- Release Notes and Announcements
- User Guide
- Product Introduction
- Purchase Guide
- Getting Started
- User Guide
- Quota Management
- Managing Functions
- Web Function Management
- Log Management
- Concurrence Management
- Trigger Management
- A Custom Domain Name
- Version Management
- Alias Management
- Permission Management
- Managing Monitors and Alarms
- Network Configuration
- Layer Management
- Execution Configuration
- Extended Storage Management
- DNS Caching Configuration
- Resource Managed Mode Management
- Triggers
- Development Guide
- Developer Tools
- Code Development
- Web Framework Development
- Deploying Framework on Command Line
- Quickly Deploying Egg Framework
- Quickly Deploying Express Framework
- Quickly Deploying Flask Framework
- Quickly Deploying Koa Framework
- Quickly Deploying Laravel Framework
- Quickly Deploying Nest.js Framework
- Quickly Deploying Next.js Framework
- Quickly Deploying Nuxt.js Framework
- Quickly Deploying Django Framework
- Practical Tutorial
- Overview
- Solutions with Tencent Cloud Services
- Business Development
- ServerlessFramework Practices
- API Gateway
- TRTC Practices
- COS Practices
- CKafka Practice
- CLS
- CLB Practice
- MPS
- CDN
- CDWPG
- VOD
- SMS
- ES
- Scheduled Task
- Video Processing
- Success Stories
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Trigger APIs
- Function APIs
- Invoke
- UpdateFunctionConfiguration
- UpdateFunctionCode
- ListFunctions
- GetFunctionLogs
- GetFunction
- DeleteFunction
- CreateFunction
- CopyFunction
- PublishVersion
- ListVersionByFunction
- GetFunctionAddress
- DeleteAlias
- UpdateAlias
- ListAliases
- GetAlias
- CreateAlias
- PutTotalConcurrencyConfig
- PutReservedConcurrencyConfig
- PutProvisionedConcurrencyConfig
- GetReservedConcurrencyConfig
- GetProvisionedConcurrencyConfig
- DeleteReservedConcurrencyConfig
- DeleteProvisionedConcurrencyConfig
- UpdateFunctionEventInvokeConfig
- GetFunctionEventInvokeConfig
- InvokeFunction
- GetRequestStatus
- Namespace APIs
- Layer Management APIs
- Async Event Management APIs
- Other APIs
- Data Types
- Error Codes
- Function and Layer Status Description
- SDK Documentation
- FAQs
- Related Agreement
- Contact Us
- Glossary
- Release Notes and Announcements
- User Guide
- Product Introduction
- Purchase Guide
- Getting Started
- User Guide
- Quota Management
- Managing Functions
- Web Function Management
- Log Management
- Concurrence Management
- Trigger Management
- A Custom Domain Name
- Version Management
- Alias Management
- Permission Management
- Managing Monitors and Alarms
- Network Configuration
- Layer Management
- Execution Configuration
- Extended Storage Management
- DNS Caching Configuration
- Resource Managed Mode Management
- Triggers
- Development Guide
- Developer Tools
- Code Development
- Web Framework Development
- Deploying Framework on Command Line
- Quickly Deploying Egg Framework
- Quickly Deploying Express Framework
- Quickly Deploying Flask Framework
- Quickly Deploying Koa Framework
- Quickly Deploying Laravel Framework
- Quickly Deploying Nest.js Framework
- Quickly Deploying Next.js Framework
- Quickly Deploying Nuxt.js Framework
- Quickly Deploying Django Framework
- Practical Tutorial
- Overview
- Solutions with Tencent Cloud Services
- Business Development
- ServerlessFramework Practices
- API Gateway
- TRTC Practices
- COS Practices
- CKafka Practice
- CLS
- CLB Practice
- MPS
- CDN
- CDWPG
- VOD
- SMS
- ES
- Scheduled Task
- Video Processing
- Success Stories
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Trigger APIs
- Function APIs
- Invoke
- UpdateFunctionConfiguration
- UpdateFunctionCode
- ListFunctions
- GetFunctionLogs
- GetFunction
- DeleteFunction
- CreateFunction
- CopyFunction
- PublishVersion
- ListVersionByFunction
- GetFunctionAddress
- DeleteAlias
- UpdateAlias
- ListAliases
- GetAlias
- CreateAlias
- PutTotalConcurrencyConfig
- PutReservedConcurrencyConfig
- PutProvisionedConcurrencyConfig
- GetReservedConcurrencyConfig
- GetProvisionedConcurrencyConfig
- DeleteReservedConcurrencyConfig
- DeleteProvisionedConcurrencyConfig
- UpdateFunctionEventInvokeConfig
- GetFunctionEventInvokeConfig
- InvokeFunction
- GetRequestStatus
- Namespace APIs
- Layer Management APIs
- Async Event Management APIs
- Other APIs
- Data Types
- Error Codes
- Function and Layer Status Description
- SDK Documentation
- FAQs
- Related Agreement
- Contact Us
- Glossary
Operation Scenarios
Role is a virtual identity with a set of permissions provided by CAM, which is mainly used to grant access permissions of services, operations, and resources in Tencent Cloud to role entities. After these permissions are added to a role, the role can be configured to Tencent Cloud services, allowing the services to perform operations on authorized resources on your behalf.
