Updated on 2025-08-19 GMT+08:00

Configuring Agency Permissions

This section describes how to create, configure, and modify agency permissions for functions.

Scenarios

Create an agency to authorize FunctionGraph to access other cloud services, and configure agency permissions for functions.

For details about how to configure agency permissions for common function scenarios, see Common Permissions.

Default Agency

If you do not have any agency in your Huawei Cloud account, FunctionGraph provides you with a default one.

The default agency contains some of the cloud resource permissions required by FunctionGraph, as shown in Table 1. For details about the fine-grained minimum permissions of related services, see Table 4.

Table 1 Default agency permissions

Permission: fgs_default_region_role
Description: Project-level service policy which includes the minimum permission set for Virtual Private Cloud (VPC) and Scalable File Service (SFS).

Permission: fgs_default_global_role
Description: Global service policy which includes the minimum permission set of Identity and Access Management (IAM) and Object Storage Service (OBS).

Permission: SWR Admin
Description: SoftWare Repository for Container (SWR) administrator with full permissions.

Permission: DIS User
Description: Permissions to use Data Ingestion Service (DIS) streams.

The following are the three ways to create a default agency:

After a default agency is created, you will not be prompted to do so again.

Creating a Function Agency

To configure a function to access resources in a VPC, you need to create an agency for FunctionGraph and grant the agency the permission to access VPC.

  1. Log in to the IAM console.
  2. In the navigation pane, choose Agencies and click Create Agency in the upper right corner.

    Figure 4 Creating an agency

  3. Configure agency parameters. After the parameters are configured, as shown in Figure 5, click OK. The system displays a message indicating that the creation is successful. Click Authorize.

    • Agency Name: Enter a name, for example, serverless-trust.
    • Agency Type: Select Cloud service.
    • Cloud Service: Select FunctionGraph.
    • Validity Period: Select Unlimited. You can set this parameter based on service requirements.
    • Description (Optional): Enter a description.
    Figure 5 Setting basic information

  4. On the Select Policy/Role page, search for the required permissions in the search box on the right and select them. The following uses VPC Administrator as an example. Figure 6 shows the details. Click Next.

    Figure 6 Selecting policies
    Table 2 Example of agency permissions

    Policy Name: VPC Administrator
    Scenario: VPC administrator

  5. On the Select Scope page, select Region-specific projects and the required region as shown in Figure 7. Click OK. The authorization success page is displayed.

    Figure 7 Selecting the required permissions

If the default policies do not meet your requirements, you can create custom policies in the visual editor or JSON view, and attach custom policies to user groups for refined access control. For details, see Creating Custom Policies.

Configuring an Agency

  1. Log in to the FunctionGraph console. In the navigation pane, choose Functions > Function List.
  2. Click the function to be configured to go to the function details page.
  3. Choose Configuration > Permissions and configure an agency by referring to Table 3. Click Save.

    Table 3 Agency configuration parameters

    Parameter: Configuration Agency
    Description: Select the created agency from the drop-down list. If no agency is available, click Create Agency on the right to go to the IAM page. For details, see Creating a Function Agency.

    Parameter: Execution Agency
    Description: This parameter is displayed when you select Specify an exclusive agency for function execution as shown in Figure 8. After the configuration, you can obtain the token or SecurityAccessKey, SecuritySecretKey, and SecurityToken with the permissions through the context parameter in the function handler method to access other cloud services. For details about the code example, see 2. The execution agency can be configured independently to ensure clear management of agency permissions.

    Figure 8 Setting agencies

Modifying a Function Agency

To modify the permissions, validity period, and description of an agency, you need to modify the corresponding FunctionGraph agency on the IAM console as shown in Figure 9.

Figure 9 Modifying a function agency

After an agency is modified, it takes about 10 minutes for the change to take effect in the credentials the function obtains (for example, through context.getSecurityToken()). The agency information obtained using the context method is valid for 24 hours. Refresh it before it expires.
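The following is an added example, not code from the FunctionGraph documentation: a Python handler that reads the execution-agency credentials (SecurityAccessKey, SecuritySecretKey, SecurityToken) from the context parameter described in Table 3, keeps them in memory across warm invocations, and refreshes them before the 24-hour validity stated above runs out. The page names only the credential fields and context.getSecurityToken(); the method names getSecurityAccessKey() and getSecuritySecretKey() are assumed to match those field names, and FakeContext is a constructed stand-in so the module runs offline.

```python
"""Added example (not from the FunctionGraph documentation): read the
execution-agency credentials from the handler context, cache them, and
refresh them before the 24-hour validity the page describes ends.

Assumptions: the runtime context exposes getSecurityAccessKey(),
getSecuritySecretKey() and getSecurityToken() (only the last one is named on
the page); FakeContext is a constructed stand-in for local runs.
"""
import time
from dataclasses import dataclass
from typing import Optional

# The page states that agency credentials obtained through the context
# method are valid for 24 hours.
CREDENTIAL_VALIDITY_SECONDS = 24 * 60 * 60
# Refresh this long before expiry so an invocation that starts near the
# deadline never uses credentials that lapse mid-call.
REFRESH_MARGIN_SECONDS = 10 * 60


@dataclass
class AgencyCredentials:
    access_key: str
    secret_key: str
    security_token: str
    obtained_at: float  # epoch seconds when the values were read from context

    def expires_at(self) -> float:
        return self.obtained_at + CREDENTIAL_VALIDITY_SECONDS

    def needs_refresh(self, now: float) -> bool:
        return now >= self.expires_at() - REFRESH_MARGIN_SECONDS


class CredentialCache:
    """Holds credentials in process memory only; they are never logged or
    returned to the caller."""

    def __init__(self) -> None:
        self._creds: Optional[AgencyCredentials] = None
        self.fetch_count = 0  # how many times the context was queried

    def get(self, context, now: Optional[float] = None) -> AgencyCredentials:
        now = time.time() if now is None else now
        if self._creds is None or self._creds.needs_refresh(now):
            ak = context.getSecurityAccessKey()
            sk = context.getSecuritySecretKey()
            token = context.getSecurityToken()
            # Empty values mean no execution agency is attached to the
            # function (Configuration > Permissions); fail loudly rather than
            # call other services without credentials.
            if not (ak and sk and token):
                raise RuntimeError("execution agency credentials missing from context")
            self._creds = AgencyCredentials(ak, sk, token, now)
            self.fetch_count += 1
        return self._creds


_CACHE = CredentialCache()  # module level so warm instances reuse it


def handler(event, context):
    """FunctionGraph entry point: obtain credentials, then call other cloud
    services with them (that call is omitted here). Only non-secret metadata
    is returned to the invoker."""
    creds = _CACHE.get(context)
    return {"statusCode": 200, "body": {"credentials_expire_at": creds.expires_at()}}


class FakeContext:
    """Constructed stand-in for the runtime context, for local runs only."""

    def __init__(self, ak: str, sk: str, token: str) -> None:
        self._ak, self._sk, self._token = ak, sk, token

    def getSecurityAccessKey(self) -> str:
        return self._ak

    def getSecuritySecretKey(self) -> str:
        return self._sk

    def getSecurityToken(self) -> str:
        return self._token


if __name__ == "__main__":
    ctx = FakeContext("AK-constructed", "SK-constructed", "TOKEN-constructed")
    print(handler({}, ctx))
```

Because the cache lives at module level, a warm instance reuses the credentials it already read instead of querying the context on every call, and the refresh margin means a change to the agency (which the page says takes about 10 minutes to propagate) is picked up at the next refresh without any invocation running on credentials that expire mid-call.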

Common Permissions

To use the scenarios specified by Table 4, that is, to work with other services, create and configure an agency. For details, see Creating a Function Agency and Configuring an Agency.

When creating an agency, adjust the type of permission granted to the actual service requirements. In the production environment, you are advised to use the fine-grained minimum permission, so that the function's runtime requirements are met while the risk posed by excessive permissions is effectively reduced.

Table 4 Common permissions

Scenario: Using a custom image
Policy Name: SWR Admin
Description: SoftWare Repository for Container (SWR) administrator with full permissions. For how to create a custom image, see Creating a Function with an Image.
Fine-Grained Minimum Permission: Unavailable

Scenario: Mounting an SFS Turbo file system
Policy Name: SFS Turbo ReadOnlyAccess
Description: Read-only permissions for SFS Turbo. For details about how to mount an SFS Turbo file system, see Mounting an SFS Turbo file system.
Fine-Grained Minimum Permission:
  • sfsturbo:shares:getShare (Query details about a file system)
  • sfsturbo:shares:showFsDir (Check whether a directory exists)

Scenario: Mounting an ECS shared directory
Policy Name: ECS ReadOnlyAccess
Description: Read-only permissions for ECS. For details about how to mount an ECS shared directory, see Mounting an ECS Shared Directory.
Fine-Grained Minimum Permission: ecs:cloudServers:get (Query details about an ECS)

Scenario: Configuring a reserved instance policy
Policy Name: AOM ReadOnlyAccess
Description: Read-only permissions for AOM.
Fine-Grained Minimum Permission:
  • aom:metric:get (Query a metric)
  • aom:metric:list (Query metric list)

Scenario: Configuring a reserved instance policy
Policy Name: FunctionGraph ReadOnlyAccess
Description: This policy grants read-only permissions for FunctionGraph.
Fine-Grained Minimum Permission: functiongraph:function:getConfig (Query function configurations.)

Scenario: Using a DIS trigger
Policy Name: DIS Administrator
Description: Administrator who has all permissions for the DIS service. For details about how to create a DIS trigger, see Data Ingestion Service (DIS) Trigger.
Fine-Grained Minimum Permission: Unavailable

Scenario: Using DMS triggers
Policy Name: DMS ReadOnlyAccess
Description: Read-only permissions for DMS.
Fine-Grained Minimum Permission: dms:instance:get (Query instance details)

Scenario: Configuring cross-domain VPC access
Policy Name: VPC Administrator
Description: VPC administrator has all permissions on all resources in the VPC. For details about how to configure cross-domain VPC access, see Configuring VPC Access.
Fine-Grained Minimum Permission:
  • vpc:ports:get (Query a port)
  • vpc:ports:create (Create a port)
  • vpc:vpcs:get (Query a VPC)
  • vpc:subnets:get (Query a subnet)
  • vpc:vips:delete (Unbind a virtual IP address from a VM)
  • vpc:securityGroups:get (Query security groups or details about a security group)

Scenario: DNS Resolution
Policy Name: DNS ReadOnlyAccess
Description: Read-only permissions for DNS. Users granted these permissions can only view DNS resources. For details about how to call the DNS API to resolve private domain names, see How Does FunctionGraph Resolve a Private DNS Domain Name?
Fine-Grained Minimum Permission:
  • dns:recordset:get (Query a record set)
  • dns:zone:get (Query a tenant zone)
  • dns:recordset:list (Query record set list)
  • dns:zone:list (Query the zone list)

Scenario: Configuring asynchronous notification (target service is OBS)
Policy Name: OBS Administrator
Description: OBS administrator has all permissions for OBS. For details about how to configure asynchronous notification, see Asynchronous Notification Policy.
Fine-Grained Minimum Permission:
  • obs:bucket:HeadBucket (Obtain bucket metadata)
  • obs:bucket:CreateBucket (Create a bucket)
  • obs:object:PutObject (Upload objects using PUT method, upload objects using POST method, copy objects, append an object, initialize a multipart task, upload parts, and merge parts)

Scenario: Configuring asynchronous notification (target service is SMN)
Policy Name: SMN Administrator
Description: SMN administrator has all permissions for SMN. For details about how to configure asynchronous notification, see Asynchronous Notification Policy.
Fine-Grained Minimum Permission:
  • smn:topic:publish (Publish a message)
  • smn:topic:list (Query the topic list)

Scenario: Configuring asynchronous notification (target service is DIS)
Policy Name: DIS Administrator
Description: Administrator who has all permissions for the DIS service. For details about how to configure asynchronous notification, see Asynchronous Notification Policy.
Fine-Grained Minimum Permission: Unavailable

Scenario: Using an OBS bucket
Policy Name: OBS Administrator
Description: OBS administrator has all permissions for OBS.
Fine-Grained Minimum Permission:
  • obs:bucket:GetBucketLocation (Query a bucket location)
  • obs:bucket:ListAllMyBuckets (Query buckets)
  • obs:bucket:GetBucketNotification (Obtain the event notification configuration of a bucket)
  • obs:bucket:PutBucketNotification (Configure event notifications for a bucket)
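The following is an added example, not code from the FunctionGraph documentation: a small Python helper that assembles a least-privilege custom policy from the fine-grained actions listed in Table 4 for the scenarios a function actually uses, reports which scenarios still require a system policy because the table gives no minimum ("Unavailable"), and flags the actions in an existing policy that exceed that minimum. The action strings come from Table 4; the scenario keys are constructed labels, and the policy document layout ({"Version": "1.1", "Statement": [...]}) is my understanding of the Huawei Cloud IAM custom-policy JSON format and should be confirmed in the IAM console's JSON view before use.

```python
"""Added example (not from the FunctionGraph documentation): build a
least-privilege custom policy from Table 4 and flag over-broad policies.

Assumptions: action strings are those listed in Table 4; scenario keys are
constructed labels; the {"Version": "1.1", "Statement": [...]} layout is the
IAM custom-policy JSON format as I know it (confirm in the IAM console).
"""
import json
from typing import Dict, List, Tuple

# Fine-grained minimum permissions from Table 4, keyed by constructed label.
MINIMUM_ACTIONS: Dict[str, List[str]] = {
    "sfs_turbo_mount": ["sfsturbo:shares:getShare", "sfsturbo:shares:showFsDir"],
    "ecs_shared_dir": ["ecs:cloudServers:get"],
    "reserved_instance_policy": ["aom:metric:get", "aom:metric:list",
                                 "functiongraph:function:getConfig"],
    "dms_trigger": ["dms:instance:get"],
    "vpc_access": ["vpc:ports:get", "vpc:ports:create", "vpc:vpcs:get",
                   "vpc:subnets:get", "vpc:vips:delete", "vpc:securityGroups:get"],
    "dns_resolution": ["dns:recordset:get", "dns:zone:get",
                       "dns:recordset:list", "dns:zone:list"],
    "async_notification_obs": ["obs:bucket:HeadBucket", "obs:bucket:CreateBucket",
                               "obs:object:PutObject"],
    "async_notification_smn": ["smn:topic:publish", "smn:topic:list"],
    "obs_bucket": ["obs:bucket:GetBucketLocation", "obs:bucket:ListAllMyBuckets",
                   "obs:bucket:GetBucketNotification", "obs:bucket:PutBucketNotification"],
}

# Scenarios whose minimum is "Unavailable" in Table 4: the named system
# policy must still be attached to the agency.
SYSTEM_POLICY_ONLY: Dict[str, str] = {
    "custom_image": "SWR Admin",
    "dis_trigger": "DIS Administrator",
    "async_notification_dis": "DIS Administrator",
}


def build_policy(scenarios: List[str]) -> Tuple[dict, List[str]]:
    """Return (custom policy document, system policies still required).
    The document holds only the union of the minimum actions for the scenarios."""
    unknown = [s for s in scenarios
               if s not in MINIMUM_ACTIONS and s not in SYSTEM_POLICY_ONLY]
    if unknown:
        raise ValueError(f"unknown scenarios: {unknown}")
    actions = sorted({a for s in scenarios for a in MINIMUM_ACTIONS.get(s, [])})
    policy = {
        "Version": "1.1",
        "Statement": [{"Effect": "Allow", "Action": actions}] if actions else [],
    }
    system_policies = sorted({SYSTEM_POLICY_ONLY[s] for s in scenarios
                              if s in SYSTEM_POLICY_ONLY})
    return policy, system_policies


def excess_actions(policy: dict, scenarios: List[str]) -> List[str]:
    """List Allow actions in an existing policy that are outside the minimum
    set for the given scenarios. A wildcard such as 'vpc:*:*' never equals an
    exact minimum action, so it is reported as excess as well."""
    required = {a for s in scenarios for a in MINIMUM_ACTIONS.get(s, [])}
    excess = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in stmt.get("Action", []):
            if action not in required:
                excess.add(action)
    return sorted(excess)


if __name__ == "__main__":
    doc, system_needed = build_policy(["sfs_turbo_mount", "dns_resolution"])
    print(json.dumps(doc, indent=2))
    print("system policies still required:", system_needed)
```

Running excess_actions against the policy currently attached to an agency is a quick way to see which grants go beyond what the function's scenarios need; anything it returns, and in particular any wildcard entry, is a candidate for removal when tightening the agency as recommended above.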