
How do I grant RAM User A access to certain functions while restricting RAM User B to others?

Updated at: 2025-02-05 02:01

You can use tags to group functions and grant different permissions to different RAM users or RAM user groups. Assume you have created 10 functions in Function Compute with your Alibaba Cloud account and want to hand five of them to the dev team and the other five to the ops team, with each team able to view and manage only its own functions. Tag the functions by team, then attach a policy to each team's RAM user group whose Allow statement is conditioned on that tag; RAM then scopes every fc action the policy grants to functions carrying the matching tag.

Prerequisites

You have created 10 functions in the Function Compute console. You have added a tag, whose tag key is team and tag value is dev, to five functions and added another tag, whose tag key is team and tag value is ops, to the other five functions. For more information about how to add a tag to a function, see Manage tags.

Procedure

Important
  • If the function is created in the Function Compute 2.0 console, the tag is added to the service to which the function belongs instead of the function. The name of a function that is created in the Function Compute 2.0 console is displayed with an extra dollar sign ($) in the Function Compute 3.0 console. For more information, see Tag management.

  • To follow the principle of least privilege, do not attach policies with a high permission level, such as AliyunFCFullAccess or AliyunFCReadOnlyAccess, to these RAM users or user groups. RAM grants an action if any attached policy allows it, and such a policy allows fc actions on every function with no tag condition, so the tag-scoped custom policy would no longer restrict anything and you could not manage permissions on functions by group.

  1. Create two RAM users within your Alibaba Cloud account. For more information, see Create a RAM user.

  2. Create the dev and ops RAM user groups. For more information, see Create a RAM user group.

  3. Add the two RAM users to the dev and ops RAM user groups. For more information, see Add a RAM user to a RAM user group.

  4. Attach different permission policies to the dev and ops RAM user groups.

    Function Compute supports system policies and custom policies. Choose the policy type that fits your business requirements and attach it to each RAM user group. This topic uses custom policies, because only a custom policy can carry the tag condition that scopes permissions to one team's functions.

    1. Create a custom policy.

      Create a custom policy named policyForDevTeam for the dev RAM user group. Sample code:

      {
          "Statement": [
              {
                  "Action": "fc:*",
                  "Effect": "Allow",
                  "Resource": "*",
                  "Condition": {
                      "StringEquals": {
                          "fc:tag/team": "dev"
                      }
                  }
              },
              {
                  "Action": "fc:ListFunctions",
                  "Effect": "Allow",
                  "Resource": "*"
              },
              {
                  "Action": "fc:ListTagResources",
                  "Effect": "Allow",
                  "Resource": "*"
              }
          ],
          "Version": "1"
      }

      Create a custom policy named policyForOpsTeam for the ops RAM user group. Sample code:

      {
          "Statement": [
              {
                  "Action": "fc:*",
                  "Effect": "Allow",
                  "Resource": "*",
                  "Condition": {
                      "StringEquals": {
                          "fc:tag/team": "ops"
                      }
                  }
              },
              {
                  "Action": "fc:ListFunctions",
                  "Effect": "Allow",
                  "Resource": "*"
              },
              {
                  "Action": "fc:ListTagResources",
                  "Effect": "Allow",
                  "Resource": "*"
              }
          ],
          "Version": "1"
      }
    2. Attach the policyForDevTeam policy to the dev RAM user group and the policyForOpsTeam policy to the ops RAM user group. For more information, see Grant permissions to a RAM user group.

  5. Log on to the Function Compute console as a RAM user in the dev RAM user group and then as a RAM user in the ops RAM user group to verify the result. For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.

    The RAM user in the dev RAM user group can manage only functions that carry the team:dev tag, and the RAM user in the ops RAM user group can manage only functions that carry the team:ops tag. Note what the two unconditioned statements in each policy still permit: fc:ListFunctions and fc:ListTagResources are allowed on all resources, so a user in either group can list the names and tags of every function in the account, including the other team's and any untagged function. Only the actions covered by the conditioned fc:* statement are scoped by tag; a function with no team tag, or a tag value other than the group's, cannot be managed by either group.
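    The check below is an added example and is not code from this page or from Alibaba Cloud. It builds the per-team policy document shown above for any team tag value and then simulates, with a deliberately simplified model of RAM policy evaluation (default deny, any matching Allow grants, an explicit Deny wins, StringEquals compared against the function's tags), what a dev-group member can do to a dev-tagged, an ops-tagged and an untagged function. The constant FULL_ACCESS_LIKE is a hypothetical stand-in for a broad system policy such as AliyunFCFullAccess; the function tags are constructed sample data. Running it shows why the note above warns against attaching such a policy: one unconditioned fc:* Allow makes the tag separation disappear.

```python
"""Added example, not Alibaba Cloud's code: build the team policies from the
page and simulate RAM's decision for tagged functions.

The evaluator is a simplified model of RAM evaluation (default deny, any
matching Allow grants, explicit Deny wins, StringEquals checked against the
resource's tags). It covers only what this page uses; it is not RAM itself.
"""

import fnmatch
import json


def build_team_policy(team: str) -> dict:
    """Return the policy document from this page for a given team tag value."""
    return {
        "Statement": [
            {
                "Action": "fc:*",
                "Effect": "Allow",
                "Resource": "*",
                "Condition": {"StringEquals": {"fc:tag/team": team}},
            },
            {"Action": "fc:ListFunctions", "Effect": "Allow", "Resource": "*"},
            {"Action": "fc:ListTagResources", "Effect": "Allow", "Resource": "*"},
        ],
        "Version": "1",
    }


# Hypothetical stand-in for a broad system policy such as AliyunFCFullAccess:
# fc:* on every resource with no condition.
FULL_ACCESS_LIKE = {
    "Statement": [{"Action": "fc:*", "Effect": "Allow", "Resource": "*"}],
    "Version": "1",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition: dict, resource_tags: dict) -> bool:
    """Evaluate the StringEquals conditions used on this page. A key
    'fc:tag/<k>' is compared with the resource's tag <k>; a missing tag never
    satisfies StringEquals, so untagged functions fall outside the scope."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"unsupported condition operator {operator}")
        for key, expected in pairs.items():
            if not key.startswith("fc:tag/"):
                raise NotImplementedError(f"unsupported condition key {key}")
            tag_key = key[len("fc:tag/"):]
            if resource_tags.get(tag_key) not in _as_list(expected):
                return False
    return True


def is_allowed(policies: list, action: str, resource_tags: dict) -> bool:
    """Simplified RAM decision across all attached policies: an explicit Deny
    wins, otherwise any matching Allow grants, otherwise the default is deny."""
    decision = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
                continue
            if not _condition_holds(stmt.get("Condition", {}), resource_tags):
                continue
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


def separation_holds(policies_for_dev: list) -> dict:
    """What a dev-group member can do to sample functions (constructed tags)."""
    dev_fn, ops_fn, untagged_fn = {"team": "dev"}, {"team": "ops"}, {}
    return {
        "update_dev": is_allowed(policies_for_dev, "fc:UpdateFunction", dev_fn),
        "update_ops": is_allowed(policies_for_dev, "fc:UpdateFunction", ops_fn),
        "update_untagged": is_allowed(policies_for_dev, "fc:UpdateFunction", untagged_fn),
        # ListFunctions has no tag condition, so the other team's functions are visible.
        "list_all": is_allowed(policies_for_dev, "fc:ListFunctions", ops_fn),
    }


if __name__ == "__main__":
    dev_policy = build_team_policy("dev")
    print(json.dumps(dev_policy, indent=4))
    print("dev group alone:", separation_holds([dev_policy]))
    print("dev group + full-access-like policy:",
          separation_holds([dev_policy, FULL_ACCESS_LIKE]))
```

    With only policyForDevTeam attached, update_dev is allowed, update_ops and update_untagged are denied, and list_all is allowed. Adding the unconditioned fc:* policy flips update_ops and update_untagged to allowed, which is exactly the loss of group separation the Important note describes. To check a real account rather than this model, log on as a member of each group and attempt an update on a function from the other team, as step 5 does.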
