awesome-fc / fc-wordpress

deploy a wordpress on FC

serverless tutorial question #10

Open yurenji opened 4 years ago

yurenji commented 4 years ago

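I am following the tutorial to try out Function Compute, and I have some questions about the NAS configuration part.

"For the VpcId, VSwitchId and SecurityGroupId in VpcConfig, look them up on the instance details page in the ECS console"

Should I fill in the information of the free ECS instance here, or the NAS information? NAS also has a VpcId and a VSwitchId, but I could not find a SecurityGroupId.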

yurenji commented 4 years ago

After filling in the ECS information, I got an error:

[root@iZuf66m5ykb29lu77wywcjZ fc-web-mysql]# fun nas init
using template: template.yml
start fun nas init...
checking if _FUN_NAS_fc-wp-mysql needs to be deployed...
Waiting for service _FUN_NAS_fc-wp-mysql to be deployed...
    make sure role 'aliyunfcgeneratedrole-cn-shanghai-fc-wp-mysql' is exist

You can run the following commands to grant permission 'ram:GetRole' on 'acs:ram:*:1590071854402476:role/*'
Via the link:  https://shell.aliyun.com/ or aliyun cli
(Note: aliyun cli tool needs to be configured with credentials that have related RAM permissions, such as primary account's AK)

1. Create Policy
aliyun ram CreatePolicy --PolicyName fun-generated-ram-GetRole-qk4ds13j --PolicyDocument "{\"Version\":\"1\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"ram:GetRole\"],\"Resource\":[\"acs:ram:*:1590071854402476:role/*\"]}]}"

2. Attach Policy To User
aliyun ram AttachPolicyToUser --PolicyName fun-generated-ram-GetRole-qk4ds13j --PolicyType "Custom" --UserName "YOUR_USER_NAME"

You are not authorized to do this action. Resource: acs:ram:*:1590071854402476:role/* Action: ram:GetRole, URL: https://ram.aliyuncs.com/?AccessKeyId=LTAI4GAMbc1CXo7CGQPLxArh&Action=GetRole&Format=JSON&RoleName=aliyunfcgeneratedrole-cn-shanghai-fc-wp-mysql&SignatureMethod=HMAC-SHA1&SignatureNonce=e3771e8509019ae6859ddf56d53e3412&SignatureVersion=1.0&Timestamp=2020-06-07T10%3A29%3A39Z&Version=2015-05-01&Signature=%2BbPiJINnjHHDJmSis5rSvCvl4iA%3D

yurenji commented 4 years ago

template.yml

ROSTemplateFormatVersion: '2015-09-01'
Transform: 'Aliyun::Serverless-2018-04-03'
Resources:
  fc-wp-mysql:
    Type: 'Aliyun::Serverless::Service'
    Properties:
      Description: 'run wordpress on FC'
      Policies:
        - AliyunECSNetworkInterfaceManagementAccess
      VpcConfig:
        VpcId: 'vpc-uf6104xvn8nlghx7kz566'
        VSwitchIds: [ 'vsw-uf6ir3jxr06plc747uba3' ]
        SecurityGroupId: 'sg-uf6fgw5y2rya9qqf81kf'
      NasConfig:
        UserId: 10003
        GroupId: 10003
        MountPoints:
          - ServerAddr: '351204aad6-hyg75.cn-shanghai.nas.aliyuncs.com:/'
            MountDir: '/mnt/auto'
      LogConfig:
        Project: yurenji-demo
        Logstore: mysql-log
    wp-func:
      Type: 'Aliyun::Serverless::Function'
      Properties:
        Handler: index.handler
        Runtime: php7.2
        CodeUri: './'
        Timeout: 300
        MemorySize: 256
        EnvironmentVariables:
          PHP_INI_SCAN_DIR: '/code/extension'
      Events:
        httpTrigger:
          Type: HTTP
          Properties:
            AuthType: ANONYMOUS
            Methods: ['POST', 'GET', 'HEAD', 'PUT', 'DELETE']

  yurenji-demo:
    Type: 'Aliyun::Serverless::Log'
    Properties:
      Description: 'fc web log project'
    mysql-log:
      Type: 'Aliyun::Serverless::Log::Logstore'
      Properties:
        TTL: 10
        ShardCount: 1
  fc-wordpress-domain:
    Type: 'Aliyun::Serverless::CustomDomain'
    Properties:
      DomainName: Auto
      Protocol: HTTP
      RouteConfig:
        Routes:
          '/*':
            ServiceName: fc-wp-mysql
            FunctionName: wp-func

rsonghuster commented 3 years ago

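You are using a sub-account, right? Sub-account permissions:

How should sub-account permissions for the FC console be configured?

Here is a fairly complete standard template

As for triggers, you can directly grant the all-read or full permission of the corresponding cloud service. For example, for an OSS trigger you can directly add AliyunOSSReadOnlyAccess or AliyunOSSFullAccess. Of course, you can define it more specifically and in finer detail, for example down to a particular bucket

Fun development

Because the Fun tool, in order to simplify some user configuration, does things such as automatically creating the Role for a service that matches the yml definition

The simplest approach is to add RAM full permission on top of the above

Serverless Application Development: Sub-account Best Practices and Q&A (Function Compute)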
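
Added example, not part of the thread or of the fc-wordpress project: Python that reads the authorization error `fun nas init` printed in the second comment and builds a policy document for only the denied action, narrowed to the role named in the request instead of `role/*`. The account id in the sample is a constructed placeholder, and the single-role resource form (`...:role/<lower-cased role name>`) is an assumption.

```python
import json
import re

# Constructed sample: the two lines of Fun's output that carry the denial,
# with a placeholder account id and a shortened URL.
SAMPLE_OUTPUT = """\
    make sure role 'aliyunfcgeneratedrole-cn-shanghai-fc-wp-mysql' is exist
You are not authorized to do this action. Resource: acs:ram:*:1234567890123456:role/* Action: ram:GetRole, URL: https://ram.aliyuncs.com/?Action=GetRole&RoleName=aliyunfcgeneratedrole-cn-shanghai-fc-wp-mysql
"""

# "Resource: <arn> Action: <service>:<api>" as printed in the error line.
DENIAL = re.compile(
    r"Resource:\s*(?P<resource>acs:\S+)\s+"
    r"Action:\s*(?P<action>[A-Za-z0-9]+:[A-Za-z0-9*]+)"
)
# The role the failed request asked about, taken from the echoed URL.
ROLE_NAME = re.compile(r"[?&]RoleName=(?P<role>[A-Za-z0-9.\-]+)")


def parse_denial(output):
    """Return (action, resource, role_name) from a Fun authorization error."""
    m = DENIAL.search(output)
    if not m:
        raise ValueError("no 'Resource: ... Action: ...' denial found")
    role = ROLE_NAME.search(output)
    return m["action"], m["resource"], role["role"] if role else None


def scoped_policy(action, resource, role_name):
    """Build a policy for the one denied action, narrowed to one role if known."""
    if "*" in action:
        raise ValueError("refusing to emit a wildcard action")
    if role_name and resource.endswith(":role/*"):
        # Assumption: one role is addressed as ...:role/<lower-cased name>.
        resource = resource[:-1] + role_name.lower()
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Action": [action], "Resource": [resource]}
        ],
    }


if __name__ == "__main__":
    print(json.dumps(scoped_policy(*parse_denial(SAMPLE_OUTPUT)), indent=2))
```

The printed JSON has the same shape as the `--PolicyDocument` argument in the Fun output above, with the resource limited to one role.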