
Configuring Agency Permissions

Updated on 2024-12-18 GMT+08:00

Overview

FunctionGraph works with other cloud services in most scenarios. Create a cloud service agency so that FunctionGraph can perform O&M on resources in other cloud services on your behalf.

Scenario

Before using FunctionGraph in the following scenarios, create an agency. Adjust the permissions granted to the agency to match your service requirements. For example, grant the Admin permission in the development phase and change it to the fine-grained minimum permission in the production environment. This grants the required permissions while eliminating unnecessary risk. Select the required actions by referring to Table 1.

Table 1 Common actions

Scenario: Using a custom image
  Admin Permission: SWR Administrator
  Fine-Grained Minimum Permission: Unavailable
  Description: SWR Administrator: administrator who has all permissions for the Software Repository for Container (SWR) service.
  For details about how to create a custom image, see Deploying a Function Using a Container Image.

Scenario: Mounting an SFS Turbo file system
  Admin Permission: SFS Turbo ReadOnlyAccess
  Fine-Grained Minimum Permission:
    • sfsturbo:shares:getShare (Query details about a file system)
    • sfsturbo:shares:showFsDir (Check whether a directory exists)
  Description:
    • SFS Turbo ReadOnlyAccess: read-only permissions for SFS Turbo.
    • sfsturbo:shares:getShare: permission for querying a file system in SFS.
    • sfsturbo:shares:showFsDir: permission for checking whether a directory exists in SFS.
  For details about how to mount an SFS Turbo file system, see Mounting an SFS Turbo File System.

Scenario: Mounting an ECS shared directory
  Admin Permission: ECS ReadOnlyAccess
  Fine-Grained Minimum Permission: ecs:cloudServers:get (Query details about an ECS)
  Description:
    • ECS ReadOnlyAccess: read-only permissions for ECS.
    • ecs:cloudServers:get: permission for querying an ECS.
  For details about how to mount an ECS shared directory, see Mounting an ECS Shared Directory.

Scenario: Configuring a reserved instance policy
  Admin Permission: AOM ReadOnlyAccess
  Fine-Grained Minimum Permission:
    • aom:metric:get (Query a metric)
    • aom:metric:list (Query the metric list)
  Description:
    • AOM ReadOnlyAccess: read-only permissions for AOM.
    • aom:metric:get: permission for querying a metric in AOM.
    • aom:metric:list: permission for querying the metric list in AOM.

Scenario: Using a DIS trigger
  Admin Permission: DIS Administrator
  Fine-Grained Minimum Permission: Unavailable
  Description: DIS Administrator: administrator who has all permissions for the DIS service.
  For details about how to create a DIS trigger, see Using a DIS Trigger.

Scenario: Using a DMS trigger
  Admin Permission: DMS ReadOnlyAccess
  Fine-Grained Minimum Permission: dms:instance:get (Query instance details)
  Description:
    • DMS ReadOnlyAccess: read-only permissions for DMS.
    • dms:instance:get: permission for querying instance details in DMS.

Scenario: Configuring cross-domain VPC access
  Admin Permission: VPC Administrator
  Fine-Grained Minimum Permission:
    • vpc:ports:get (Query a port)
    • vpc:ports:create (Create a port)
    • vpc:vpcs:get (Query a VPC)
    • vpc:subnets:get (Query a subnet)
    • vpc:vips:delete (Unbind a virtual IP address from a VM)
    • vpc:securityGroups:get (Query security groups or details about a security group)
  Description:
    • VPC Administrator: users with this permission can perform any operation on all cloud resources of the VPC. To configure cross-VPC access, specify an agency with VPC management permissions.
    • Fine-grained minimum permission for VPC: permissions for unbinding a virtual IP address from a VM, querying a port, creating a port, querying a VPC, querying a subnet, and querying security groups or details about a security group.
  For details about how to configure cross-domain VPC access, see Configuring the Network.

Scenario: DNS Resolution
  Admin Permission: DNS ReadOnlyAccess
  Fine-Grained Minimum Permission:
    • dns:recordset:get (Query a record set)
    • dns:zone:get (Query a tenant zone)
    • dns:recordset:list (Query the record set list)
    • dns:zone:list (Query the zone list)
  Description:
    • DNS ReadOnlyAccess: permissions only to view DNS resources. To call a DNS API to resolve private domain names, specify an agency with permissions to read DNS resources.
    • Fine-grained minimum permission for DNS: permissions for querying a record set, the record set list, a tenant zone, and the zone list in DNS.
  For details about how to call the DNS API to resolve private domain names, see How Does FunctionGraph Resolve a Private DNS Domain Name?

Scenario: Configuring asynchronous notification (the required permissions depend on the target service)
  If the target service is OBS:
    Admin Permission: OBS Administrator
    Fine-Grained Minimum Permission:
      • obs:bucket:HeadBucket (Obtain bucket metadata)
      • obs:bucket:CreateBucket (Create a bucket)
      • obs:object:PutObject (Upload objects using the PUT method, upload objects using the POST method, copy objects, append an object, initialize a multipart task, upload parts, and merge parts)
    Description:
      • OBS Administrator: administrator who has all permissions for OBS.
      • Fine-grained minimum permission for OBS: permissions for obtaining bucket metadata, creating a bucket, uploading objects using the PUT or POST method, copying objects, appending an object, initializing a multipart task, uploading parts, and merging parts.
  If the target service is SMN:
    Admin Permission: SMN Administrator
    Fine-Grained Minimum Permission:
      • smn:topic:publish (Publish a message)
      • smn:topic:list (Query the topic list)
    Description:
      • SMN Administrator: administrator who has all permissions for SMN.
      • Fine-grained minimum permission for SMN: permissions for publishing a message and querying the topic list.
  If the target service is DIS:
    Admin Permission: DIS Administrator
    Fine-Grained Minimum Permission: Unavailable
    Description: DIS Administrator: administrator who has all permissions for DIS.
  For details about how to configure asynchronous notification, see Configuring Asynchronous Execution Notification.

Creating an Agency

NOTE:

In the following example, the VPC Administrator permission is assigned to FunctionGraph and this setting takes effect only in the authorized regions.

Create an agency by referring to Creating an Agency and set parameters as follows:

  1. Log in to the IAM console.
  2. On the IAM console, choose Agencies from the navigation pane, and click Create Agency in the upper right corner.
    Figure 1 Creating an agency
  3. Configure the agency.
    Figure 2 Setting basic information
    • For Agency Name, enter serverless-trust.
    • For Agency Type, select Cloud service.
    • For Cloud Service, select FunctionGraph.
    • For Validity Period, select Unlimited.
    • For Description, enter a description.
  4. Click Next. On the displayed page, search for the permissions to be added in the search box on the right and select them. The VPC Administrator permission is used as an example.
    Figure 3 Selecting policies
    Table 2 Example of agency permissions
      Policy Name: VPC Administrator
      Scenario: VPC administrator
  5. Click Next and select the scope, for example, Region-specific project.
    Figure 4 Selecting the required permissions
    Figure 4 Selecting the required permissions
NOTE:

If the default policies do not meet your requirements, you can create custom policies in the visual editor or JSON view, and attach custom policies to user groups for refined access control. For details, see Creating Custom Policies.
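The fine-grained actions in Table 1 can be written into a custom policy in the JSON view mentioned above, and the same list can be used to audit an existing policy for anything beyond the minimum. The following Python is an added example, not code from this page or from Huawei Cloud: the "Version": "1.1" / Statement layout is an assumption about what IAM's JSON view produces (compare it with the console), and the scenario keys are the page's own names.

```python
import fnmatch

# Fine-grained minimum actions from Table 1, keyed by the page's scenario names.
MINIMUM_ACTIONS = {
    "Mounting an SFS Turbo file system": ["sfsturbo:shares:getShare", "sfsturbo:shares:showFsDir"],
    "Mounting an ECS shared directory": ["ecs:cloudServers:get"],
    "Configuring a reserved instance policy": ["aom:metric:get", "aom:metric:list"],
    "Using a DMS trigger": ["dms:instance:get"],
    "Configuring cross-domain VPC access": [
        "vpc:ports:get", "vpc:ports:create", "vpc:vpcs:get", "vpc:subnets:get",
        "vpc:vips:delete", "vpc:securityGroups:get",
    ],
    "DNS Resolution": ["dns:recordset:get", "dns:zone:get", "dns:recordset:list", "dns:zone:list"],
    "Configuring asynchronous notification (OBS)": [
        "obs:bucket:HeadBucket", "obs:bucket:CreateBucket", "obs:object:PutObject",
    ],
    "Configuring asynchronous notification (SMN)": ["smn:topic:publish", "smn:topic:list"],
}

def minimum_policy(scenarios):
    """Custom policy allowing only the Table 1 minimum actions for the given scenarios.
    The Version 1.1 / Statement layout is an assumption about the IAM JSON view."""
    actions = sorted({a for s in scenarios for a in MINIMUM_ACTIONS[s]})
    return {"Version": "1.1", "Statement": [{"Effect": "Allow", "Action": actions}]}

def _allowed_patterns(policy):
    """Every action pattern from Allow statements; Action may be a string or a list."""
    patterns = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns

def audit_policy(policy, scenarios):
    """Compare a policy against the Table 1 minimum for the given scenarios.
    'missing': needed actions that no Allow pattern covers (fnmatch, so 'vpc:*:*' covers
    every VPC action). 'excess': patterns that are not exactly a needed action, so a
    wildcard leaves nothing missing but is still flagged because it grants more than
    Table 1 requires. A clean least-privilege policy returns two empty lists."""
    needed = sorted({a for s in scenarios for a in MINIMUM_ACTIONS[s]})
    patterns = _allowed_patterns(policy)
    missing = [a for a in needed if not any(fnmatch.fnmatchcase(a, p) for p in patterns)]
    excess = sorted(p for p in set(patterns) if p not in needed)
    return {"missing": missing, "excess": excess}
```

Run audit_policy against the policy attached to the agency after the development-to-production switch described in Scenario: an empty "excess" list confirms the Admin-level grant was actually replaced.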

Configuring an Agency

  1. In the left navigation pane of the management console, choose Compute > FunctionGraph. On the FunctionGraph console, choose Functions > Function List from the navigation pane.
  2. Click the function to be configured to go to the function details page.
  3. Choose Configuration > Permissions, click Create Agency, and set an agency based on site requirements by referring to Table 3.
    Table 3 Agency configuration parameters
      Configuration Agency: Select a function that you have created.
      Execution Agency: Mandatory if you select Specify an exclusive agency for function execution.
    NOTE:
    • To ensure optimal performance, select Specify an exclusive agency for function execution and set different agencies for function configuration and execution. You can also use no agency or specify the same agency for both purposes. Figure 5 shows the agency options.
      Figure 5 Setting agencies
    • Configuration Agency: For example, to create Data Ingestion Service (DIS) triggers, first specify an agency with DIS permissions. If no such agency is specified or the specified agency does not exist, DIS triggers cannot be created.
    • Execution Agency: This type of agency lets the function handler obtain a token and AK/SK from the context for accessing other cloud services.
  4. Click Save.

Modifying an Agency

You can modify the permissions, validity period, and description of an agency on the IAM console.

CAUTION:
  • After an agency is modified, it takes about 10 minutes for the modification to take effect (for example, in the token returned by context.getToken).
  • The agency information obtained using the context method is valid for 24 hours. Refresh it before it expires.
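The 24-hour validity above is easy to overrun in a warm container that caches the token forever. The following Python handler is an added example, not code from this page or from FunctionGraph: it caches the execution-agency token from context.getToken() (the method named in the CAUTION) and refreshes it before the window ends. The one-hour refresh margin, the FakeContext class and the fake clock in demo() are constructed for offline demonstration only.

```python
import time

# Agency info from the context is valid for 24 hours (CAUTION above); refreshing 1 h early is an assumed margin.
TOKEN_LIFETIME_S = 24 * 60 * 60
REFRESH_MARGIN_S = 60 * 60

class AgencyTokenCache:
    """Keeps the execution-agency token from context.getToken() across warm
    invocations and fetches a fresh one before the 24-hour validity ends."""
    def __init__(self, lifetime_s=TOKEN_LIFETIME_S, margin_s=REFRESH_MARGIN_S, clock=time.time):
        self._lifetime, self._margin, self._clock = lifetime_s, margin_s, clock
        self._token, self._expires_at, self.refreshes = None, 0.0, 0

    def get(self, context):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._margin:
            token = context.getToken()
            if not token:  # no execution agency set, or the agency no longer exists
                raise RuntimeError("context.getToken() returned no token; check Execution Agency")
            self._token, self._expires_at = token, now + self._lifetime
            self.refreshes += 1
        return self._token

_CACHE = AgencyTokenCache()  # module level so a warm container reuses it

def handler(event, context):
    """FunctionGraph Python handler: the token belongs in the X-Auth-Token header of
    calls to other cloud services (call omitted here); never log it or return it."""
    headers = {"X-Auth-Token": _CACHE.get(context)}
    return {"statusCode": 200, "body": "ok"}

class FakeContext:
    """Constructed stand-in for the runtime context, for offline demonstration only."""
    def __init__(self, tokens):
        self._tokens = list(tokens)

    def getToken(self):
        return self._tokens.pop(0)

def demo():
    """Simulate warm invocations over 30 hours with a fake clock. Returns
    (refresh count, distinct tokens seen): hour 23 crosses the margin, so 2 and both."""
    clock = [0.0]
    cache = AgencyTokenCache(clock=lambda: clock[0])
    ctx = FakeContext(["token-day1", "token-day2"])
    seen = []
    for hour in (0, 6, 12, 22, 23, 30):
        clock[0] = hour * 3600.0
        seen.append(cache.get(ctx))
    return cache.refreshes, sorted(set(seen))
```

Because a modified agency takes about 10 minutes to take effect, a token fetched just after the change may still reflect the old permissions until the next refresh.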
