- Release Notes and Announcements
- User Guide
- Product Introduction
- Purchase Guide
- Getting Started
- User Guide
- Quota Management
- Managing Functions
- Web Function Management
- Log Management
- Concurrence Management
- Trigger Management
- A Custom Domain Name
- Version Management
- Alias Management
- Permission Management
- Managing Monitors and Alarms
- Network Configuration
- Layer Management
- Execution Configuration
- Extended Storage Management
- DNS Caching Configuration
- Resource Managed Mode Management
- Triggers
- Development Guide
- Developer Tools
- Code Development
- Web Framework Development
- Deploying Framework on Command Line
- Quickly Deploying Egg Framework
- Quickly Deploying Express Framework
- Quickly Deploying Flask Framework
- Quickly Deploying Koa Framework
- Quickly Deploying Laravel Framework
- Quickly Deploying Nest.js Framework
- Quickly Deploying Next.js Framework
- Quickly Deploying Nuxt.js Framework
- Quickly Deploying Django Framework
- Practical Tutorial
- Overview
- Solutions with Tencent Cloud Services
- Business Development
- ServerlessFramework Practices
- API Gateway
- TRTC Practices
- COS Practices
- CKafka Practice
- CLS
- CLB Practice
- MPS
- CDN
- CDWPG
- VOD
- SMS
- ES
- Scheduled Task
- Video Processing
- Success Stories
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Trigger APIs
- Function APIs
- CopyFunction
- Invoke
- UpdateFunctionConfiguration
- UpdateFunctionCode
- ListFunctions
- GetFunctionLogs
- GetFunction
- DeleteFunction
- CreateFunction
- PublishVersion
- ListVersionByFunction
- GetFunctionAddress
- DeleteAlias
- UpdateAlias
- ListAliases
- GetAlias
- CreateAlias
- PutTotalConcurrencyConfig
- PutReservedConcurrencyConfig
- PutProvisionedConcurrencyConfig
- GetReservedConcurrencyConfig
- GetProvisionedConcurrencyConfig
- DeleteReservedConcurrencyConfig
- DeleteProvisionedConcurrencyConfig
- UpdateFunctionEventInvokeConfig
- GetFunctionEventInvokeConfig
- InvokeFunction
- GetRequestStatus
- Namespace APIs
- Layer Management APIs
- Async Event Management APIs
- Other APIs
- Function and Layer Status Description
- Data Types
- Error Codes
- SDK Documentation
- FAQs
- Related Agreement
- Contact Us
- Glossary
- Release Notes and Announcements
- User Guide
- Product Introduction
- Purchase Guide
- Getting Started
- User Guide
- Quota Management
- Managing Functions
- Web Function Management
- Log Management
- Concurrence Management
- Trigger Management
- A Custom Domain Name
- Version Management
- Alias Management
- Permission Management
- Managing Monitors and Alarms
- Network Configuration
- Layer Management
- Execution Configuration
- Extended Storage Management
- DNS Caching Configuration
- Resource Managed Mode Management
- Triggers
- Development Guide
- Developer Tools
- Code Development
- Web Framework Development
- Deploying Framework on Command Line
- Quickly Deploying Egg Framework
- Quickly Deploying Express Framework
- Quickly Deploying Flask Framework
- Quickly Deploying Koa Framework
- Quickly Deploying Laravel Framework
- Quickly Deploying Nest.js Framework
- Quickly Deploying Next.js Framework
- Quickly Deploying Nuxt.js Framework
- Quickly Deploying Django Framework
- Practical Tutorial
- Overview
- Solutions with Tencent Cloud Services
- Business Development
- ServerlessFramework Practices
- API Gateway
- TRTC Practices
- COS Practices
- CKafka Practice
- CLS
- CLB Practice
- MPS
- CDN
- CDWPG
- VOD
- SMS
- ES
- Scheduled Task
- Video Processing
- Success Stories
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Trigger APIs
- Function APIs
- CopyFunction
- Invoke
- UpdateFunctionConfiguration
- UpdateFunctionCode
- ListFunctions
- GetFunctionLogs
- GetFunction
- DeleteFunction
- CreateFunction
- PublishVersion
- ListVersionByFunction
- GetFunctionAddress
- DeleteAlias
- UpdateAlias
- ListAliases
- GetAlias
- CreateAlias
- PutTotalConcurrencyConfig
- PutReservedConcurrencyConfig
- PutProvisionedConcurrencyConfig
- GetReservedConcurrencyConfig
- GetProvisionedConcurrencyConfig
- DeleteReservedConcurrencyConfig
- DeleteProvisionedConcurrencyConfig
- UpdateFunctionEventInvokeConfig
- GetFunctionEventInvokeConfig
- InvokeFunction
- GetRequestStatus
- Namespace APIs
- Layer Management APIs
- Async Event Management APIs
- Other APIs
- Function and Layer Status Description
- Data Types
- Error Codes
- SDK Documentation
- FAQs
- Related Agreement
- Contact Us
- Glossary
Policy Syntax
You can create custom policies by using JSON syntax. SCF policies follow the CAM syntax structure and resource description method. You can check Creating Custom Policy for the direction. All resources are described in the six-segment style, as shown in the sample below:
qcs::scf:region:uin/uin—id:namespace/namespace-name/function/function-name
Note:
To configure the policy syntax, you also need to use the monitor APIs to get the monitoring information under the account (See sample policy).