When creating an SCF function, you may need the permissions to manipulate other Tencent Cloud services. Examples include COS permissions to create and delete COS triggers, API Gateway permissions to create and delete API Gateway triggers, and COS permissions to read zipped code packages.
Role Details
- Role name:
SCF_QcsRole - Role entity:
service-scf.qcloud.com - Role description: default configuration role of SCF. This service role is used to grant the SCF configuration the permissions to connect with other resources in the cloud, including but not limited to code file access and trigger configuration. The preset policy of the configuration role can support basic operations of function execution.
- Role policy: this role has the
QcloudAccessForScfRolepolicy that can:- Write trigger configuration information to the bucket configuration if a COS trigger is configured.
- Read the trigger configuration information from the COS bucket.
- Read the code zip package from the bucket when the code is updated through COS.
- Create API Gateway services and APIs and publish services if an API Gateway trigger is configured.
You can log in to the CAM Console to view and modify the policy associated with the current configuration role
SCF_QcsRole; however, modifying the associated policy of the role may cause SCF to fail; therefore, you are not recommended to modify it.
Directions
The SCF_QcsRole role is used to grant SCF the permissions to read and manipulate user resources during configuration. If you receive an error for missing role or permission when managing functions (such as using TCCLI or VS Code plugin to update function code), you need to configure the SCF_QcsRole role.
If you are currently a sub-user/collaborator, authorization should be performed by the root account in the following steps. After the authorization is completed, both the root account and sub-user can log in and use the SCF service.
- If you are using SCF for the first time, you will be prompted for service authorization when you open the SCF Console as shown below:
- Select Go to CAM to enter the "Role Management" page and click Agree to Authorize to confirm the authorization as shown below:
- After the authorization is confirmed, the role
SCF_QcsRolewill be automatically created for you as shown below:
Appendix
Notes on user policy update
SCF improved the preset permission policies in April 2020. The preset policies QcloudSCFFullAccess and QcloudSCFReadOnlyAccess were modified, and the QcloudAccessForScfRole policy was added for the configuration role SCF_QcsRole as shown below:
- Currently, the preset policy
QcloudSCFFullAccesshas the following permissions:{ "version":"2.0", "statement":[ { "action":[ "scf:*", "tag:*", "cam:DescribeRoleList", "cam:GetRole", "cam:ListAttachedRolePolicies", "apigw:DescribeServicesStatus", "apigw:DescribeService", "apigw:DescribeApisStatus", "cmqtopic:ListTopicDetail", "cmqqueue:ListQueueDetail", "cmqtopic:GetSubscriptionAttributes", "cmqtopic:GetTopicAttributes", "cos:GetService", "cos:HeadBucket", "cos:HeadObject", "vpc:DescribeVpcEx", "vpc:DescribeSubnetEx", "cls:getTopic", "cls:getLogset", "cls:listLogset", "cls:listTopic", "ckafka:List*", "ckafka:Describe*", "monitor:GetMonitorData", "monitor:DescribeBasicAlarmList", "monitor:DescribeBaseMetrics", "monitor:DescribeSortObjectList", "monitor:DescribePolicyConditionList", "cdb:DescribeDBInstances" ], "resource":"*", "effect":"allow" } ] } - Currently, the preset policy
QcloudSCFReadOnlyAccesshas the following permissions:{ "version": "2.0", "statement": [ { "action": [ "scf:Get*", "scf:List*", "ckafka:List*", "ckafka:Describe*", "monitor:GetMonitorData", "monitor:DescribeBasicAlarmList", "monitor:DescribeBaseMetrics", "monitor:DescribeSortObjectList", "cam:GetRole", "cam:ListAttachedRolePolicies", "vpc:DescribeVpcEx", "vpc:DescribeSubnetEx", "cls:getLogset", "cls:getTopic", "cls:listTopic", "apigw:DescribeService", "cmqtopic:GetTopicAttributes", "cmqtopic:GetSubscriptionAttributes", "cos:HeadBucket", "cos:GetService", "cos:GetObject" ], "resource": "*", "effect": "allow" } ] } - Currently, the preset policy
QcloudAccessForScfRolehas the following permissions:{ "version": "2.0", "statement": [ { "action": [ "ckafka:List*", "ckafka:Describe*", "ckafka:AddRoute", "ckafka:CreateRoute", "apigw:ReleaseService", "apigw:CreateService", "apigw:CreateApi", "apigw:DeleteApi", "cls:*", "cos:List*", "cos:Get*", "cos:Head*", "cos:PutBucket", "cos:OptionsObject", "cmqqueue:*", "cmqtopic:*" ], "resource": "*", "effect": "allow" } ] }QcloudAccessForScfRolecan:- Write trigger configuration information to the bucket configuration if a COS trigger is configured.
- Read the trigger configuration information from the COS bucket.
- Read the code zip package from the bucket when the code is updated through COS.
- Create API Gateway services and APIs and publish services if an API Gateway trigger is configured.
- Create consumers if a CKafka trigger is configured.
Yes
No
Was this page helpful?