greater_than_equal":{"qcs:current_time":"2016-06-01T00:01:00Z"}} |
date_less_than | The date is earlier than | qcs:current_time | {"date_less_than":{"qcs:current_time":"2016-06-01T00:01:00Z"}} |
date_less_than_equal | The date is earlier than or equal to | qcs:current_time | {"date_less_than_equal":{"qcs:current_time":"2016-06-01T00:01:00Z"}} |
For the 10.121.2.0/24 IP range, use the following syntax:

```json
"ip_equal": {"qcs:ip": "10.121.2.0/24"}
```

For the IPs 101.226.***.185 and 101.226.***.186, use the following syntax:

```json
"ip_equal": {
    "qcs:ip": [
        "101.226.***.185",
        "101.226.***.186"
    ]
}
```
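To make the policy syntax and the condition table above concrete, here is a small policy evaluator, added as an example; it is not Tencent Cloud's own CAM engine, and the real service may evaluate policies differently. It splits a six-segment `qcs::` resource into its parts, matches `action` and `resource` fields with the `*` wildcard, applies the `ip_equal`, `ip_not_equal` and `date_*` operators from the table, and decides a request. Assumptions: conditions sit under a `condition` key in the statement (CAM's key name), an explicit `deny` effect overrides `allow`, a request missing a condition key is refused (fail closed), and the `uin` in the sample policy is a constructed placeholder.

```python
import fnmatch
import ipaddress
from datetime import datetime, timezone


def _as_list(value):
    """'action', 'resource' and condition values may be a string or a list."""
    return value if isinstance(value, list) else [value]


def _match_any(patterns, value):
    """'*' wildcard matching for action and resource fields (case-sensitive)."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def parse_resource(qcs):
    """Split a six-segment resource description into its named segments."""
    parts = qcs.split(":", 5)
    if len(parts) != 6 or parts[0] != "qcs":
        raise ValueError("not a six-segment qcs resource: %r" % qcs)
    _, _, service, region, uin, path = parts  # second segment is empty for SCF
    return {"service": service, "region": region, "uin": uin, "path": path}


def _ip_in(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# condition operator -> predicate(value from the request, value(s) from the policy)
_OPERATORS = {
    "ip_equal": _ip_in,
    "ip_not_equal": lambda ip, cidrs: not _ip_in(ip, cidrs),
    "date_not_equal": lambda t, v: _ts(t) != _ts(v),
    "date_greater_than": lambda t, v: _ts(t) > _ts(v),
    "date_greater_than_equal": lambda t, v: _ts(t) >= _ts(v),
    "date_less_than": lambda t, v: _ts(t) < _ts(v),
    "date_less_than_equal": lambda t, v: _ts(t) <= _ts(v),
}


def conditions_hold(condition, ctx):
    """Every operator block must hold; an unknown operator or a context key
    absent from the request fails closed (assumption of this example)."""
    for op, keys in (condition or {}).items():
        pred = _OPERATORS.get(op)
        for key, expected in keys.items():
            if pred is None or key not in ctx or not pred(ctx[key], expected):
                return False
    return True


def is_allowed(policy, action, resource, ctx):
    """Explicit deny wins; with no matching allow the request is denied."""
    allowed = False
    for st in policy["statement"]:
        if not _match_any(st["action"], action):
            continue
        if not _match_any(st["resource"], resource):
            continue
        if not conditions_hold(st.get("condition"), ctx):
            continue
        if st["effect"] == "deny":
            return False
        allowed = True
    return allowed


# Constructed sample policy modelled on the one above; the uin is a placeholder.
SAMPLE_POLICY = {
    "version": "2.0",
    "statement": [
        {"effect": "allow",
         "action": ["scf:ListFunctions", "scf:GetAccountSettings", "monitor:*"],
         "resource": ["*"]},
        {"effect": "allow",
         "action": ["scf:InvokeFunction", "scf:GetFunction"],
         "resource": ["qcs::scf:gz:uin/100000000001:namespace/default/function/Test1"],
         "condition": {"ip_equal": {"qcs:ip": "10.121.2.0/24"}}},
        {"effect": "deny",
         "action": "scf:DeleteFunction",
         "resource": "qcs::scf:gz:uin/100000000001:namespace/default/function/*"},
    ],
}

if __name__ == "__main__":
    fn = "qcs::scf:gz:uin/100000000001:namespace/default/function/Test1"
    print(parse_resource(fn))
    print(is_allowed(SAMPLE_POLICY, "scf:InvokeFunction", fn, {"qcs:ip": "10.121.2.7"}))
    print(is_allowed(SAMPLE_POLICY, "scf:InvokeFunction", fn, {"qcs:ip": "10.121.3.7"}))
```

The request context (`ctx`) carries the same condition keys the table uses, `qcs:ip` and `qcs:current_time`, so the same operator names and value formats as in the policy examples apply on both sides. Note how the invoke on Test1 succeeds only from inside 10.121.2.0/24 and fails when the source address is outside that range or unknown.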
SCF improved the preset permission policies in April 2020. The preset policies QcloudSCFFullAccess and QcloudSCFReadOnlyAccess were modified, and the QcloudAccessForScfRole policy was added for the configuration role SCF_QcsRole, as shown below.
QcloudSCFFullAccess has the following permissions:

```json
{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "scf:*",
                "tag:*",
                "cam:DescribeRoleList",
                "cam:GetRole",
                "cam:ListAttachedRolePolicies",
                "apigw:DescribeServicesStatus",
                "apigw:DescribeService",
                "apigw:DescribeApisStatus",
                "cmqtopic:ListTopicDetail",
                "cmqqueue:ListQueueDetail",
                "cmqtopic:GetSubscriptionAttributes",
                "cmqtopic:GetTopicAttributes",
                "cos:GetService",
                "cos:HeadBucket",
                "cos:HeadObject",
                "vpc:DescribeVpcEx",
                "vpc:DescribeSubnetEx",
                "cls:getTopic",
                "cls:getLogset",
                "cls:listLogset",
                "cls:listTopic",
                "ckafka:List*",
                "ckafka:Describe*",
                "ckafka:ListInstance",
                "monitor:GetMonitorData",
                "monitor:DescribeBasicAlarmList",
                "monitor:DescribeBaseMetrics",
                "monitor:DescribeSortObjectList",
                "monitor:DescribePolicyConditionList",
                "cdb:DescribeDBInstances"
            ],
            "resource": "*",
            "effect": "allow"
        }
    ]
}
```
QcloudSCFReadOnlyAccess has the following permissions:

```json
{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "scf:Get*",
                "scf:List*",
                "ckafka:List*",
                "ckafka:Describe*",
                "monitor:GetMonitorData",
                "monitor:DescribeBasicAlarmList",
                "monitor:DescribeBaseMetrics",
                "monitor:DescribeSortObjectList",
                "cam:GetRole",
                "cam:ListAttachedRolePolicies",
                "vpc:DescribeVpcEx",
                "vpc:DescribeSubnetEx",
                "cls:getLogset",
                "cls:getTopic",
                "cls:listTopic",
                "apigw:DescribeService",
                "cmqtopic:GetTopicAttributes",
                "cmqtopic:GetSubscriptionAttributes",
                "cos:HeadBucket",
                "cos:GetService",
                "cos:GetObject"
            ],
            "resource": "*",
            "effect": "allow"
        }
    ]
}
```
QcloudAccessForScfRole has the following permissions:

```json
{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "cos:GetBucket*",
                "cos:HeadBucket",
                "cos:PutBucket*",
                "apigw:*",
                "cls:*",
                "cos:List*",
                "cos:Get*",
                "cos:Head*",
                "cos:OptionsObject",
                "cmqqueue:*",
                "cmqtopic:*",
                "ckafka:List*",
                "ckafka:Describe*",
                "ckafka:AddRoute",
                "ckafka:CreateRoute"
            ],
            "resource": "*",
            "effect": "allow"
        }
    ]
}
```
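When reviewing which of these preset policies to attach, it helps to see at a glance which grants can change state and which services are granted wholesale. The following audit helper is an added example, not a Tencent Cloud tool; the action lists are copied from the QcloudAccessForScfRole and QcloudSCFReadOnlyAccess policies above. It assumes the verb naming convention (Get/List/Describe/Head, plus the CORS preflight OptionsObject) marks a read-only operation; that is a heuristic for review, not a guarantee from the APIs.

```python
# Verb prefixes treated as read-only (assumption: naming heuristic, see lead-in).
READ_VERB_PREFIXES = ("Get", "List", "Describe", "Head", "Options")


def is_read_only(action):
    """True if the action's verb names a query operation."""
    _service, _, verb = action.partition(":")
    verb = verb[:1].upper() + verb[1:]  # cls uses lowercase verbs, e.g. getTopic
    return verb.startswith(READ_VERB_PREFIXES)


def write_capable(actions):
    """Actions that can create, change or delete state; a bare '*' verb counts."""
    return [a for a in actions if not is_read_only(a)]


def service_wide_grants(actions):
    """Services for which every operation is granted ('service:*')."""
    return sorted(a.split(":")[0] for a in actions if a.endswith(":*"))


def audit(policy):
    """Summarise each allow statement of a policy written in the format above."""
    report = []
    for st in policy["statement"]:
        if st["effect"] != "allow":
            continue
        actions = st["action"] if isinstance(st["action"], list) else [st["action"]]
        report.append({
            "resource": st["resource"],
            "write_capable": write_capable(actions),
            "service_wide": service_wide_grants(actions),
        })
    return report


# Copied from the QcloudAccessForScfRole policy shown above.
QCLOUD_ACCESS_FOR_SCF_ROLE = {
    "version": "2.0",
    "statement": [{
        "action": [
            "cos:GetBucket*", "cos:HeadBucket", "cos:PutBucket*", "apigw:*", "cls:*",
            "cos:List*", "cos:Get*", "cos:Head*", "cos:OptionsObject", "cmqqueue:*",
            "cmqtopic:*", "ckafka:List*", "ckafka:Describe*", "ckafka:AddRoute",
            "ckafka:CreateRoute",
        ],
        "resource": "*",
        "effect": "allow",
    }],
}

# Copied from the QcloudSCFReadOnlyAccess policy shown above.
QCLOUD_SCF_READONLY_ACTIONS = [
    "scf:Get*", "scf:List*", "ckafka:List*", "ckafka:Describe*",
    "monitor:GetMonitorData", "monitor:DescribeBasicAlarmList",
    "monitor:DescribeBaseMetrics", "monitor:DescribeSortObjectList",
    "cam:GetRole", "cam:ListAttachedRolePolicies", "vpc:DescribeVpcEx",
    "vpc:DescribeSubnetEx", "cls:getLogset", "cls:getTopic", "cls:listTopic",
    "apigw:DescribeService", "cmqtopic:GetTopicAttributes",
    "cmqtopic:GetSubscriptionAttributes", "cos:HeadBucket", "cos:GetService",
    "cos:GetObject",
]

if __name__ == "__main__":
    for entry in audit(QCLOUD_ACCESS_FOR_SCF_ROLE):
        print(entry)
    print(write_capable(QCLOUD_SCF_READONLY_ACTIONS))
```

Running the audit on the role policy reports the state-changing grants (`cos:PutBucket*`, `apigw:*`, `cls:*`, `cmqqueue:*`, `cmqtopic:*`, `ckafka:AddRoute`, `ckafka:CreateRoute`) and the four services granted in full, all on `resource: "*"`; the read-only policy yields no write-capable action, which is what its name promises.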
The preset policy QcloudAccessForScfRole can: