tencent cloud

Serverless Cloud Function

Release Notes and Announcements
Release Notes
Announcements
User Guide
Product Introduction
Overview
Related Concepts
How It Works
Strengths
Scenarios
Related Products
Purchase Guide
Billing Overview
Billing Mode
Billable Items and Billing Modes
Function Computing Power Support
Free Tier
SCF Pricing
Billing Example
Payment Overdue
Getting Started
Creating Event Function in Console
User Guide
Quota Management
Managing Functions
Web Function Management
Log Management
Concurrence Management
Trigger Management
Function URL
A Custom Domain Name
Version Management
Alias Management
Permission Management
Running Instance Management
Plugin Management
Managing Monitors and Alarms
Network Configuration
Layer Management
Execution Configuration
Extended Storage Management
DNS Caching Configuration
Resource Managed Mode Management
Near-Offline Resource Hosting Model
Workflow
Triggers
Trigger Overview
Trigger Event Message Structure Summary
API Gateway Trigger
COS Trigger
CLS Trigger
Timer Trigger
CKafka Trigger
Apache Kafka Trigger
MQTT Trigger
Trigger Configuration Description
MPS Trigger
CLB Trigger Description
TencentCloud API Trigger
Development Guide
Basic Concepts
Testing a Function
Environment Variables
Dependency Installation
Using Container Image
Error Types and Retry Policies
Dead Letter Queue
Connecting SCF to Database
Automated Deployment
Cloud Function Status Code
Common Errors and Solutions
Developer Tools
Serverless Web IDE
Calling SDK Across Functions
Third-Party Tools
Code Development
Python
Node.js
Golang
PHP
Java
Custom Runtime
Deploying Image as Function
Web Framework Development
Deploying Framework on Command Line
Quickly Deploying Egg Framework
Quickly Deploying Express Framework
Quickly Deploying Flask Framework
Quickly Deploying Koa Framework
Quickly Deploying Laravel Framework
Quickly Deploying Nest.js Framework
Quickly Deploying Next.js Framework
Quickly Deploying Nuxt.js Framework
Quickly Deploying Django Framework
Use Cases
Overview
Solutions with Tencent Cloud Services
Business Development
TRTC Practices
COS Practices
CKafka Practice
CLS
CLB Practice
MPS
CDN
CDWPG
VOD
SMS
ES
Scheduled Task
Video Processing
Success Stories
Tencent Online Education
Online Video Industry
Tencent Online Education
Best Practice of Tencent IEG Going Global
API Documentation
History
Introduction
API Category
Making API Requests
Other APIs
Namespace APIs
Layer Management APIs
Async Event Management APIs
Trigger APIs
Function APIs
Function and Layer Status Description
Data Types
Error Codes
SDK Documentation
FAQs
General
Web Function
Billing FAQs
Network FAQs
Log FAQs
SCF utility class
Event Handling FAQs
API Gateway Trigger FAQs
Related Agreement
Service Level Agreement
Contact Us
Glossary
문서Serverless Cloud FunctionUser GuidePermission ManagementSCF Policy Syntax

SCF Policy Syntax

PDF
포커스 모드
폰트 크기
마지막 업데이트 시간: 2024-12-02 20:11:42

Policy Syntax

You can create custom policies by using JSON syntax. SCF policies follow the CAM syntax structure and resource description method. You can check Creating Custom Policy for the direction. All resources are described in the six-segment style, as shown in the sample below:
qcs::scf:region:uin/uin—id:namespace/namespace-name/function/function-name
Note:
To configure the policy syntax, you also need to use the monitor APIs to get the monitoring information under the account (See sample policy).

Sample Policies

{	 
        "version":"2.0", 
        "statement": 
        [ 
           { 
              "effect":"allow", 
              "action":
              [
                "scf:ListFunctions",
                "scf:GetAccountSettings",
                "monitor:*"
              ], 
              "resource":["*"]  
           }, 
          { 
             "effect": "allow",
             "action": 
             [
                "scf:DeleteFunction",
                "scf:CreateFunction",
                "scf:InvokeFunction",
                "scf:UpdateFunction",
                "scf:GetFunctionLogs",
                "scf:SetTrigger",
                "scf:DeleteTrigger",
                "scf:GetFunction",
                "scf:ListVersion"
            ],
            "resource": 
            [
                "qcs::scf:ap-guangzhou:uin/******:namespace/default/function/Test1",
                "qcs::scf:ap-guangzhou:uin/******:namespace/default/function/Test2"
            ]
         }
      ] 
}
If the action needs to be associated with a resource, the resource can be defined as *, indicating that all resources are to be associated.
If the action does not need to be associated with a resource, the resource needs to be defined as *.
This sample allows the sub-account to have the operation permissions of certain functions under the root account. The resource in resource is described as a function under the root account.

