
Function Compute:Service-linked role of Function Compute

Last Updated:May 24, 2024

A trusted Alibaba Cloud service can assume a Resource Access Management (RAM) role to access other Alibaba Cloud services. RAM roles that a trusted Alibaba Cloud service can assume are classified into regular service roles and service-linked roles. This topic describes the service-linked role of Function Compute.

Overview

The service-linked role AliyunServiceRoleForFC is assumed by Function Compute to access other Alibaba Cloud services and perform operations on your behalf. Function Compute 3.0 also lets you bind AliyunServiceRoleForFC to function as a service (FaaS) functions, so that functions are granted access to other cloud services following the principle of least privilege.

The following items list the service-linked role of Function Compute and the attached system policy:

  • Service-linked role: AliyunServiceRoleForFC

  • System policy: AliyunServiceRolePolicyForFC

AliyunServiceRoleForFC

The AliyunServiceRoleForFC role has the permissions to access specific Alibaba Cloud services, such as Virtual Private Cloud (VPC), Elastic Compute Service (ECS), Simple Log Service, and Container Registry. Function Compute uses the role to implement features such as connecting functions to VPCs, pulling container images, reclaiming resources, and exporting logs.

The AliyunServiceRolePolicyForFC policy is attached to the AliyunServiceRoleForFC role. The following code shows the content of the policy:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "vpc:DescribeVSwitchAttributes",
                "vpc:DescribeVpcAttribute"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DeleteNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cr:PullRepository",
                "cr:GetArtifactTag",
                "cr:GetAuthorizationToken",
                "cr:GetRepository",
                "cr:GetRepositoryTag",
                "cr:GetRepoTagManifest",
                "cr:GetRepositoryManifest",
                "cr:GetInstanceVpcEndpoint",
                "cr:GetInstance",
                "cr:GetNamespace",
                "cr:GetArtifactBuildRule",
                "cr:CreateArtifactBuildTask"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "fc:InvokeFunction",
                "eventbridge:PutEvents",
                "mq:PUB",
                "mq:OnsInstanceBaseInfo",
                "mns:SendMessage",
                "mns:PublishMessage",
                "fnf:ReportTaskSucceeded",
                "fnf:ReportTaskFailed"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "log:CreateProject",
                "log:CreateLogStore",
                "log:GetProject",
                "log:GetLogStore",
                "log:DeleteProject",
                "log:DeleteLogStore",
                "log:GetLogStoreLogs"
            ],
            "Resource": [
                "acs:log:*:*:project/aliyun-fc-*",
                "acs:log:*:*:project/*/logstore/function-log*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "log:PostLogStoreLogs"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ram:GetRole"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Effect": "Allow",
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "fc.aliyuncs.com"
                }
            }
        }
    ]
}

The following items list the scenarios in which the service-linked role of Function Compute is required:

  • Configure VPCs, vSwitches, or elastic network interfaces (ENIs) for Function Compute to improve data security and allow functions to communicate with resources inside the VPCs.

  • Access a Container Registry repository to pull images that are used to create image-based functions. Container images can be used to flexibly deploy functions.

  • Configure access to message services such as ApsaraMQ and EventBridge, and let Function Compute monitor events from those message sources. When a new message or event arrives, function execution is triggered directly, which implements an event-driven computing model.

  • Configure permissions related to Simple Log Service to enable automatic collection of function execution logs, facilitating search, analysis, and visualized display of logs. This helps you quickly locate and resolve issues.

Create the service-linked role

When you log on to the Function Compute 3.0 console, the system checks whether the service-linked role AliyunServiceRoleForFC exists in your account. If it does not, a message asks whether to create the service-linked role. After you confirm, the system creates the AliyunServiceRoleForFC role and attaches the AliyunServiceRolePolicyForFC policy to it.

After the service-linked role is created, you can view it on the Roles page in the RAM console or by calling the ListRoles operation from the CLI or another tool. You can also log on to the Function Compute 3.0 console again to verify that the role exists: if you are no longer prompted to create the service-linked role, it was created successfully.

Delete the service-linked role

You can delete the service-linked role in the RAM console. After the service-linked role is deleted, the Function Compute 3.0 console cannot be used as expected, and the features listed above that depend on the role are no longer authorized. Exercise caution when you perform this operation.

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, find the AliyunServiceRoleForFC role that you want to delete and click Delete Role in the Actions column.

  4. In the Delete Role dialog box, enter the name of the RAM role that you want to delete and click Delete Role.

    When you delete a service-linked role, RAM checks whether the role is being used by cloud resources. If the role is being used by one or more cloud resources, the role fails to be deleted. You can check the cloud resources that are using the role based on the displayed message. If you no longer need to use the corresponding cloud resources, find and remove the resources before you delete the service-linked role.

Required permissions for a RAM user to use a service-linked role

If you want to create or delete a service-linked role as a RAM user, you must use your Alibaba Cloud account to grant the RAM user the ram:CreateServiceLinkedRole and ram:DeleteServiceLinkedRole permissions, or attach the AliyunRAMFullAccess policy to the RAM user. The custom policy is the better choice: AliyunRAMFullAccess also allows the user to manage every other RAM user, role, and policy in the account.

The following code snippet shows a sample custom policy that allows a RAM user to create and delete only the service-linked role for Function Compute. The ram:ServiceName condition restricts both actions to the fc.aliyuncs.com service, so the user cannot create or delete service-linked roles of other services.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ram:CreateServiceLinkedRole",
                "ram:DeleteServiceLinkedRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "fc.aliyuncs.com"
                }
            }
        }
    ]
}
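The two policies on this page are easier to reason about with a small evaluator in hand. The following Python script is an added example, not Alibaba Cloud's authorization engine and not code from this product: it implements only the subset of RAM policy semantics that these two documents use (Allow/Deny statements, `*` wildcards in Action and Resource, and StringEquals conditions) and applies it to a constructed excerpt of AliyunServiceRolePolicyForFC and to the custom policy above. It shows why `log:DeleteProject` is allowed on an `aliyun-fc-*` project but not on an arbitrary one, why `ram:DeleteServiceLinkedRole` succeeds only when the request carries `ram:ServiceName = fc.aliyuncs.com`, and which grants in the service policy are unscoped (Resource `*` with no condition), which is where a review of a service-linked role normally starts. The account ID, region, project names and the case-insensitive action matching are assumptions for illustration.

```python
"""Added example for this page: a minimal evaluator for RAM policy documents.
It is NOT Alibaba Cloud's authorization engine; it implements only what the two
policies on this page need: Allow/Deny statements, '*' wildcards in Action and
Resource, and StringEquals conditions (assumptions noted inline)."""
import re

# Constructed excerpt of AliyunServiceRolePolicyForFC: the ECS, Simple Log Service
# and RAM statements copied from the policy above, reformatted for brevity.
FC_SERVICE_ROLE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ecs:CreateNetworkInterface", "ecs:DeleteNetworkInterface",
                    "ecs:DescribeNetworkInterfaces"]},
        {"Effect": "Allow",
         "Action": ["log:CreateProject", "log:CreateLogStore", "log:GetProject",
                    "log:GetLogStore", "log:DeleteProject", "log:DeleteLogStore",
                    "log:GetLogStoreLogs"],
         "Resource": ["acs:log:*:*:project/aliyun-fc-*",
                      "acs:log:*:*:project/*/logstore/function-log*"]},
        {"Effect": "Allow", "Action": ["log:PostLogStoreLogs"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["ram:GetRole"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ram:DeleteServiceLinkedRole", "Resource": "*",
         "Condition": {"StringEquals": {"ram:ServiceName": "fc.aliyuncs.com"}}},
    ],
}

# The custom policy from the section above, which lets a RAM user manage only
# the Function Compute service-linked role.
CUSTOM_USER_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole"],
         "Resource": "*",
         "Condition": {"StringEquals": {"ram:ServiceName": "fc.aliyuncs.com"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value, ignore_case):
    # RAM patterns use only '*' as a wildcard; everything else is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _condition_holds(condition, context):
    # Only StringEquals is implemented. Every key must be present in the request
    # context and equal one of the listed values; otherwise the statement is skipped.
    for operator, keys in (condition or {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not supported")
        for key, allowed in keys.items():
            if context.get(key) not in _as_list(allowed):
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return True if the policy allows the request. Explicit Deny wins over Allow,
    and a request matched by no statement is denied (RAM's default)."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        # Assumption: action names compare case-insensitively, resources exactly.
        if not any(_glob_match(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob_match(r, resource, False) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def unscoped_actions(policy):
    """Review helper: actions granted on Resource '*' with no Condition, grouped by
    service prefix. These are the grants a reviewer should justify first."""
    result = {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt.get("Condition"):
            continue
        if "*" not in _as_list(stmt["Resource"]):
            continue
        for action in _as_list(stmt["Action"]):
            result.setdefault(action.split(":")[0], []).append(action)
    return {svc: sorted(acts) for svc, acts in result.items()}


if __name__ == "__main__":
    acct = "acs:log:cn-hangzhou:1234567890"  # constructed region/account prefix
    print(evaluate(FC_SERVICE_ROLE_POLICY, "log:DeleteProject", f"{acct}:project/aliyun-fc-demo"))
    print(evaluate(FC_SERVICE_ROLE_POLICY, "log:DeleteProject", f"{acct}:project/payments-audit"))
    print(unscoped_actions(FC_SERVICE_ROLE_POLICY))
```

Running the script prints `True`, `False`, and the unscoped grants (in this excerpt: the three ECS ENI actions, `log:PostLogStoreLogs`, and `ram:GetRole`; the `ram:DeleteServiceLinkedRole` grant is excluded because it is conditioned on `ram:ServiceName`). The same `evaluate` call on CUSTOM_USER_POLICY with `ram:ServiceName` set to `fc.aliyuncs.com` returns True, and with any other service name returns False, which is exactly the restriction the custom policy is meant to enforce.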