When deploying a project in Serverless Framework, you need to grant Serverless Framework permissions to manipulate your Tencent Cloud service resources through a role, either by scanning a QR code or with a key.
When you run the `sls` command, the system will query whether there is key information in the environment variables. If no key has been configured, a QR code will pop up for you to scan for authorization.
After you authorize by scanning the code, temporary key information will be generated (which will expire in 15 minutes) and written into the .env file in the current directory.
```
TENCENT_APP_ID=xxxxxx # `AppId` of authorizing account
TENCENT_SECRET_ID=xxxxxx # `SecretId` of authorizing account
TENCENT_SECRET_KEY=xxxxxx # `SecretKey` of authorizing account
TENCENT_TOKEN=xxxxx # Temporary token
```
To eliminate the need for repeated authorization due to information expiration in case of authorization by scanning the code, you can authorize with a key. Create an `.env` file in the root directory of the project to be deployed and configure the Tencent Cloud `SecretId` and `SecretKey` information:
```
# .env
TENCENT_SECRET_ID=xxxxxxxxxx # `SecretId` of your account
TENCENT_SECRET_KEY=xxxxxxxx # `SecretKey` of your account
```
You can get `SecretId` and `SecretKey` in API Key Management.
To ensure account security, we recommend you use a sub-account key for authorization. The sub-account can deploy the project only after being granted the relevant permission. For more information on the configuration, please see Configuring sub-account permission.
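The two `.env` layouts above differ in lifetime: the scanned one carries `TENCENT_TOKEN` and expires, the key-based one does not. The following check is an added example, not part of Serverless Framework; its function names and finding labels are hypothetical, and it assumes `#` starts a comment as in the files shown above.

```python
import os
import stat

def parse_env(text):
    """Parse KEY=value lines; text after '#' is treated as a comment."""
    values = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values

def credential_kind(values):
    """'temporary' if a token accompanies the key pair, 'long-lived' if not, else 'none'."""
    if not (values.get("TENCENT_SECRET_ID") and values.get("TENCENT_SECRET_KEY")):
        return "none"
    return "temporary" if values.get("TENCENT_TOKEN") else "long-lived"

def audit_env_file(path):
    """Return finding labels (hypothetical names) for one .env file."""
    with open(path, encoding="utf-8") as handle:
        kind = credential_kind(parse_env(handle.read()))
    if kind == "none":
        return []
    findings = []
    if kind == "long-lived":
        # No TENCENT_TOKEN: this key does not expire after 15 minutes.
        findings.append("long-lived-key")
    if os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        # Any group/other permission bit exposes the key to other local users.
        findings.append("group-or-other-access")
    return findings

if __name__ == "__main__":
    if os.path.exists(".env"):
        print(audit_env_file(".env"))
```

A `long-lived-key` finding is expected with key-based authorization; it marks the file that should hold a sub-account key and stay out of version control.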
When deploying a project in Serverless Framework, you need to use a role for authorization as follows:
The root account has the permissions to manipulate the Serverless Framework service and call roles by default. The `SLS_QcsRole` role will be created by default when you activate Serverless Framework, which will have the corresponding policies of the associated services required by Serverless Framework during deployment. For the permissions of `SLS_QcsRole`, please see SLS_QcsRole role permission list.
A sub-account does not have the operation permissions by default; therefore, you need to authorize it with the root account (or a sub-account with the authorization permission) in the following steps:
`SLS_QcsRole` role.

Note:
The `SLS_QcsRole` role has the corresponding policies of the associated services required by Serverless Framework during deployment. You can control the policies as instructed in [Configuring permission to manipulate specified role](#Configuring permission to manipulate specified role).
When granting the sub-account permission to manipulate the Serverless Framework service, you can select the permission to manipulate all resources or specific resources.
You can allow a sub-account to manipulate all Serverless Framework resources in the following steps:
`QcloudSLSFullAccess` and click Next.
```json
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "sls:*"
      ],
      "resource": "*",
      "effect": "allow"
    }
  ]
}
```
You can allow a sub-account to manipulate only specific Serverless Framework resources in the following steps:
```json
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "sls:*"
      ],
      "resource": "qcs::sls:ap-guangzhou::appname/${appname}/stagename/${stagename}",
      "effect": "allow"
    }
  ]
}
```
After the configuration is completed, the sub-account will have the permission to manipulate serverless applications only under `${appname}` and `${stagename}`.
`SLS_QcsRole` role

A sub-account needs to be authorized by the root account to call the `SLS_QcsRole` role.

`uin` (account ID):
```json
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "cam:PassRole"
      ],
      "resource": [
        "qcs::cam::uin/${enter the account's uin}:roleName/SLS_QcsRole"
      ],
      "effect": "allow"
    },
    {
      "resource": [
        "*"
      ],
      "action": [
        "name/sts:AssumeRole"
      ],
      "effect": "allow"
    }
  ]
}
```
`SLS_QcsRole`. In addition to the permission to call the `SLS_QcsRole` role, you can also grant the sub-account the permission to call a custom role and control the sub-account permissions with refined permission policies in the custom role. For more information, please see Configuring Role for Specified Operation.
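To compare the scope of the three policy documents above before attaching them to a sub-account, the following added example (not Tencent Cloud tooling; `lint_policy` and its issue labels are hypothetical) reports every `allow` statement whose resource is `*` and every resource that still contains a `${...}` template placeholder. The `uin`, application name and stage name in the sample data are constructed.

```python
import json
import re

PLACEHOLDER = re.compile(r"\$\{[^}]*\}")

def as_list(value):
    """The policies on this page write 'resource' both as a string and as a list."""
    return [value] if isinstance(value, str) else list(value)

def lint_policy(policy_text):
    """Return sorted (issue, action, resource) tuples for one CAM policy document."""
    findings = set()
    for stmt in json.loads(policy_text).get("statement", []):
        if stmt.get("effect") != "allow":
            continue
        for resource in as_list(stmt.get("resource", [])):
            for action in as_list(stmt.get("action", [])):
                if resource == "*":
                    findings.add(("wildcard-resource", action, resource))
                if PLACEHOLDER.search(resource):
                    findings.add(("unfilled-placeholder", action, resource))
    return sorted(findings)

# Policies from this page, compacted onto fewer lines.
FULL_ACCESS = '{"version":"2.0","statement":[{"action":["sls:*"],"resource":"*","effect":"allow"}]}'
SCOPED_TEMPLATE = (
    '{"version":"2.0","statement":[{"action":["sls:*"],'
    '"resource":"qcs::sls:ap-guangzhou::appname/${appname}/stagename/${stagename}",'
    '"effect":"allow"}]}')
# Constructed values: "demo-app", "dev" and the uin 100000000001 are placeholders.
SCOPED_FILLED = SCOPED_TEMPLATE.replace("${appname}", "demo-app").replace("${stagename}", "dev")
ROLE_CALL = (
    '{"version":"2.0","statement":['
    '{"action":["cam:PassRole"],'
    '"resource":["qcs::cam::uin/100000000001:roleName/SLS_QcsRole"],"effect":"allow"},'
    '{"resource":["*"],"action":["name/sts:AssumeRole"],"effect":"allow"}]}')

if __name__ == "__main__":
    for name in ("FULL_ACCESS", "SCOPED_TEMPLATE", "SCOPED_FILLED", "ROLE_CALL"):
        print(name, lint_policy(globals()[name]))
```

Only the filled-in scoped policy comes back clean; in the role-call policy, `cam:PassRole` is limited to `SLS_QcsRole` while the `name/sts:AssumeRole` statement applies to `*`.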
Policy | Description |
---|---|
QcloudCOSFullAccess | Full access to COS |
QcloudSCFFullAccess | Full access to SCF |
QcloudSSLFullAccess | Full access to SSL Certificate Service |
QcloudTCBFullAccess | Full access to TCB |
QcloudAPIGWFullAccess | Full access to API Gateway |
QcloudVPCFullAccess | Full access to VPC |
QcloudMonitorFullAccess | Full access to Cloud Monitor |
QcloudSLSFullAccess | Full access to SLS (Serverless Framework) |
QcloudCDNFullAccess | Full access to CDN |
QcloudCKafkaFullAccess | Full access to CKafka |
QcloudCodingFullAccess | Full access to CODING DevOps |
QcloudPostgreSQLFullAccess | Full access to TencentDB for PostgreSQL |
QcloudAccessForSLSRole | This policy can be associated with the Serverless Framework (SLS) service role (SLS_QCSRole) for SLS' quick experience feature to access other Tencent Cloud service resources. It contains permissions of CAM-related operations. |
Note:
The full access to SLS (Serverless Framework) is a new permission added to the new version of Serverless Framework. If you use the key on a legacy version for deployment and want to switch to the new version, you need to delete the key and log in again.