title | description | position | category |
---|---|---|---|
service field | service field | 2 | Yaml-Spec |

Parameter Name | Required | Type | Parameter Description |
---|---|---|---|
name | True | String | service name |
description | False | String | A short description of the Service |
internetAccess | False | Boolean | Set to true to allow the function to access the public network |
tracingConfig | False | String | Link tracing, available values: Enable, Disable |
role | False | String[Simple configuration]/Struct[Detailed configuration] | The RAM role that grants the permissions required by Function Compute. Usage scenarios include: 1. sending the logs generated by the function to the user's logstore; 2. generating a token for the function to access other cloud resources during execution |
logConfig | False | Enum[simple configuration]/Struct[detailed configuration] | Log configuration; the logs generated by the function are written to the logstore configured here |
vpcConfig | False | Enum[simple configuration]/Struct[detailed configuration] | VPC configuration, after configuration, the function can access the specified VPC |
nasConfig | False | Enum[simple configuration]/Struct[detailed configuration] | NAS configuration, after configuration, the function can access the specified NAS |
vpcBinding | False | List<String> | Allow only the specified VPCs to access the function |

```yaml
service:
  name: unit-deploy-service
  description: 'demo for fc-deploy component'
  internetAccess: true
```

System Policy: AliyunFCFullAccess

Custom Policy

`fc:GetService` is optional by default.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": "fc:CreateService",
      "Resource": "acs:fc:<region>:<account-id>:services/*",
      "Effect": "Allow"
    },
    {
      "Action": "fc:UpdateService",
      "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>",
      "Effect": "Allow"
    },
    {
      "Action": "fc:GetService",
      "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>",
      "Effect": "Allow"
    }
  ]
}
```

Custom Policy

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": "fc:DeleteService",
      "Resource": "acs:fc:<region>:<account-id>:services/<serviceName>",
      "Effect": "Allow"
    }
  ]
}
```

When the `role` parameter is a string, it can be: `acs:ram::xxx:role/AliyunFcDefaultRole`

When the `role` parameter is a structure, you can refer to:

Parameter Name | Required | Type | Parameter Description |
---|---|---|---|
name | True | String | Role name |
policies | True | List<Struct> | list of policies |
Examples:

```yaml
role:
  name: roleName
  policies:
    - AliyunOSSFullAccess
    - name: myPolicy
      description: custom policy
      statement:
        - Effect: Allow
          Action:
            - log:ListProject
          Resource:
            - acs:log:*:*:project/*
```

System Policy: `AliyunFCFullAccess`, `AliyunRAMFullAccess`

```json
{
  "Statement": [
    {
      "Action": [
        "ram:PassRole",
        "ram:GetRole",
        "ram:CreateRole",
        "ram:ListPoliciesForRole",
        "ram:AttachPolicyToRole",
        "ram:GetPolicy",
        "ram:CreatePolicy",
        "ram:ListPolicyVersions",
        "ram:CreatePolicyVersion",
        "ram:DeletePolicyVersion"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
```

Here `policies` is a list of policies. When this field is used, the locally configured AK must have permission to create policies and roles. The elements of the list can be strings or `policy` structures, which are described as follows:

Parameter Name | Required | Type | Parameter Description |
---|---|---|---|
name | True | String | Policy name |
description | False | String | Policy description |
statement | True | List<Struct> | Policy content list |

Among them, `statement` represents the list of policy content, and the structure of the elements in the list can be referred to:

Parameter Name | Required | Type | Parameter Description |
---|---|---|---|
Effect | True | String | Policy effect, optional values are 'Allow' and 'Deny' |
Action | True | List<String> | Policy Action |
Resource | True | String/List<String> | Policy's target resource |
Condition | False | Object | Condition of the policy |
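
The statement structure above accepts `Action` and `Resource` as a string or a list, and several policies on this page grant RAM actions on `Resource: "*"`. The following Python check is an added example (not part of the fc component or the original page) that normalizes both forms and reports `Allow` statements on the bare wildcard; the `SENSITIVE` set, the severity labels and the sample account ID are assumptions of this example.

```python
# Added example (not from the fc component): flag Allow statements on Resource "*".
# SENSITIVE is this example's own choice of RAM actions that create roles or
# policies, or hand a role to a service.
SENSITIVE = {"ram:PassRole", "ram:CreateRole", "ram:AttachPolicyToRole",
             "ram:CreatePolicy", "ram:CreatePolicyVersion"}

def as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value or [])

def audit(policy):
    """Return (statement index, severity, actions) for Allow statements on '*'."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "*" not in as_list(stmt.get("Resource")):
            continue  # scoped ARNs such as services/<serviceName> pass
        actions = as_list(stmt.get("Action"))
        risky = sorted(a for a in actions if a in SENSITIVE or a.endswith("*"))
        if risky and not stmt.get("Condition"):
            findings.append((i, "HIGH", risky))
        else:
            # No role/policy-write action, or a Condition narrows the grant.
            findings.append((i, "MEDIUM", risky or sorted(actions)))
    return findings

# The policy this page lists for the struct form of `role`.
ROLE_STRUCT_POLICY = {"Version": "1", "Statement": [{
    "Action": ["ram:PassRole", "ram:GetRole", "ram:CreateRole",
               "ram:ListPoliciesForRole", "ram:AttachPolicyToRole",
               "ram:GetPolicy", "ram:CreatePolicy", "ram:ListPolicyVersions",
               "ram:CreatePolicyVersion", "ram:DeletePolicyVersion"],
    "Effect": "Allow", "Resource": "*"}]}

# Constructed sample: statement shapes seen on this page plus a Deny; the region
# and account ID are made up.
SAMPLE = {"Version": "1", "Statement": [
    {"Action": "ram:PassRole", "Effect": "Allow", "Resource": "*"},
    {"Action": "fc:GetService", "Effect": "Allow",
     "Resource": "acs:fc:cn-hangzhou:123456789:services/unit-deploy-service"},
    {"Action": ["vpc:CreateVpc", "vpc:CreateVSwitch"], "Effect": "Allow",
     "Resource": "*"},
    {"Action": "ram:CreateRole", "Effect": "Deny", "Resource": "*"}]}

if __name__ == "__main__":
    for name, doc in (("role struct", ROLE_STRUCT_POLICY), ("sample", SAMPLE)):
        for idx, sev, acts in audit(doc):
            print(f"{name}: statement {idx} [{sev}] {', '.join(acts)} on '*'")
```
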
When the `logConfig` parameter is a simple configuration, it can be: `auto`

When the `logConfig` parameter is a structure, you can refer to:

Parameter Name | Required | Type | Parameter Description |
---|---|---|---|
logstore | False | String | logstore name in loghub |
project | False | String | project name in loghub |
enableRequestMetrics | False | Boolean | RequestMetrics switch, value `true`/`false` |
enableInstanceMetrics | False | Boolean | InstanceMetrics switch, value `true`/`false` |
logBeginRule | False | String | Whether the log is split, the value is `DefaultRegex`/`None` |

Examples:

```yaml
service:
  name: unit-deploy-service
  description: 'demo for fc-deploy component'
  internetAccess: true
  role: <role-arn> # the role is already configured; for its contents, see the service role permissions
  # logConfig: auto
  logConfig:
    project: XXX
    logstore: XXX
```

When `logConfig` is `auto`, the project name is generated by the rule `{accountID}-{region}-logproject` and the logstore name by the rule `'fc-service-{serviceName}-logstore'.toLocaleLowerCase()`.

System policy: `AliyunFCFullAccess`, `AliyunLogFullAccess`

- when `logConfig` is not `auto`

Custom Policy

```json
{
  "Statement": [
    {
      "Action": "ram:PassRole",
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
```

- when `logConfig` is `auto`

Custom Policy

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": "ram:PassRole",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "log:GetProject",
        "log:CreateProject"
      ],
      "Resource": "acs:log:<region>:<account-id>:project/<project-name>",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:CreateLogStore",
        "log:GetIndex",
        "log:GetLogStore",
        "log:CreateIndex"
      ],
      "Resource": "acs:log:<region>:<account-id>:project/<project-name>/logstore/<logstore-name>",
      "Effect": "Allow"
    }
  ]
}
```

System Policy: AliyunLogFullAccess
Custom Policy

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": "log:PostLogStoreLogs",
      "Resource": "acs:log:<region>:<account-id>:project/<projectName>/logstore/<logstoreName>",
      "Effect": "Allow"
    }
  ]
}
```

When the `vpcConfig` parameter is a simple configuration, it can be: `auto`

When the `vpcConfig` parameter is a structure, you can refer to:

Parameter Name | Required | Type | Parameter Description |
---|---|---|---|
securityGroupId | False | String | Security Group ID |
vSwitchIds | False | List<String> | List of switch IDs |
vpcId | False | String | VPC ID |
Examples:

```yaml
service:
  name: unit-deploy-service
  description: 'demo for fc-deploy component'
  internetAccess: true
  role: <role-arn> # the role is already configured; for its contents, see the service role permissions
  # vpcConfig: auto
  vpcConfig:
    vpcId: xxx
    securityGroupId: xxx
    vswitchIds:
      - vsw-xxx
```

System Policy: `AliyunFCFullAccess`, `AliyunVPCFullAccess`, `AliyunECSFullAccess`

Deployment minimum permissions <[Service permissions reference](#Permissions required by sub-accounts)>

- when `vpcConfig` is not `auto`

Custom Policy

```json
{
  "Statement": [
    {
      "Action": "ram:PassRole",
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
```

- when `vpcConfig` is `auto`

System Policy: AliyunVPCReadOnlyAccess

Custom Policy

```json
{
  "Statement": [
    {
      "Action": "ram:PassRole",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "fc:GetAccountSettings",
      "Effect": "Allow",
      "Resource": "acs:fc:<region>:<account-id>:account-settings"
    },
    {
      "Action": [
        "vpc:CreateVpc",
        "vpc:CreateVSwitch",
        "ecs:AuthorizeSecurityGroup",
        "ecs:DescribeSecurityGroups",
        "ecs:CreateSecurityGroup"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
```

System Policy: AliyunECSNetworkInterfaceManagementAccess
When the `nasConfig` parameter is a simple configuration, it can be: `auto`

When the `nasConfig` parameter is a structure, you can refer to:

Parameter Name | Required | Type | Parameter Description |
---|---|---|---|
mountPoints | False | List<Struct>[Multiple Directory Configuration] | Directory Configuration |
userId | False | String | userID, default is 10003 |
groupId | False | String | groupID, default is 10003 |

Examples:

```yaml
service:
  name: unit-deploy-service
  description: 'demo for fc-deploy component'
  internetAccess: true
  role: <role-arn> # the role is already configured; for its contents, see the service role permissions
  vpcConfig:
    vpcId: xxx
    securityGroupId: xxx
    vswitchIds:
      - vsw-xxx
  nasConfig:
    userId: 10003
    groupId: 10003
    mountPoints:
      - serverAddr: xxx-xxx.cn-shenzhen.nas.aliyuncs.com
        nasDir: /unit-deploy-service
        fcDir: /mnt/auto
```

System Policy: `AliyunFCFullAccess`, `AliyunVPCFullAccess`, `AliyunNasFullAccess`

- when `nasConfig` is not `auto`

Custom Policy

```json
{
  "Statement": [
    {
      "Action": "ram:PassRole",
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
```

- when `nasConfig` is `auto`

System Policy: AliyunNasReadOnlyAccess

Custom Policy

```json
{
  "Statement": [
    {
      "Action": "fc:GetAccountSettings",
      "Effect": "Allow",
      "Resource": "acs:fc:<region>:<account-id>:account-settings"
    },
    {
      "Action": [
        "fc:UpdateService",
        "fc:CreateService"
      ],
      "Effect": "Allow",
      "Resource": "acs:fc:<region>:<account-id>:services/*"
    },
    {
      "Action": [
        "fc:InvokeFunction",
        "fc:CreateFunction",
        "fc:UpdateFunction"
      ],
      "Effect": "Allow",
      "Resource": "acs:fc:<region>:<account-id>:services/*/functions/*"
    },
    {
      "Action": [
        "fc:UpdateTrigger",
        "fc:CreateTrigger"
      ],
      "Effect": "Allow",
      "Resource": "acs:fc:<region>:<account-id>:services/*/functions/*/triggers/*"
    },
    {
      "Action": "ram:PassRole",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "nas:CreateMountTarget",
        "nas:DescribeMountTargets",
        "nas:DescribeFileSystems",
        "nas:CreateFileSystem",
        "vpc:DescribeVSwitchAttributes"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
```

System Policy: AliyunECSNetworkInterfaceManagementAccess
Parameter Name | Required | Type | Parameter Description |
---|---|---|---|
serverAddr | False | String | NAS server address |
nasDir | False | String | NAS directory |
fcDir | False | String | Function Compute directory |

Link tracing, possible values: `Enable`, `Disable`

Examples

```yaml
service:
  name: unit-deploy-service
  description: 'demo for fc-deploy component'
  internetAccess: true
  tracingConfig: Enable
```

System policy: `AliyunFCFullAccess`, `AliyunTracingAnalysisReadOnlyAccess`

```json
{
  "Statement": [
    {
      "Action": "ram:PassRole",
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
```