This topic describes how to create a permission policy and how to create an execution role.
Background information
When you use CloudFlow to build an application, you must create an execution role and grant permissions to the role. When CloudFlow executes a flow, it assumes this role and accesses cloud services on your behalf, such as executing functions, sending messages, and executing flows.
You can use the CloudFlow console to create an execution role and grant system permissions to the role. To control access to services at a finer granularity, for example, to allow flows to invoke only one or a few functions in Function Compute, you must create a custom permission policy. Both procedures are described below.
CloudFlow uses Resource Access Management (RAM) to implement role-based permission management. The model works as follows: a policy describes the capability to access a service, and once the policy is attached to a role, that role can access the service. A party that needs to access the service only has to assume the role, so no long-term AccessKey pair has to be issued or distributed, which makes the system more secure.
Create a policy
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose
- On the Policies page, click Create Policy.
- On the Create Policy page, click the JSON tab.
- Enter the policy document and click Next: Edit Basic Information.
For more information about the syntax and structure of RAM policies, see Policy structure and syntax. The following table describes some common permissions.
| Description | Effect | Action | Resource |
| --- | --- | --- | --- |
| Allow the RAM role to access the Func1 function of the Test1 service. | Allow | fc:InvokeFunction | acs:fc:::services/Test1/functions/Func1 |
| Allow the RAM role to access all functions of the Test2 service. | Allow | fc:InvokeFunction | acs:fc:::services/Test2/functions/* |
| Allow the RAM role to access all functions of the services whose names start with Public. | Allow | fc:InvokeFunction | acs:fc:::services/Public*/functions/* |
| Allow the RAM role to send messages to the Test1 queue. | Allow | mns:SendMessage | acs:mns:*:*:/queues/Test1/messages |
| Allow the RAM role to execute the Test1 flow. | Allow | fnf:StartExecution | acs:fnf:::flows/Test1/executions/* |
- Specify the Name and Description fields.
- Check and optimize the content of the custom policy.
  - Basic optimization: the system automatically optimizes the policy statement by deleting unnecessary conditions and deleting unnecessary arrays.
  - (Optional) Advanced optimization: move the pointer over Optional: advanced optimize and click Perform. The system splits resources or conditions that are incompatible with actions, narrows down resources, and deduplicates or merges policy statements.
- Click OK.
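As an added example that is not part of the original page, the rows of the table above assembled into one policy document, together with a simplified evaluator that shows which requests each resource pattern admits and a least-privilege check that flags wildcard statements. The matching rules are an approximation of RAM's engine (no conditions), and `is_allowed` and `overly_broad` are hypothetical helpers, not a RAM API.

```python
import re

# Constructed policy that combines the table rows; Test1, Test2, Func1 and
# Public* are the table's sample names, not real resources.
EXECUTION_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "fc:InvokeFunction",
         "Resource": ["acs:fc:::services/Test1/functions/Func1",
                      "acs:fc:::services/Test2/functions/*",
                      "acs:fc:::services/Public*/functions/*"]},
        {"Effect": "Allow", "Action": "mns:SendMessage",
         "Resource": "acs:mns:*:*:/queues/Test1/messages"},
        {"Effect": "Allow", "Action": "fnf:StartExecution",
         "Resource": "acs:fnf:::flows/Test1/executions/*"},
    ],
}


def _glob(pattern, value):
    # Simplified matching (assumption): '*' matches any run of characters,
    # including '/' and ':'; every other character is literal, case-sensitive.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Explicit Deny wins, any matching Allow grants, no match is an implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_glob(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def overly_broad(policy):
    """Least-privilege check: flag Allow statements using a bare '*' or a service-wide 'xx:*'."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        findings += [("Action", a) for a in _as_list(stmt["Action"]) if a == "*" or a.endswith(":*")]
        findings += [("Resource", r) for r in _as_list(stmt["Resource"]) if r == "*"]
    return findings
```

Running the evaluator against requests for functions in Test1, Test2, a Public-prefixed service and an unrelated Test3 service shows exactly the scope each row of the table grants.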
Create an execution role
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, click RAM Roles.
- On the RAM Roles page, click Create RAM Role.
- In the Create Role panel, configure the following parameters, and then click OK.
  - In the Select Role Type step, select Alibaba Cloud Service for the Select Trusted Entity parameter.
  - In the Configure Role step, select Normal Service Role for the Role Type parameter.
  - In the Configure Role step, enter FnFExecutionRole in the RAM Role Name field.
  - In the Configure Role step, select Function Flow from the Select Trusted Service drop-down list.
- Attach the policy that you created to the FnFExecutionRole role. For more information, see Grant permissions to a RAM role.
- Click the execution role that you created, and copy the Alibaba Cloud Resource Name (ARN) of the role from the Basic Information section. You will use the ARN when you create or update the flow.