Configuring Agency Permissions

Overview

FunctionGraph works with other cloud services in most scenarios. Create a cloud service agency so that FunctionGraph can perform resource O&M in other cloud services on your behalf.

Scenario

Before using FunctionGraph in the following scenarios, create an agency. Adjust the permissions granted to the agency to match your service requirements. For example, grant the Admin permission in the development phase, then replace it with the fine-grained minimum permission in the production environment. This gives the function the permissions it needs while reducing the impact of a compromised or misused function. Select the required actions by referring to Table 1.

Table 1 Common actions

Using a custom image
  • Admin permission: SWR Admin
  • Fine-grained minimum permission: Unavailable (no fine-grained alternative)
  • Description: SWR Admin is the administrator role with all permissions for the SoftWare Repository for Container (SWR) service. For details about how to create a custom image, see Deploying a Function Using a Container Image.

Mounting an SFS Turbo file system
  • Admin permission: SFS Administrator or Tenant Administrator
  • Fine-grained minimum permission: sfsturbo:shares:getShare (Query details about a file system)
  • Description: SFS Administrator is the administrator role with all permissions for the Scalable File Service (SFS). Tenant Administrator is the administrator for all cloud services except IAM and can perform any operation on all cloud resources of the enterprise. sfsturbo:shares:getShare grants only the permission to query a file system in SFS. For details about how to mount an SFS Turbo file system, see Mounting an SFS Turbo File System.

Mounting an ECS shared directory
  • Admin permission: Tenant Guest and VPC Administrator
  • Fine-grained minimum permission: ecs:cloudServers:get (Query details about an ECS)
  • Description: Tenant Guest is a read-only role for all cloud services except IAM. VPC Administrator is the network administrator role. ecs:cloudServers:get grants only the permission to query an ECS. For details about how to mount an ECS shared directory, see Mounting an ECS Shared Directory.

Using a DIS trigger
  • Admin permission: DIS Administrator
  • Fine-grained minimum permission: Unavailable (no fine-grained alternative)
  • Description: DIS Administrator is the administrator role with all permissions for the Data Ingestion Service (DIS). For details about how to create a DIS trigger, see Using a DIS Trigger.

Configuring cross-domain VPC access
  • Admin permission: VPC Administrator
  • Fine-grained minimum permission: vpc:ports:delete (Delete a port), vpc:ports:get (Query a port), vpc:ports:create (Create a port), vpc:vpcs:get (Query a VPC), vpc:subnets:get (Query a subnet)
  • Description: Users with VPC Administrator permissions can perform any operation on all VPC resources. To configure cross-VPC access, specify an agency with VPC management permissions. The fine-grained minimum permission for VPC allows only deleting, querying, or creating a port and querying a VPC or subnet. For details about how to configure cross-domain VPC access, see Configuring the Network.

Creating an OBS bucket and trigger
  • Admin permission: Tenant Administrator
  • Fine-grained minimum permission: obs:bucket:GetBucketLocation (Query a bucket location), obs:bucket:ListAllMyBuckets (Query buckets), obs:bucket:GetBucketNotification (Obtain the event notification configuration of a bucket), obs:bucket:PutBucketNotification (Configure event notifications for a bucket)
  • Description: Tenant Administrator is the administrator for all cloud services except IAM and can perform any operation on all cloud resources of the enterprise. The fine-grained minimum permission for OBS allows only querying a bucket location, listing buckets, and reading or configuring the event notification configuration of a bucket. For details about how to create an OBS trigger, see Using an OBS Trigger.
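The following Python module is an added example, not part of the FunctionGraph documentation. It turns the fine-grained minimum permissions from Table 1 into a custom policy document and audits an existing grant against a scenario's needs, so the development-phase Admin grant described above can be checked before it reaches production. The IAM custom-policy JSON layout used here ("Version": "1.1", "Statement" with "Effect" and "Action") is an assumption of the example; the action names and the scenario keys are taken from Table 1, and the dev_policy shown is constructed.

```python
"""Least-privilege agency policies for the FunctionGraph scenarios in Table 1.

Added example (not from the FunctionGraph documentation). It assumes the IAM
custom-policy JSON layout ("Version": "1.1", "Statement" with "Effect" and
"Action"); the action names are the fine-grained minimum permissions from Table 1.
"""
import json
from fnmatch import fnmatchcase

# Fine-grained minimum actions per scenario, as listed in Table 1.
SCENARIO_ACTIONS = {
    "obs_trigger": [
        "obs:bucket:GetBucketLocation",
        "obs:bucket:ListAllMyBuckets",
        "obs:bucket:GetBucketNotification",
        "obs:bucket:PutBucketNotification",
    ],
    "cross_vpc_access": [
        "vpc:ports:delete",
        "vpc:ports:get",
        "vpc:ports:create",
        "vpc:vpcs:get",
        "vpc:subnets:get",
    ],
    "sfs_turbo_mount": ["sfsturbo:shares:getShare"],
    "ecs_shared_directory": ["ecs:cloudServers:get"],
}


def minimum_policy(*scenarios):
    """Custom policy that allows exactly the actions the given scenarios need."""
    actions = sorted({a for s in scenarios for a in SCENARIO_ACTIONS[s]})
    return {"Version": "1.1", "Statement": [{"Effect": "Allow", "Action": actions}]}


def allowed_actions(policy):
    """Set of actions allowed by a policy document (wildcards kept verbatim)."""
    return {
        action
        for stmt in policy.get("Statement", [])
        if stmt.get("Effect") == "Allow"
        for action in stmt.get("Action", [])
    }


def _covers(granted, action):
    """True if any granted pattern (e.g. 'obs:*:*') matches the concrete action."""
    return any(fnmatchcase(action, pattern) for pattern in granted)


def audit(policy, *scenarios):
    """Compare a granted policy with a scenario's needs.

    Returns the required actions that are not covered ('missing'), wildcard grants
    that are broader than any single action ('wildcards'), and concrete grants the
    scenario never uses ('excess'). A production agency should report three empty lists.
    """
    required = {a for s in scenarios for a in SCENARIO_ACTIONS[s]}
    granted = allowed_actions(policy)
    return {
        "missing": sorted(a for a in required if not _covers(granted, a)),
        "wildcards": sorted(g for g in granted if "*" in g),
        "excess": sorted(g for g in granted if "*" not in g and g not in required),
    }


if __name__ == "__main__":
    # Development-phase grant with a broad wildcard (constructed example).
    dev_policy = {"Version": "1.1", "Statement": [{"Effect": "Allow", "Action": ["obs:*:*"]}]}
    print("dev audit:", audit(dev_policy, "obs_trigger"))
    # Production grant derived from Table 1.
    prod_policy = minimum_policy("obs_trigger")
    print(json.dumps(prod_policy, indent=2))
    print("prod audit:", audit(prod_policy, "obs_trigger"))
```

Run the module to see the dev grant flagged for its wildcard while the Table 1 policy audits clean; paste the printed JSON into the custom policy attached to the agency. The wildcard check matters because a pattern such as obs:*:* covers every required action and therefore never shows up as "missing", yet it is exactly the over-grant the production environment should not carry.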

Creating an Agency

Note

In the following example, the Tenant Administrator permission is assigned to FunctionGraph to keep the procedure short, and the assignment takes effect only in the authorized regions. For a production function, replace it with the fine-grained minimum permissions for your scenario from Table 1.

Create an agency on the IAM console and set the parameters as follows:

  1. Log in to the IAM console.

  2. On the IAM console, choose Agencies from the navigation pane, and click Create Agency in the upper right corner.

    **Figure 1** Creating an agency

  3. Configure the agency.

    **Figure 2** Setting basic information

    • For Agency Name, enter serverless-trust.

    • For Agency Type, select Cloud service.

    • For Cloud Service, select FunctionGraph.

    • For Validity Period, select Unlimited. (Unlimited is used in this example; choose a shorter period if your security policy requires agencies to expire.)

    • For Description, enter a description.

  4. Click Next. On the displayed page, search for the permissions to be added in the search box on the right and select them. The Tenant Administrator permission is used as an example.

    **Figure 3** Selecting policies

    Table 2 Example of agency permissions

    • Policy Name: Tenant Administrator

    • Scenario: Administrator for all cloud services except IAM. This user can perform any operation on all cloud resources of the enterprise.

  5. Click Next and select the authorization scope.

    **Figure 4** Selecting the required permissions

Configuring an Agency

  1. In the left navigation pane of the management console, choose Compute > FunctionGraph. On the FunctionGraph console, choose Functions > Function List from the navigation pane.

  2. Click the function to be configured to go to the function details page.

  3. Choose Configuration > Permissions, click Create Agency, and set the agency parameters as required by referring to steps 2 to 5 in Creating an Agency.

    Table 3 Agency configuration parameters

    • Configuration Agency: Select an agency that you have created.

    • Execution Agency: Mandatory if you select Specify an exclusive agency for function execution.

    Note

    • To ensure optimal performance, select Specify an exclusive agency for function execution and set different agencies for function configuration and execution. Separate agencies also let you scope each one independently: the configuration agency needs only the permissions for managing triggers, and the execution agency only those your handler code uses at run time. You can also use no agency or specify the same agency for both purposes. Figure 5 shows the agency options.

      **Figure 5** Setting agencies

    • Configuration Agency: For example, to create Data Ingestion Service (DIS) triggers, first specify an agency with DIS permissions. If no such agency is specified or the specified agency does not exist, DIS triggers cannot be created.

    • Execution Agency: This agency is the source of the token and AK/SK that the function handler obtains from the context to access other cloud services.

  4. Click Save.

Modifying an Agency

You can modify the permissions, validity period, and description of an agency on the IAM console.

Caution

  • After an agency is modified, the change takes about 10 minutes to become visible to the function, including to credentials obtained through context methods such as context.getToken.

  • Credentials obtained through the context methods are valid for 24 hours. Refresh them before they expire.
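The following Python handler is an added example, not part of the FunctionGraph documentation. It shows how execution-agency credentials read from the context can be reused across warm invocations without running past the 24-hour validity stated in the Caution above: the cache re-reads them with a 30-minute safety margin, refuses to proceed when the context returns no token, and can be invalidated after an agency change so the roughly 10-minute propagation delay is not extended by stale cached values. context.getToken is named on this page; getAccessKey and getSecretKey are assumed method names, and FakeContext is a constructed stand-in so the module runs offline.

```python
"""Reuse execution-agency credentials across warm invocations and refresh them
before the 24-hour validity stated in the Caution above expires.

Added example (not from the FunctionGraph documentation). It assumes the Python
runtime hands the handler a context object with getToken() (named on this page),
getAccessKey() and getSecretKey() (assumed names). FakeContext is a constructed
stand-in so the module runs offline.
"""
import time

VALIDITY_SECONDS = 24 * 60 * 60    # validity of agency credentials per the Caution above
REFRESH_MARGIN_SECONDS = 30 * 60   # refresh this long before expiry, wider than the ~10 min propagation delay


class CredentialCache:
    """Holds credentials read from the context and decides when to re-read them."""

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so the refresh logic can be tested offline
        self._creds = None
        self._obtained_at = 0.0
        self.refresh_count = 0

    def needs_refresh(self):
        if self._creds is None:
            return True
        return self._clock() - self._obtained_at >= VALIDITY_SECONDS - REFRESH_MARGIN_SECONDS

    def get(self, context):
        """Return cached credentials, re-reading them from the context when stale."""
        if self.needs_refresh():
            token = context.getToken()
            if not token:
                # Fail fast instead of calling downstream services unauthenticated.
                raise RuntimeError("context returned no token; check the function's execution agency")
            self._creds = {
                "token": token,
                "ak": context.getAccessKey(),   # assumed method name
                "sk": context.getSecretKey(),   # assumed method name
            }
            self._obtained_at = self._clock()
            self.refresh_count += 1
        return self._creds

    def invalidate(self):
        """Drop cached credentials, e.g. right after the agency's permissions were modified."""
        self._creds = None

    def age_seconds(self):
        return self._clock() - self._obtained_at


_cache = CredentialCache()   # module scope survives warm invocations on the same instance


def handler(event, context):
    """FunctionGraph entry point. Replace the return value with real service calls."""
    before = _cache.refresh_count
    creds = _cache.get(context)
    # Use creds["token"] as the X-Auth-Token header, or creds["ak"]/creds["sk"] for signed requests.
    return {
        "refreshed": _cache.refresh_count > before,
        "credential_age_seconds": int(_cache.age_seconds()),
    }


class FakeContext:
    """Constructed stand-in for the runtime context; issues a new token on every read."""

    def __init__(self, fixed_token=None):
        self.reads = 0
        self._fixed_token = fixed_token

    def getToken(self):
        self.reads += 1
        return self._fixed_token if self._fixed_token is not None else f"token-{self.reads}"

    def getAccessKey(self):
        return "AK-EXAMPLE"

    def getSecretKey(self):
        return "SK-EXAMPLE"
```

Keep the cache (or any service client built from the credentials) at module scope only if it is guarded like this; a client created once at import time and never rebuilt will keep working until the credentials expire and then start failing on every warm invocation. Call invalidate() from an administrative code path, or simply redeploy, after changing the agency so the next invocation picks up the new permissions as soon as they have propagated.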