Configuring Agency Permissions¶
Overview¶
FunctionGraph works with other cloud services in most scenarios. Create a cloud service agency so that FunctionGraph can perform resource O&M in other cloud services on your behalf.
Scenario¶
Before using FunctionGraph in the following scenarios, create an agency. Adjust the permissions granted to the agency to meet your service requirements. For example, grant the Admin permission in the development phase, and change it to the fine-grained minimum permission in the product environment. This ensures the required permissions while eliminating risks. Select the required action by referring to Table 1.
Scenario | Admin Permission | Fine-Grained Minimum Permission | Description |
---|---|---|---|
Using a custom image | SWR Admin | Unavailable | SWR Admin: administrator who has all permissions for the SoftWare Repository for Container (SWR) service. For details about how to create a custom image, see Deploying a Function Using a Container Image. |
Mounting an SFS Turbo file system | SFS Administrator or Tenant administrator | sfsturbo:shares:getShare (Query details about a file system) | SFS Administrator: administrator who has all permissions for the Scalable File Service (SFS) service. Tenant administrator: administrator for all cloud services except IAM. This user can perform any operations on all cloud resources of the enterprise. sfsturbo:shares:getShare: permission for querying a file system in SFS. For details about how to mount an SFS Turbo file system, see Mounting an SFS Turbo File System. |
Mounting an ECS shared directory | Tenant Guest and VPC Administrator | ecs:cloudServers:get (Query details about an ECS) | Tenant Guest: user with read-only permissions for all cloud services (except IAM) VPC Administrator: network administrator ecs:cloudServers:get: permission for querying an ECS. For details about how to mount an ECS shared directory, see Mounting an ECS Shared Directory. |
Using a DIS trigger | DIS Administrator | Unavailable | Administrator who has all permissions for the DIS service. For details about how to create a DIS trigger, see Using a DIS Trigger. |
Configuring cross-domain VPC access | VPC Administrator | vpc:ports:delete (Delete a port) vpc:ports:get (Query a port) vpc:ports:create (Create a port) vpc:vpcs:get (Query a VPC) vpc:subnets:get (Query a subnet) | Users with the VPC Administrator permissions can perform any operations on all cloud resources of the VPC. To configure cross-VPC access, specify an agency with VPC management permissions. Fine-grained minimum permission for VPC: permission for deleting, querying, or creating a port, or querying a VPC or subnet. For details about how to configure cross-domain VPC access, see Configuring the Network. |
Creating an OBS bucket and trigger | Tenant Administrator | obs:bucket:GetBucketLocation (Query a bucket location) obs:bucket:ListAllMyBuckets (Query buckets) obs:bucket:GetBucketNotification (Obtain the event notification configuration of a bucket) obs:bucket:PutBucketNotification (Configure event notifications for a bucket) | Tenant administrator: administrator for all cloud services except IAM. This user can perform any operations on all cloud resources of the enterprise. Fine-grained minimum permission for OBS: permission for querying a bucket location, buckets, or the event notification configuration of a bucket, or configuring event notifications for a bucket. For details about how to create an OBS trigger, see Using an OBS Trigger. |
Creating an Agency¶
Note
In the following example, the Tenant Administrator permission is assigned to FunctionGraph and this setting takes effect only in the authorized regions.
Create an agency by referring to section "Creating an Agency" and set parameters as follows:
Log in to the IAM console.
On the IAM console, choose Agencies from the navigation pane, and click Create Agency in the upper right corner.
Configure the agency.
For Agency Name, enter serverless-trust.
For Agency Type, select Cloud service.
For Cloud Service, select FunctionGraph.
For Validity Period, select Unlimited.
Description: Enter the description.
Click Next. On the displayed page, search for the permissions to be added in the search box on the right and select the permissions. The Tenant Administrator permission is used as an example.
¶ Policy Name
Scenario
Tenant Administrator
Administrator for all cloud services except IAM. This user can perform any operations on all cloud resources of the enterprise.
Click Next and select the scope.
Configuring an Agency¶
In the left navigation pane of the management console, choose Compute > FunctionGraph. On the FunctionGraph console, choose Functions > Function List from the navigation pane.
Click the function to be configured to go to the function details page.
Choose Configuration > Permissions, click Create Agency, and set an agency based on site requirements by referring to 2
-
5.¶ Parameter
Description
Configuration Agency
Select a function that you have created.
Execution Agency
Mandatory if you select Specify an exclusive agency for function execution.
Note
To ensure optimal performance, select Specify an exclusive agency for function execution and set different agencies for function configuration and execution. You can also use no agency or specify the same agency for both purposes. Figure 5 shows the agency options.
Configuration Agency: For example, to create Data Ingestion Service (DIS) triggers, first specify an agency with DIS permissions. If such an agency is not specified or the specified agency does not exist, no DIS triggers can be created.
Execution Agency: This type of agency enables you to obtain a token and AK/SK from the context in the function handler for accessing other cloud services.
Click Save.
Modifying an Agency¶
Modifying an agency: You can modify the permissions, validity period, and description of an agency on the IAM console.
Caution
After an agency is modified, it takes about 10 minutes for the modification (for example, context.getToken) to take effect.
The agency information obtained using the context method is valid for 24 hours. Refresh it before it expires.