Specifying Conditions

The access policy language allows you to specify conditions when granting permissions, such as limiting the user access source or authorization time. The list below contains supported condition operators as well as general condition keys and examples.
Condition Operator
Description
Condition Name
Example
ip_equal
IP is equal to
qcs:ip
{"ip_equal":{"qcs:ip ":"10.121.2.0/24"}}
ip_not_equal
IP is not equal to
qcs:ip
{"ip_not_equal":{"qcs:ip ":["10.121.1.0/24", "10.121.2.0/24"]}}
date_not_equal
Time is not equal to
qcs:current_time
{"date_not_equal":{"qcs:current_time":"2016-06-01T00:01:00Z"}}
date_greater_than
Time is later than
qcs:current_time
{"date_greater_than":{"qcs:current_time":"2016-06-01T00:01:00Z"}}
date_greater_than_equal
Time is later than or equal to
qcs:current_time
{"date_greater_than_equal":{"qcs:current_time":"2016-06-01T00:01:00Z"}}
date_less_than
Time is earlier than
qcs:current_time
{"date_less_than":{"qcs:current_time":"2016-06-01T 00:01:00Z"}}
date_less_than_equal
Time is earlier than or equal to
qcs:current_time
{"date_less_than":{"qcs:current_time":"2016-06-01T 00:01:00Z"}}
date_less_than_equal
Time is earlier than or equal to
qcs:current_time
{"date_less_than_equal":{"qcs:current_time":"2016-06-01T00:01:00Z"}}
To allow access only by IPs in the 10.121.2.0/24 IP range, use the following syntax:
"ip_equal":{"qcs:ip ":"10.121.2.0/24"}
To allow access only by IPs 101.226.\\*\\*\\*.185 and 101.226.\\*\\*\\*.186, use the following syntax:
"ip_equal":{
  "qcs:ip":[
    "101.226.***.185",
    "101.226.***.186"
  ]
}

User Policy Update

SCF improved the preset permission policies in April 2020. The preset policies QcloudSCFFullAccess and QcloudSCFReadOnlyAccess were modified, and the QcloudAccessForScfRole policy was added for the configuration role SCF_QcsRole, as shown below:

Preset policy QcloudSCFFullAccess

Current permissions:
{
    "version": "2.0",
    "statement": [
        {
            "action":[
                "scf:*",
                "tag:*",
                "cam:DescribeRoleList",
                "cam:GetRole",
                "cam:ListAttachedRolePolicies",
                "apigw:DescribeServicesStatus",
                "apigw:DescribeService",
                "apigw:DescribeApisStatus",
                "cmqtopic:ListTopicDetail",
                "cmqqueue:ListQueueDetail",
                "cmqtopic:GetSubscriptionAttributes",
                "cmqtopic:GetTopicAttributes",
                "cos:GetService",
                "cos:HeadBucket",
                "cos:HeadObject",
                "vpc:DescribeVpcEx",
                "vpc:DescribeSubnetEx",
                "cls:getTopic",
                "cls:getLogset",
                "cls:listLogset",
                "cls:listTopic",
                "ckafka:List*",
                "ckafka:Describe*",
                "ckafka:ListInstance",
                "monitor:GetMonitorData",
                "monitor:DescribeBasicAlarmList",
                "monitor:DescribeBaseMetrics",
                "monitor:DescribeSortObjectList",
                "monitor:DescribePolicyConditionList",
                "cdb:DescribeDBInstances"
            ],
            "resource": "*",
            "effect": "allow"
        }
    ]
}

Preset policy QcloudSCFReadOnlyAccess

Current permissions:
{
    "version": "2.0",
    "statement": [
        {
            "action":[
                "scf:Get*",
                "scf:List*",
                "ckafka:List*",
                "ckafka:Describe*",
                "monitor:GetMonitorData",
                "monitor:DescribeBasicAlarmList",
                "monitor:DescribeBaseMetrics",
                "monitor:DescribeSortObjectList",
                "cam:GetRole",
                "cam:ListAttachedRolePolicies",
                "vpc:DescribeVpcEx",
                "vpc:DescribeSubnetEx",
                "cls:getLogset",
                "cls:getTopic",
                "cls:listTopic",
                "apigw:DescribeService",
                "cmqtopic:GetTopicAttributes",
                "cmqtopic:GetSubscriptionAttributes",
                "cos:HeadBucket",
                "cos:GetService",
                "cos:GetObject"
            ],
            "resource": "*",
            "effect": "allow"
        }
    ]
}

Preset policy QcloudAccessForScfRole

Current permissions:
{
    "version": "2.0",
    "statement": [
        {
            "action":[
                "cos:GetBucket*",
                "cos:HeadBucket",
                "cos:PutBucket*",
                "apigw:*",
                "cls:*",
                "cos:List*",
                "cos:Get*",
                "cos:Head*",
                "cos:OptionsObject",
                "cmqqueue:*",
                "cmqtopic:*",
                "ckafka:List*",
                "ckafka:Describe*",
                "ckafka:AddRoute",
                "ckafka:CreateRoute"
            ],
            "resource": "*",
            "effect": "allow"
        }
    ]
}
The preset policy QcloudAccessForScfRole can:
Write trigger configuration information to the bucket configuration when a COS trigger is configured.
Read the trigger configuration information from the COS bucket.
Read the code zip package from the bucket when the code is updated through COS.
Create API Gateway services and APIs and publish services if an API Gateway trigger is configured.
Create consumers if a CKafka trigger is configured.
이전 주제: Role and Authorization다음 주제: Sub-users and Authorization

도움말 및 지원

문제 해결에 도움이 되었나요?

피드백