Policy Syntax
For more information on how to create custom policies, please see Creating Custom Policies. SCF's policy syntax follows CAM's syntax structure and resource description method, which is based on the JSON format, and all resources can be described in the six-segment style, as shown in the sample below:

qcs::scf:region:uin/uin-id:namespace/namespace-name/function/function-name
Note
When configuring the policy syntax, you also need to use the monitor APIs to get the monitoring information under the account. For more information about using the monitor APIs, please see the sample policy.
Policy Examples
```json
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": ["scf:ListFunctions", "scf:GetAccountSettings", "monitor:*"],
      "resource": ["*"]
    },
    {
      "effect": "allow",
      "action": [
        "scf:DeleteFunction", "scf:CreateFunction", "scf:InvokeFunction",
        "scf:UpdateFunction", "scf:GetFunctionLogs", "scf:SetTrigger",
        "scf:DeleteTrigger", "scf:GetFunction", "scf:ListVersion"
      ],
      "resource": [
        "qcs::scf:ap-guangzhou:uin/**:namespace/default/function/Test1",
        "qcs::scf:ap-guangzhou:uin/**:namespace/default/function/Test2"
      ]
    }
  ]
}
```
When the action requires associated resources, the resource is defined as "*", indicating that all resources are associated. When the action does not require associated resources, the resource must be defined as "*". This sample allows the sub-account to perform the listed operations on certain functions under the root account: each entry in resource is described as a specific function under the root account.

Specified Conditions
The access policy language allows you to specify conditions when granting permissions, such as limiting the user access source or authorization time. The list below contains supported condition operators as well as general condition keys and examples.
Condition Operator | Description | Condition Name | Sample |
--- | --- | --- | --- |
ip_equal | IP equal to | qcs:ip | {"ip_equal":{"qcs:ip":"10.121.2.0/24"}} |
ip_not_equal | IP not equal to | qcs:ip | {"ip_not_equal":{"qcs:ip":["10.121.1.0/24", "10.121.2.0/24"]}} |
date_not_equal | Date is not equal to | qcs:current_time | {"date_not_equal":{"qcs:current_time":"2016-06-01T00:01:00Z"}} |
date_greater_than | Date is greater than | qcs:current_time | {"date_greater_than":{"qcs:current_time":"2016-06-01T00:01:00Z"}} |
date_greater_than_equal | Date is greater than or equal to | qcs:current_time | {"date_greater_than_equal":{"qcs:current_time":"2016-06-01T00:01:00Z"}} |
date_less_than | Date is less than | qcs:current_time | {"date_less_than":{"qcs:current_time":"2016-06-01T00:01:00Z"}} |
date_less_than_equal | Date is less than or equal to | qcs:current_time | {"date_less_than_equal":{"qcs:current_time":"2016-06-01T00:01:00Z"}} |
To allow access only from IPs in the 10.121.2.0/24 range, use the following syntax:

"ip_equal":{"qcs:ip":"10.121.2.0/24"}

To restrict access to the IPs 101.226.***.185 and 101.226.***.186, use the following syntax:

"ip_equal": {"qcs:ip": ["101.226.***.185","101.226.***.186"]}
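The following is an added example, not part of the original page or of SCF itself: a small evaluator that applies a policy written in the syntax above (wildcard actions such as monitor:*, six-segment resources with a uin/** wildcard, and the ip_equal / date_* condition operators from the table) to a request, denying by default. The policy, UIN and request values are constructed for illustration; the real CAM engine is not this code and may match wildcards differently.

```python
import fnmatch
import ipaddress
from datetime import datetime

# Constructed sample policy in the CAM syntax shown above (not one of the preset policies).
POLICY = {"version": "2.0", "statement": [
    {"effect": "allow", "action": ["scf:ListFunctions", "monitor:*"], "resource": ["*"]},
    {"effect": "allow", "action": ["scf:InvokeFunction", "scf:GetFunction"],
     "resource": ["qcs::scf:ap-guangzhou:uin/**:namespace/default/function/Test1"],
     "condition": {"ip_equal": {"qcs:ip": "10.121.2.0/24"},
                   "date_less_than": {"qcs:current_time": "2026-01-01T00:00:00Z"}}}]}

def _match(patterns, value):
    """Wildcard match for action and resource strings (scf:Get*, uin/**, *)."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p.replace("**", "*")) for p in patterns)

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def _condition_holds(cond, ctx):
    """Every operator/key pair in the condition block must hold (logical AND)."""
    ip, now = ipaddress.ip_address(ctx["qcs:ip"]), _ts(ctx["qcs:current_time"])
    for op, pairs in cond.items():
        for expected in pairs.values():
            values = [expected] if isinstance(expected, str) else expected
            if op in ("ip_equal", "ip_not_equal"):
                hit = any(ip in ipaddress.ip_network(v, strict=False) for v in values)
                if hit != (op == "ip_equal"):
                    return False
            else:
                t = _ts(values[0])
                ok = {"date_not_equal": now != t, "date_greater_than": now > t,
                      "date_greater_than_equal": now >= t, "date_less_than": now < t,
                      "date_less_than_equal": now <= t}.get(op, False)
                if not ok:
                    return False  # unknown operator fails closed
    return True

def is_allowed(policy, action, resource, ctx):
    """Deny by default; an explicit deny statement overrides any allow."""
    allowed = False
    for st in policy["statement"]:
        if (_match(st["action"], action) and _match(st["resource"], resource)
                and _condition_holds(st.get("condition", {}), ctx)):
            if st["effect"] == "deny":
                return False
            allowed = True
    return allowed
```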
User Policy Update
SCF improved the preset permission policies in April 2020. The preset policies QcloudSCFFullAccess and QcloudSCFReadOnlyAccess were modified, and the QcloudAccessForScfRole policy was added for the configuration role SCF_QcsRole, as shown below:

Preset policy QcloudSCFFullAccess
Current permissions:
```json
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "scf:*", "tag:*",
        "cam:DescribeRoleList", "cam:GetRole", "cam:ListAttachedRolePolicies",
        "apigw:DescribeServicesStatus", "apigw:DescribeService", "apigw:DescribeApisStatus",
        "cmqtopic:ListTopicDetail", "cmqqueue:ListQueueDetail",
        "cmqtopic:GetSubscriptionAttributes", "cmqtopic:GetTopicAttributes",
        "cos:GetService", "cos:HeadBucket", "cos:HeadObject",
        "vpc:DescribeVpcEx", "vpc:DescribeSubnetEx",
        "cls:getTopic", "cls:getLogset", "cls:listLogset", "cls:listTopic",
        "ckafka:List*", "ckafka:Describe*", "ckafka:ListInstance",
        "monitor:GetMonitorData", "monitor:DescribeBasicAlarmList", "monitor:DescribeBaseMetrics",
        "monitor:DescribeSortObjectList", "monitor:DescribePolicyConditionList",
        "cdb:DescribeDBInstances"
      ],
      "resource": "*",
      "effect": "allow"
    }
  ]
}
```
Preset policy QcloudSCFReadOnlyAccess
Current permissions:
```json
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "scf:Get*", "scf:List*",
        "ckafka:List*", "ckafka:Describe*",
        "monitor:GetMonitorData", "monitor:DescribeBasicAlarmList",
        "monitor:DescribeBaseMetrics", "monitor:DescribeSortObjectList",
        "cam:GetRole", "cam:ListAttachedRolePolicies",
        "vpc:DescribeVpcEx", "vpc:DescribeSubnetEx",
        "cls:getLogset", "cls:getTopic", "cls:listTopic",
        "apigw:DescribeService",
        "cmqtopic:GetTopicAttributes", "cmqtopic:GetSubscriptionAttributes",
        "cos:HeadBucket", "cos:GetService", "cos:GetObject"
      ],
      "resource": "*",
      "effect": "allow"
    }
  ]
}
```
Preset policy QcloudAccessForScfRole
Current permissions:
```json
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "cos:GetBucket*", "cos:HeadBucket", "cos:PutBucket*",
        "apigw:*", "cls:*",
        "cos:List*", "cos:Get*", "cos:Head*", "cos:OptionsObject",
        "cmqqueue:*", "cmqtopic:*",
        "ckafka:List*", "ckafka:Describe*", "ckafka:AddRoute", "ckafka:CreateRoute"
      ],
      "resource": "*",
      "effect": "allow"
    }
  ]
}
```
The preset policy QcloudAccessForScfRole can:

- Write trigger configuration information to the bucket configuration if a COS trigger is configured.
- Read the trigger configuration information from the COS bucket.
- Read the code zip package from the bucket when the code is updated through COS.
- Create API Gateway services and APIs and publish services if an API Gateway trigger is configured.
- Create consumers if a CKafka trigger is configured.