SCF Policy Syntax

Last updated: 2020-09-21 11:25:05

    Policy Syntax

    For more information on how to create custom policies, please see Creating Custom Policies. SCF's policy syntax follows CAM's syntax structure and resource description method, which is based on the JSON format, and all resources can be described in the six-segment style, as shown in the sample below:

    qcs::scf:region:uin/uinid:function/function-name

    Note:

    When configuring a policy, you also need to include the monitor APIs so that the monitoring information under the account can be obtained. For how the monitor APIs are used, see the sample policy below.

    Sample Policy

    {
        "version": "2.0",
        "statement": [
            {
                "effect": "allow",
                "action": [
                    "scf:ListFunctions",
                    "scf:GetAccountSettings",
                    "monitor:*"
                ],
                "resource": ["*"]
            },
            {
                "effect": "allow",
                "action": [
                    "scf:DeleteFunction",
                    "scf:CreateFunction",
                    "scf:InvokeFunction",
                    "scf:UpdateFunction",
                    "scf:GetFunctionLogs",
                    "scf:SetTrigger",
                    "scf:DeleteTrigger",
                    "scf:GetFunction",
                    "scf:ListVersion"
                ],
                "resource": [
                    "qcs::scf:gz:uin/******:function/Test1",
                    "qcs::scf:gz:uin/******:function/Test2"
                ]
            }
        ]
    }
    • If the action is an operation that needs to be associated with a resource, the resource can be defined as *, indicating that all resources are to be associated.
    • If the action is an operation that does not need to be associated with a resource, the resource needs to be defined as *.
    • This sample grants a sub-account permission to operate certain functions under the root account. Each entry in resource describes a function under the root account.
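As an added example (not part of the original page or of Tencent Cloud's own tooling), the following Python lint checks a policy of the shape shown above: it validates each resource against the six-segment form and flags wildcard actions granted on resource `*`. The function names, the regex group names and the UIN `100000000001` are constructed for illustration.

```python
import re

# Six-segment form shown on the page:
#   qcs::scf:region:uin/uinid:function/function-name
# Group names are labels chosen for this example; whitespace is never valid.
RESOURCE_RE = re.compile(
    r"^qcs:(?P<project>[^:\s]*):(?P<service>[a-z0-9]+):(?P<region>[^:\s]*):"
    r"uin/(?P<uin>[^:/\s]+):(?P<rtype>[^:/\s]+)/(?P<name>\S+)$"
)

def as_list(value):
    """Accept a single string or a list (the page writes resource both ways)."""
    return [value] if isinstance(value, str) else list(value)

def lint_policy(policy):
    """Return (statement_index, finding) tuples for the allow statements."""
    findings = []
    for i, stmt in enumerate(policy.get("statement", [])):
        if stmt.get("effect") != "allow":
            continue
        actions = as_list(stmt.get("action", []))
        resources = as_list(stmt.get("resource", []))
        for res in resources:
            if res != "*" and not RESOURCE_RE.match(res):
                findings.append((i, f"malformed resource: {res!r}"))
        if "*" in resources:
            for act in actions:
                if act.endswith("*"):
                    findings.append((i, f"wildcard action {act} on resource *"))
    return findings

# Constructed input: the page's sample shape with a placeholder UIN and one
# resource that carries a stray space after "qcs:".
SAMPLE = {
    "version": "2.0",
    "statement": [
        {"effect": "allow",
         "action": ["scf:ListFunctions", "scf:GetAccountSettings", "monitor:*"],
         "resource": ["*"]},
        {"effect": "allow",
         "action": ["scf:InvokeFunction", "scf:GetFunction"],
         "resource": ["qcs::scf:gz:uin/100000000001:function/Test1",
                      "qcs: :scf:gz:uin/100000000001:function/Test2"]},
    ],
}

if __name__ == "__main__":
    for idx, msg in lint_policy(SAMPLE):
        print(f"statement[{idx}]: {msg}")
```
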

    Specifying Conditions

    The access policy language allows you to specify conditions when granting permissions, such as limiting the user access source or authorization time. The list below contains supported condition operators as well as general condition keys and examples.

    | Condition Operator | Description | Condition Name | Example |
    | --- | --- | --- | --- |
    | ip_equal | The IP is equal to | qcs:ip | {"ip_equal":{"qcs:ip":"10.121.2.0/24"}} |
    | ip_not_equal | The IP is not equal to | qcs:ip | {"ip_not_equal":{"qcs:ip":["10.121.1.0/24", "10.121.2.0/24"]}} |
    | date_not_equal | The date is not equal to | qcs:current_time | {"date_not_equal":{"qcs:current_time":"2016-06-01T00:01:00Z"}} |
    | date_greater_than | The date is later than | qcs:current_time | {"date_greater_than":{"qcs:current_time":"2016-06-01T00:01:00Z"}} |
    | date_greater_than_equal | The date is later than or equal to | qcs:current_time | {"date_greater_than_equal":{"qcs:current_time":"2016-06-01T00:01:00Z"}} |
    | date_less_than | The date is earlier than | qcs:current_time | {"date_less_than":{"qcs:current_time":"2016-06-01T00:01:00Z"}} |
    | date_less_than_equal | The date is earlier than or equal to | qcs:current_time | {"date_less_than_equal":{"qcs:current_time":"2016-06-01T00:01:00Z"}} |

    • To allow access only by IPs in the 10.121.2.0/24 IP range, use the following syntax:
      "ip_equal":{"qcs:ip":"10.121.2.0/24"}
    • To allow access only by IPs 101.226.***.185 and 101.226.***.186, use the following syntax:
      "ip_equal": {
        "qcs:ip": [
          "101.226.***.185",
          "101.226.***.186"
        ]
      }
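As an added example (not from the original page or from CAM itself), this Python code evaluates a condition block against a request context so that a condition can be checked offline before the policy is attached. It assumes that every operator in a block must match, that `ip_equal` matches when any listed range contains the address, and that `ip_not_equal` requires that none does; the request values are constructed.

```python
import ipaddress
import operator
from datetime import datetime, timezone

# Operators and condition keys as listed in the table above.
DATE_OPS = {
    "date_not_equal": operator.ne,
    "date_greater_than": operator.gt,
    "date_greater_than_equal": operator.ge,
    "date_less_than": operator.lt,
    "date_less_than_equal": operator.le,
}
KEY_FOR = {"ip_equal": "qcs:ip", "ip_not_equal": "qcs:ip",
           **{op: "qcs:current_time" for op in DATE_OPS}}

def _ts(text):
    # Timestamp form used on the page: 2016-06-01T00:01:00Z (UTC).
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _ip_in(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)

def _test(op, actual, values):
    if op == "ip_equal":        # assumption: any listed range may match
        return _ip_in(actual, values)
    if op == "ip_not_equal":    # assumption: no listed range may match
        return not _ip_in(actual, values)
    return all(DATE_OPS[op](_ts(actual), _ts(v)) for v in values)

def condition_matches(condition, context):
    """Evaluate a condition block against a request context.

    Assumption: all operators must match (logical AND). Unknown operators or
    keys raise ValueError so that a typo is caught instead of being ignored.
    """
    for op, clause in condition.items():
        if op not in KEY_FOR:
            raise ValueError(f"unsupported operator: {op!r}")
        for key, raw in clause.items():
            if key != KEY_FOR[op]:
                raise ValueError(f"unexpected key {key!r} for {op}")
            values = [raw] if isinstance(raw, str) else list(raw)
            if not _test(op, context[key], values):
                return False
    return True

# Constructed request context for trying a condition block offline.
REQUEST = {"qcs:ip": "10.121.2.17", "qcs:current_time": "2020-09-21T11:25:05Z"}
```

A condition key with stray whitespace, such as `"qcs:ip "`, is rejected by this check because it is not the key `qcs:ip`.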


    User Policy Update

    SCF improved the preset permission policies in April 2020. The preset policies QcloudSCFFullAccess and QcloudSCFReadOnlyAccess were modified, and the QcloudAccessForScfRole policy was added for the configuration role SCF_QcsRole, as shown below:

    • Currently, the preset policy QcloudSCFFullAccess has the following permissions:
    {
        "version": "2.0",
        "statement": [
            {
                "action": [
                    "scf:*",
                    "tag:*",
                    "cam:DescribeRoleList",
                    "cam:GetRole",
                    "cam:ListAttachedRolePolicies",
                    "apigw:DescribeServicesStatus",
                    "apigw:DescribeService",
                    "apigw:DescribeApisStatus",
                    "cmqtopic:ListTopicDetail",
                    "cmqqueue:ListQueueDetail",
                    "cmqtopic:GetSubscriptionAttributes",
                    "cmqtopic:GetTopicAttributes",
                    "cos:GetService",
                    "cos:HeadBucket",
                    "cos:HeadObject",
                    "vpc:DescribeVpcEx",
                    "vpc:DescribeSubnetEx",
                    "cls:getTopic",
                    "cls:getLogset",
                    "cls:listLogset",
                    "cls:listTopic",
                    "ckafka:List*",
                    "ckafka:Describe*",
                    "ckafka:ListInstance",
                    "monitor:GetMonitorData",
                    "monitor:DescribeBasicAlarmList",
                    "monitor:DescribeBaseMetrics",
                    "monitor:DescribeSortObjectList",
                    "monitor:DescribePolicyConditionList",
                    "cdb:DescribeDBInstances"
                ],
                "resource": "*",
                "effect": "allow"
            }
        ]
    }
    • Currently, the preset policy QcloudSCFReadOnlyAccess has the following permissions:
    {
        "version": "2.0",
        "statement": [
            {
                "action": [
                    "scf:Get*",
                    "scf:List*",
                    "ckafka:List*",
                    "ckafka:Describe*",
                    "monitor:GetMonitorData",
                    "monitor:DescribeBasicAlarmList",
                    "monitor:DescribeBaseMetrics",
                    "monitor:DescribeSortObjectList",
                    "cam:GetRole",
                    "cam:ListAttachedRolePolicies",
                    "vpc:DescribeVpcEx",
                    "vpc:DescribeSubnetEx",
                    "cls:getLogset",
                    "cls:getTopic",
                    "cls:listTopic",
                    "apigw:DescribeService",
                    "cmqtopic:GetTopicAttributes",
                    "cmqtopic:GetSubscriptionAttributes",
                    "cos:HeadBucket",
                    "cos:GetService",
                    "cos:GetObject"
                ],
                "resource": "*",
                "effect": "allow"
            }
        ]
    }
    • Currently, the preset policy QcloudAccessForScfRole has the following permissions:
    {
        "version": "2.0",
        "statement": [
            {
                "action": [
                    "cos:GetBucket*",
                    "cos:HeadBucket",
                    "cos:PutBucket*",
                    "apigw:*",
                    "cls:*",
                    "cos:List*",
                    "cos:Get*",
                    "cos:Head*",
                    "cos:OptionsObject",
                    "cmqqueue:*",
                    "cmqtopic:*",
                    "ckafka:List*",
                    "ckafka:Describe*",
                    "ckafka:AddRoute",
                    "ckafka:CreateRoute"
                ],
                "resource": "*",
                "effect": "allow"
            }
        ]
    }

    The preset policy QcloudAccessForScfRole can:

    • Write trigger configuration information to the bucket configuration if a COS trigger is configured.
    • Read the trigger configuration information from the COS bucket.
    • Read the code zip package from the bucket when the code is updated through COS.
    • Create API Gateway services and APIs and publish services if an API Gateway trigger is configured.
    • Create consumers if a CKafka trigger is configured.