Sample Policies
{"version":"2.0","statement":[{"effect":"allow","action":["scf:ListFunctions","scf:GetAccountSettings","monitor:*"],"resource":["*"]},{"effect": "allow","action":["scf:DeleteFunction","scf:CreateFunction","scf:InvokeFunction","scf:UpdateFunction","scf:GetFunctionLogs","scf:SetTrigger","scf:DeleteTrigger","scf:GetFunction","scf:ListVersion"],"resource":["qcs::scf:ap-guangzhou:uin/******:namespace/default/function/Test1","qcs::scf:ap-guangzhou:uin/******:namespace/default/function/Test2"]}]}
If the
action needs to be associated with a resource, the resource can be defined as *, indicating that all resources are to be associated.If the
action does not need to be associated with a resource, the resource needs to be defined as *.This sample allows the sub-account to have the operation permissions of certain functions under the root account. The resource in
resource is described as a function under the root account.Specifying Conditions
The access policy language allows you to specify conditions when granting permissions, such as limiting the user access source or authorization time. The list below contains supported condition operators as well as general condition keys and examples.
Condition Operator | Description | Condition Name | Example |
ip_equal | IP is equal to | qcs:ip | {"ip_equal":{"qcs:ip ":"10.121.2.0/24"}} |
ip_not_equal | IP is not equal to | qcs:ip | {"ip_not_equal":{"qcs:ip ":["10.121.1.0/24", "10.121.2.0/24"]}} |
date_not_equal | Time is not equal to | qcs:current_time | {"date_not_equal":{"qcs:current_time":"2016-06-01T00:01:00Z"}} |
date_greater_than | Time is later than | qcs:current_time | {"date_greater_than":{"qcs:current_time":"2016-06-01T00:01:00Z"}} |
date_greater_than_equal | Time is later than or equal to | qcs:current_time | {"date_greater_than_equal":{"qcs:current_time":"2016-06-01T00:01:00Z"}} |
date_less_than | Time is earlier than | qcs:current_time | {"date_less_than":{"qcs:current_time":"2016-06-01T 00:01:00Z"}} |
date_less_than_equal | Time is earlier than or equal to | qcs:current_time | {"date_less_than":{"qcs:current_time":"2016-06-01T 00:01:00Z"}} |
date_less_than_equal | Time is earlier than or equal to | qcs:current_time | {"date_less_than_equal":{"qcs:current_time":"2016-06-01T00:01:00Z"}} |
To allow access only by IPs in the
10.121.2.0/24 IP range, use the following syntax:"ip_equal":{"qcs:ip ":"10.121.2.0/24"}
To allow access only by IPs
101.226.\\*\\*\\*.185 and 101.226.\\*\\*\\*.186, use the following syntax:"ip_equal":{"qcs:ip":["101.226.***.185","101.226.***.186"]}
User Policy Update
SCF improved the preset permission policies in April 2020. The preset policies
QcloudSCFFullAccess and QcloudSCFReadOnlyAccess were modified, and the QcloudAccessForScfRole policy was added for the configuration role SCF_QcsRole, as shown below:Preset policy QcloudSCFFullAccess
Current permissions:
{"version": "2.0","statement": [{"action":["scf:*","tag:*","cam:DescribeRoleList","cam:GetRole","cam:ListAttachedRolePolicies","apigw:DescribeServicesStatus","apigw:DescribeService","apigw:DescribeApisStatus","cmqtopic:ListTopicDetail","cmqqueue:ListQueueDetail","cmqtopic:GetSubscriptionAttributes","cmqtopic:GetTopicAttributes","cos:GetService","cos:HeadBucket","cos:HeadObject","vpc:DescribeVpcEx","vpc:DescribeSubnetEx","cls:getTopic","cls:getLogset","cls:listLogset","cls:listTopic","ckafka:List*","ckafka:Describe*","ckafka:ListInstance","monitor:GetMonitorData","monitor:DescribeBasicAlarmList","monitor:DescribeBaseMetrics","monitor:DescribeSortObjectList","monitor:DescribePolicyConditionList","cdb:DescribeDBInstances"],"resource": "*","effect": "allow"}]}
Preset policy QcloudSCFReadOnlyAccess
Current permissions:
{"version": "2.0","statement": [{"action":["scf:Get*","scf:List*","ckafka:List*","ckafka:Describe*","monitor:GetMonitorData","monitor:DescribeBasicAlarmList","monitor:DescribeBaseMetrics","monitor:DescribeSortObjectList","cam:GetRole","cam:ListAttachedRolePolicies","vpc:DescribeVpcEx","vpc:DescribeSubnetEx","cls:getLogset","cls:getTopic","cls:listTopic","apigw:DescribeService","cmqtopic:GetTopicAttributes","cmqtopic:GetSubscriptionAttributes","cos:HeadBucket","cos:GetService","cos:GetObject"],"resource": "*","effect": "allow"}]}
Preset policy QcloudAccessForScfRole
Current permissions:
{"version": "2.0","statement": [{"action":["cos:GetBucket*","cos:HeadBucket","cos:PutBucket*","apigw:*","cls:*","cos:List*","cos:Get*","cos:Head*","cos:OptionsObject","cmqqueue:*","cmqtopic:*","ckafka:List*","ckafka:Describe*","ckafka:AddRoute","ckafka:CreateRoute"],"resource": "*","effect": "allow"}]}
The preset policy
QcloudAccessForScfRole can:Write trigger configuration information to the bucket configuration when a COS trigger is configured.
Read the trigger configuration information from the COS bucket.
Read the code zip package from the bucket when the code is updated through COS.
Create API Gateway services and APIs and publish services if an API Gateway trigger is configured.
Create consumers if a CKafka trigger is configured.
Yes
No
Was this page helpful?