腾讯云云函数使用教程 - SCF 策略语法
文档简介:
策略语法:
创建自定义策略流程可参考 CAM 的 创建自定义策略。SCF 的策略语法遵循 CAM 的 语法结构 和 资源描述方式,策略语法以 JSON 格式为基础,所有资源均可采用下述的六段式描述方式,示例如下:
咨询热线:400-826-7010,为您提供专业的售前咨询,让您快速了解云产品,助您轻松上云!
微信咨询
免费试用、价格特惠
策略语法
创建自定义策略流程可参考 CAM 的 创建自定义策略。SCF 的策略语法遵循 CAM 的 语法结构 和 资源描述方式,策略语法以 JSON 格式为基础,所有资源均可采用下述的六段式描述方式,示例如下:
qcs::scf:region:uin/uin—id:namespace/namespace-name/function/function-name
注意
在配置策略语法时,还需要配合使用 monitor 相关的接口以获得账号下的监控信息,使用方法请参考 策略示例。
策略示例
{"version":"2.0","statement":[{"effect":"allow","action":["scf:ListFunctions","scf:GetAccountSettings","monitor:*"],"resource":["*"]},{"effect": "allow","action":["scf:DeleteFunction","scf:CreateFunction","scf:InvokeFunction","scf:UpdateFunction","scf:GetFunctionLogs","scf:SetTrigger","scf:DeleteTrigger","scf:GetFunction","scf:ListVersion"],"resource":["qcs::scf:ap-guangzhou:uin/******:namespace/default/function/Test1","qcs::scf:ap-guangzhou:uin/******:namespace/default/function/Test2"]}]}
操作(action)为需要关联资源的操作时,resource 定义为*,表示关联所有资源。
操作(action)为不需要关联资源的操作时,resource 都需要定义为*。
该示例可以实现子账号拥有主账号下某些函数的操作权限,resource 中的资源描述为主账号下的某个函数。
指定条件
访问策略语言可使您在授予权限时指定条件。例如,限制用户访问来源或限制授权时间等。下面列出了目前支持的条件操作符列表、通用的条件键和示例等信息。
|
条件操作符
|
含义
|
条件名
|
示例
|
|
ip_equal
|
IP 等于
|
qcs:ip
|
{"ip_equal":{"qcs:ip ":"10.121.2.0/24"}}
|
|
ip_not_equal
|
IP 不等于
|
qcs:ip
|
{"ip_not_equal":{"qcs:ip ":["10.121.1.0/24", "10.121.2.0/24"]}}
|
|
date_not_equal
|
时间不等于
|
qcs:current_time
|
{"date_not_equal":{"qcs:current_time":"2016-06-01T00:01:00Z"}}
|
|
date_greater_than
|
时间大于
|
qcs:current_time
|
{"date_greater_than":{"qcs:current_time":"2016-06-01T00:01:00Z"}}
|
|
date_greater_than_equal
|
时间大于等于
|
qcs:current_time
|
{"date_greater_than_equal":{"qcs:current_time":"2016-06-01T00:01:00Z"}}
|
|
date_less_than
|
时间小于
|
qcs:current_time
|
{"date_less_than":{"qcs:current_time":"2016-06-01T 00:01:00Z"}}
|
|
date_less_than_equal
|
时间小于等于
|
qcs:current_time
|
{"date_less_than":{"qcs:current_time":"2016-06-01T 00:01:00Z"}}
|
|
date_less_than_equal
|
时间小于等于
|
qcs:current_time
|
{"date_less_than_equal":{"qcs:current_time":"2016-06-01T00:01:00Z"}}
|
限制来访 IP 为 10.121.2.0/24 网段内。如下所示:
"ip_equal":{"qcs:ip ":"10.121.2.0/24"}
限制来访 IP 为 101.226.\*\*\*.185 和 101.226.\*\*\*.186。如下所示:
"ip_equal": {"qcs:ip": ["101.226.***.185","101.226.***.186"]}
用户策略更新说明
SCF 于2020年4月完善了预设策略权限,针对预设策略 QcloudSCFFullAccess 和 QcloudSCFReadOnlyAccess 完成修改,针对配置角色 SCF_QcsRole 添加了 QcloudAccessForScfRole 策略。详情如下:
预设策略 QcloudSCFFullAccess
当前权限如下:
{"version": "2.0","statement": [{"action": ["scf:*","tag:*","cam:DescribeRoleList","cam:GetRole","cam:ListAttachedRolePolicies","apigw:DescribeServicesStatus","apigw:DescribeService","apigw:DescribeApisStatus","cmqtopic:ListTopicDetail","cmqqueue:ListQueueDetail","cmqtopic:GetSubscriptionAttributes","cmqtopic:GetTopicAttributes","cos:GetService","cos:HeadBucket","cos:HeadObject","vpc:DescribeVpcEx","vpc:DescribeSubnetEx","cls:getTopic","cls:getLogset","cls:listLogset","cls:listTopic","ckafka:List*","ckafka:Describe*","ckafka:ListInstance","monitor:GetMonitorData","monitor:DescribeBasicAlarmList","monitor:DescribeBaseMetrics","monitor:DescribeSortObjectList","monitor:DescribePolicyConditionList","cdb:DescribeDBInstances"],"resource": "*","effect": "allow"}]}
预设策略 QcloudSCFReadOnlyAccess
当前权限如下:
{"version": "2.0","statement": [{"action": ["scf:Get*","scf:List*","ckafka:List*","ckafka:Describe*","monitor:GetMonitorData","monitor:DescribeBasicAlarmList","monitor:DescribeBaseMetrics","monitor:DescribeSortObjectList","cam:GetRole","cam:ListAttachedRolePolicies","vpc:DescribeVpcEx","vpc:DescribeSubnetEx","cls:getLogset","cls:getTopic","cls:listTopic","apigw:DescribeService","cmqtopic:GetTopicAttributes","cmqtopic:GetSubscriptionAttributes","cos:HeadBucket","cos:GetService","cos:GetObject"],"resource": "*","effect": "allow"}]}
预设策略 QcloudAccessForScfRole
当前权限如下:
{"version": "2.0","statement": [{"action": ["cos:GetBucket*","cos:HeadBucket","cos:PutBucket*","apigw:*","cls:*","cos:List*","cos:Get*","cos:Head*","cos:OptionsObject","cmqqueue:*","cmqtopic:*","ckafka:List*","ckafka:Describe*","ckafka:AddRoute","ckafka:CreateRoute"],"resource": "*","effect": "allow"}]}
预设策略 QcloudAccessForScfRole 具备以下功能:
配置 COS 对象存储触发器时,向 Bucket 配置中写入触发配置信息。
读取 COS 对象存储 Bucket 中的触发器配置信息。
在使用 COS 对象存储更新代码时,从 Bucket 完成代码 zip 包的读取操作。
配置 API 网关触发器时,完成 API 网关的服务、API 创建以及服务发布等操作。
配置 Ckafka 触发器时,完成创建消费者操作。
