CloudFlow:Create execution roles

Last Updated: Oct 30, 2023

This topic describes execution roles: what they are used for, how to write a least-privilege permission policy, and how to create the execution role that the policy is attached to.

Background information

When you build an application with Serverless workflow, you must create an execution role and grant it the permissions the flow needs. When Serverless workflow runs a flow, it assumes this role and accesses cloud services on your behalf, for example to invoke functions, send messages, or start other flows. The flow can do nothing that the role is not permitted to do, so the role's policy is the boundary of what a flow (or a bug in it) can reach.

You can use the Serverless workflow console to create an execution role and grant it system permissions, but system policies are broad. To control access at a finer granularity, for example to allow a flow to invoke only one or a few specific functions in Function Compute, create a custom policy and an execution role as described below.

Serverless workflow uses Resource Access Management (RAM) to implement role-based permission management. The basic idea of authorization is as follows: a policy states which actions may be performed on which resources of a service. After the policy is attached to a role, that role carries the permission. When a third party, here the workflow service, needs that access, it assumes the role and receives temporary credentials scoped to the role's policy. No long-term AccessKey has to be issued to or stored in the service, which removes a common source of credential leakage and makes the system more secure.

Create a permission policy

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. Set Policy Name and Note. For example, set Policy Name to FnFExecutionRolePolicy.
  5. Select Script for Configuration Mode, and edit the policy. For more information, see Policy structure and syntax. The following table lists example statements that grant a flow narrowly scoped permissions; each row is one statement with the given Effect, Action, and Resource.
Description                                                                  Effect  Action              Resource
Allows invoking the Func1 function in the Test1 service.                     Allow   fc:InvokeFunction   acs:fc:::services/Test1/functions/Func1
Allows invoking all functions in the Test2 service.                          Allow   fc:InvokeFunction   acs:fc:::services/Test2/functions/*
Allows invoking all functions in any service whose name starts with Public.  Allow   fc:InvokeFunction   acs:fc:::services/Public*/functions/*
Allows sending messages to the Test1 queue.                                  Allow   mns:SendMessage     acs:mns:*:*:/queues/Test1/messages
Allows starting executions of the Test1 flow.                                Allow   fnf:StartExecution  acs:fnf:::flows/Test1/executions/*
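The following is an added example, not code from the page or from the CloudFlow or RAM products. It assembles the table's rows into a RAM policy document, evaluates sample requests against it the way RAM does (deny by default, explicit Deny overrides Allow, `*` as the only wildcard), and flags statements that are broader than a single flow needs. The action and resource strings are the table's own; the evaluator, the linter and the sample requests are assumptions made for illustration.

```python
import json
import re

# Constructed example input: the five statements from the table above as
# (action, resource) pairs. Only these strings come from the page; the rest of
# this block is added illustration, not CloudFlow or RAM code.
TABLE_STATEMENTS = [
    ("fc:InvokeFunction",  "acs:fc:::services/Test1/functions/Func1"),
    ("fc:InvokeFunction",  "acs:fc:::services/Test2/functions/*"),
    ("fc:InvokeFunction",  "acs:fc:::services/Public*/functions/*"),
    ("mns:SendMessage",    "acs:mns:*:*:/queues/Test1/messages"),
    ("fnf:StartExecution", "acs:fnf:::flows/Test1/executions/*"),
]


def build_policy(statements, effect="Allow"):
    """Assemble a RAM policy document (Version "1") from (action, resource) pairs."""
    return {
        "Version": "1",
        "Statement": [
            {"Effect": effect, "Action": action, "Resource": resource}
            for action, resource in statements
        ],
    }


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value):
    # '*' is the only wildcard in RAM policies: translate it to '.*' and require
    # a full match so that "Test1" never matches "Test10".
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def is_allowed(policy, action, resource):
    """Evaluate one request: no matching statement means deny; a matching Deny always wins."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_wildcard_match(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_wildcard_match(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def lint_policy(policy):
    """Return human-readable findings for Allow statements with wildcard actions or resources."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        for a in _as_list(stmt["Action"]):
            if a == "*" or a.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {a!r}")
        for r in _as_list(stmt["Resource"]):
            if r == "*" or r.startswith("acs:*"):
                findings.append(f"statement {i}: wildcard resource {r!r}")
    return findings


if __name__ == "__main__":
    policy = build_policy(TABLE_STATEMENTS)
    print(json.dumps(policy, indent=2))          # the document to paste into the Script editor
    for finding in lint_policy(build_policy([("fc:*", "*")])):
        print("too broad:", finding)
```

Two points the evaluator makes visible: a resource prefix such as `services/Public*` matches every service whose name starts with `Public`, including services created after the policy was written, so prefix wildcards silently widen over time; and an action not listed in any statement (for example `fc:UpdateFunction`) is denied even for resources the policy names, which is exactly the behaviour a least-privilege execution role should have.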

Create an execution role

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. Click Create Role.
  4. In the Create Role panel, configure the following parameters:
    • The Select Trusted Entity parameter in the Select Role Type step: Select Alibaba Cloud Service.
    • The RAM Role Name parameter in the Configure Role step: Enter FnFExecutionRole.
    • The Select Trusted Service parameter in the Configure Role step: Select Function Flow.
  5. In the Finish step, click Add Permissions to RAM Role, and follow the on-screen instructions to attach the FnFExecutionRolePolicy policy to the FnFExecutionRole role that you created.
  6. Copy the Alibaba Cloud Resource Name (ARN) of the FnFExecutionRole role for use when you create or update a flow.
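The following is an added example, not code from the page or from the CloudFlow or RAM products. It shows the trust policy that selecting Alibaba Cloud Service as the trusted entity amounts to, builds the role ARN from step 6, and checks that the trust policy lets only the workflow service assume the role. The service principal `fnf.aliyuncs.com`, the lowercased role name in the ARN, and the placeholder account ID are assumptions made for illustration.

```python
import json

# Assumed service principal for Serverless workflow; confirm it against the
# trust policy the console generates before relying on it.
WORKFLOW_SERVICE_PRINCIPAL = "fnf.aliyuncs.com"


def trust_policy(service_principal=WORKFLOW_SERVICE_PRINCIPAL):
    """Trust policy of a service role: only the named service may call sts:AssumeRole."""
    return {
        "Version": "1",
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": [service_principal]},
        }],
    }


def role_arn(account_id, role_name):
    """ARN of a RAM role; the role name is lowercased in the ARN (assumption)."""
    return f"acs:ram::{account_id}:role/{role_name.lower()}"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, expected_service=WORKFLOW_SERVICE_PRINCIPAL):
    """Return every way the trust policy is wider than 'only the workflow service'."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if any(a != "sts:AssumeRole" for a in _as_list(stmt.get("Action", []))):
            findings.append(f"statement {i}: allows an action other than sts:AssumeRole")
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            findings.append(f"statement {i}: principal {principal!r} is not a Service/RAM map")
            continue
        # Any RAM user or account, any federated identity, or any other service
        # listed here could also assume the role and inherit its permissions.
        for kind, members in principal.items():
            for member in _as_list(members):
                if kind != "Service" or member != expected_service:
                    findings.append(f"statement {i}: trusts {kind}={member}")
    return findings


if __name__ == "__main__":
    print(json.dumps(trust_policy(), indent=2))
    print(role_arn("1234567890123456", "FnFExecutionRole"))   # placeholder account ID
    print(audit_trust_policy(trust_policy()))
```

Run the audit whenever the role's trust policy is edited: an extra RAM principal or a second trusted service turns the execution role into a path by which something other than the workflow service can act with the flow's permissions.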