Resource-based Policy Guide
Overview of Resource-Based Policies
A resource-based policy for Cloud Functions is a policy attached to a function (the resource) that allows or denies (Effect) specific actions (Action) for a given principal (Principal). With a resource-based policy you define directly which principals may invoke (Invoke) the function.
You can allow function invocation by defining the following in a resource-based policy.
- Users of a specified Samsung Cloud Platform account
- A specified source IP address range or CIDR block
Resource-based policies are written as JSON policy documents attached to the function, and they control whether a given security principal (typically an IAM user, role, or group) may invoke it.
| Category | Explanation | Example |
|---|---|---|
| Principal | Specify the function caller | specific object storage bucket, API Gateway, other Samsung Cloud Platform accounts, etc. |
| Task (Action) | Define the allowed functionality | Mostly scf:InvokeFunction |
| Condition (Condition) | Restrict to allow only in specific situations | Allow only requests from a bucket with a specific SRN. |
- Cloud Functions’ resource-based policies leverage the rules of IAM’s resource-based policies.
- Refer to the JSON Mode Usage Guide for how to create or modify policies using JSON.
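To make the Principal / Action / Condition structure from the table above concrete, the following added example (written for this guide, not Samsung Cloud Platform's own policy engine) evaluates a request against a resource-based policy. It applies the semantics the policy documents on this page depend on: an explicit Deny always wins, an Allow must match Principal, Action, Resource and every Condition clause, and SrnLike treats `*` as a wildcard inside an SRN. The request shape (a principal tuple, an action, a resource and a context dict keyed by condition key) and the statement Sids are assumptions made for the example; the policies themselves are the API Gateway trigger and Function URL (IAM) examples from this guide.

```python
"""Mini evaluator for Cloud Functions resource-based policies.

Added example for this guide, not Samsung Cloud Platform's own policy engine.
Semantics implemented: explicit Deny wins; an Allow must match Principal,
Action, Resource and every Condition clause; SrnLike treats '*' as a wildcard.
The request shape used below is an assumption made for this example.
"""
import fnmatch
import json
from typing import Any, Dict, List, Tuple, Union

FUNCTION_SRN = "srn:e::accountID:kr-west1::scf:cloud-function/functionID"
METHOD_KEY = "scp:RequestAttribute/body['x-scf-request-obj-srn']"

# Example policies from this guide, written as valid JSON (Sids are assumed).
API_GATEWAY_POLICY = json.loads("""{
  "Statement": [{
    "Action": ["scf:InvokeFunction"],
    "Condition": {"SrnLike": {
      "scp:RequestAttribute/body['x-scf-request-obj-srn']":
        ["srn:e::accountID:kr-west1::apigateway:method/MethodID/*/GET/test"]}},
    "Effect": "Allow",
    "Principal": {"Service": ["apigateway.samsungsdscloud.com"]},
    "Resource": ["srn:e::accountID:kr-west1::scf:cloud-function/functionID"],
    "Sid": "ApiGatewayTrigger"
  }],
  "Version": "2024-07-01"
}""")

FUNCTION_URL_IAM_POLICY = json.loads("""{
  "Statement": [{
    "Action": ["scf:InvokeFunctionUrl"],
    "Condition": {"StringEquals": {"scf:CloudFunctionAuthType": ["SCP_IAM"]}},
    "Effect": "Allow",
    "Principal": {"scp": ["srn:e::accountID:::iam:user/userID"]},
    "Resource": ["srn:e::accountID:kr-west1::scf:cloud-function/functionID"],
    "Sid": "InvokeFunctionUrlIam"
  }],
  "Version": "2024-07-01"
}""")


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def _glob(value: str, patterns: Union[str, List[str]]) -> bool:
    # '*' in a policy pattern matches any run of characters, ':' and '/' included.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(principal: Any, caller: Tuple[str, str]) -> bool:
    if principal == "*":
        return True  # matches every caller, anonymous ones included
    kind, ident = caller  # ("Service", "apigateway...") or ("scp", "srn:...:iam:user/...")
    return _glob(ident, principal.get(kind, []))


_OPERATORS = {
    "StringEquals": lambda actual, expected: actual == expected,
    "SrnLike": lambda actual, expected: fnmatch.fnmatchcase(actual, expected),
}


def _condition_matches(condition: Dict[str, Dict[str, Any]], context: Dict[str, str]) -> bool:
    for operator, clauses in condition.items():
        test = _OPERATORS.get(operator)
        if test is None:
            return False  # unknown operator: fail closed
        for key, expected in clauses.items():
            actual = context.get(key)
            # A key absent from the request never satisfies a positive condition.
            if actual is None or not any(test(actual, e) for e in _as_list(expected)):
                return False
    return True


def evaluate(policy: Dict[str, Any], request: Dict[str, Any]) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' (no statement matched)."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], request["principal"]):
            continue
        if not _glob(request["action"], stmt["Action"]):
            continue
        if not _glob(request["resource"], stmt["Resource"]):
            continue
        if not _condition_matches(stmt.get("Condition", {}), request.get("context", {})):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit Deny overrides any Allow
        decision = "Allow"
    return decision


def api_gateway_request(method_srn: str) -> Dict[str, Any]:
    # Constructed request as API Gateway presents it: service principal plus method SRN.
    return {"principal": ("Service", "apigateway.samsungsdscloud.com"),
            "action": "scf:InvokeFunction", "resource": FUNCTION_SRN,
            "context": {METHOD_KEY: method_srn}}


def url_request(caller: Tuple[str, str], auth_type: str) -> Dict[str, Any]:
    # Constructed function-URL request; auth_type is "NONE" or "SCP_IAM".
    return {"principal": caller, "action": "scf:InvokeFunctionUrl",
            "resource": FUNCTION_SRN,
            "context": {"scf:CloudFunctionAuthType": auth_type}}


if __name__ == "__main__":
    method = "srn:e::accountID:kr-west1::apigateway:method/MethodID/v1/GET/test"
    print(evaluate(API_GATEWAY_POLICY, api_gateway_request(method)))
    print(evaluate(API_GATEWAY_POLICY, api_gateway_request(method.replace("GET", "POST"))))
    user = ("scp", "srn:e::accountID:::iam:user/userID")
    print(evaluate(FUNCTION_URL_IAM_POLICY, url_request(user, "SCP_IAM")))
    print(evaluate(FUNCTION_URL_IAM_POLICY, url_request(user, "NONE")))
```

The two negative cases show what each part of a statement buys you: the `SrnLike` condition stops API Gateway from triggering the function for a method other than `GET/test`, and the `StringEquals` condition on `scf:CloudFunctionAuthType` stops an unauthenticated URL call even when the Principal would otherwise match.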
Resource-based policy usage scenario
The primary use cases for resource-based policies are as follows.
Resource-based policy scenario
The resource-based policy scenarios used when a Cloud Functions function runs are as follows.
| Category | Explanation | Reference example |
|---|---|---|
| Function URL - Authentication Type None | Required when you create a URL for a function and invoke it without authentication. | Function URL (Authentication Type None) example |
| Function URL - Authentication Type IAM | Required when you create a URL for a function and invoke it with IAM-authenticated callers. | Function URL (Authentication Type IAM) example |
| API Gateway trigger | Required when API Gateway invokes the function to handle external API requests. | API Gateway trigger example |
| PrivateLink connection | Defines a PrivateLink Service connection so that the function can be invoked privately from another VPC. | PrivateLink connection example |
Additional user usage scenarios
Although the following are not registered automatically as Cloud Functions resource-based policies, users can add them as needed.
- Cross-Account Access
  - When an IAM user in account A needs to invoke a function in account B, add account A's principal to the resource-based policy of the function in account B.
- Hybrid Access Control
  - Allow access only when both conditions hold, a specific user and a specific source IP range, rather than restricting on the account or the IP alone.
Resource-based policy management for Cloud Functions
To view and configure resource-based policies for Cloud Functions, follow these steps.
1. Click the All Services > Compute > Cloud Functions menu to open the Cloud Functions Service Home page.
2. On the Service Home page, click the Function menu to open the Function list page.
3. On the Function list page, click the function for which you want to set a policy to open the Function Details page.
4. On the Function Details page, click the Configuration tab.
5. Click the Edit button of the Resource-based policy permissions item. The Resource Policy edit popup opens.
6. In the Resource Policy edit popup, select a Policy Template and then write the policy.
   - For policy examples by template, refer to the Resource-based policy example section.
7. When you have finished writing, click the Confirm button.
   - Clicking the Delete button deletes the registered policy.
Resource-based policy example
Users can define additional resource-based policies as needed or modify the existing ones.
- Some features require a resource-based policy (or credential) to be registered before they can be used with Cloud Functions.
- For the features covered by the examples below, Cloud Functions registers the example resource-based policy automatically when the feature is enabled or linked.
Function URL - Authentication Type None
A policy that permits public (unauthenticated) invocation: the Principal is `*` and the condition requires authentication type NONE.
Policy Template

```json
{
  "Statement": [
    {
      "Action": ["scf:InvokeFunctionUrl"],
      "Condition": {
        "StringEquals": {
          "scf:CloudFunctionAuthType": ["NONE"]
        }
      },
      "Effect": "Allow",
      "Principal": "*",
      "Resource": ["{{CloudFunctionSrn}}"],
      "Sid": "InvokeFunctionURLAllowPublicAccess"
    }
  ],
  "Version": "2024-07-01"
}
```

Policy example
```json
{
  "Statement": [
    {
      "Action": ["scf:InvokeFunctionUrl"],
      "Condition": {
        "StringEquals": {
          "scf:CloudFunctionAuthType": ["NONE"]
        }
      },
      "Effect": "Allow",
      "Principal": "*",
      "Resource": ["srn:e::accountID:kr-west1::scf:cloud-function/functionsID"],
      "Sid": "InvokeFunctionURLAllowPublicAccess"
    }
  ],
  "Version": "2024-07-01"
}
```

Function URL - Authentication Type IAM
A policy that permits specific IAM users to invoke the function URL; callers must authenticate with IAM (authentication type SCP_IAM).
Policy Template

```json
{
  "Statement": [
    {
      "Action": ["scf:InvokeFunctionUrl"],
      "Condition": {
        "StringEquals": {
          "scf:CloudFunctionAuthType": ["SCP_IAM"]
        }
      },
      "Effect": "Allow",
      "Principal": {
        "scp": ["srn:{{Environment}}::{{AccountID}}:::iam:user/{{UserId}}"]
      },
      "Resource": ["{{CloudFunctionSrn}}"],
      "Sid": "Statement1"
    }
  ],
  "Version": "2024-07-01"
}
```

Policy example

Note that the template restricts the Principal to one IAM user, whereas the registered example below uses `"Principal": "*"`, so any IAM-authenticated caller matches the statement and only the SCP_IAM condition limits access. Narrow the Principal to the intended users, as in the template, unless that broad access is intended.
```json
{
  "Statement": [
    {
      "Action": ["scf:InvokeFunctionUrl"],
      "Condition": {
        "StringEquals": {
          "scf:CloudFunctionAuthType": ["SCP_IAM"]
        }
      },
      "Effect": "Allow",
      "Principal": "*",
      "Resource": ["srn:e::accountID:kr-west1::scf:cloud-function/functionsID"],
      "Sid": "accountID-iam-invokefunctionurl"
    }
  ],
  "Version": "2024-07-01"
}
```

API Gateway trigger
A policy that allows the API Gateway service principal (apigateway.samsungsdscloud.com) to invoke the function, with an SrnLike condition that limits the permission to requests originating from the specified API Gateway method SRN. Without that condition, any request the API Gateway service makes to this function would match, not only the intended method.
Policy Template

```json
{
  "Statement": [
    {
      "Action": ["scf:InvokeFunction"],
      "Condition": {
        "SrnLike": {
          "scp:RequestAttribute/body['x-scf-request-obj-srn']": ["{{ApiGatewayMethodSrn}}"]
        }
      },
      "Effect": "Allow",
      "Principal": {
        "Service": ["apigateway.samsungsdscloud.com"]
      },
      "Resource": ["{{CloudFunctionSrn}}"],
      "Sid": "Statement1"
    }
  ],
  "Version": "2024-07-01"
}
```

Policy example
```json
{
  "Statement": [
    {
      "Action": ["scf:InvokeFunction"],
      "Condition": {
        "SrnLike": {
          "scp:RequestAttribute/body['x-scf-request-obj-srn']": [
            "srn:e::accountID:kr-west1::apigateway:method/MethodID/*/GET/test"
          ]
        }
      },
      "Effect": "Allow",
      "Principal": {
        "Service": ["apigateway.samsungsdscloud.com"]
      },
      "Resource": ["srn:e::accountID:kr-west1::scf:cloud-function/functionID"],
      "Sid": "999e9a9999de4d4683c9e10c74ee999z"
    }
  ],
  "Version": "2024-07-01"
}
```

The `*` in the method SRN matches any stage, so this example permits the `GET /test` method of the API regardless of stage, and nothing else.

PrivateLink connection
A policy that permits specific IAM users to invoke the function through a PrivateLink endpoint.
Policy Template

```json
{
  "Statement": [
    {
      "Action": ["scf:InvokeFunction"],
      "Condition": {
        "StringEquals": {
          "scf:CloudFunctionPrivatelinkServiceAuthType": ["SCP_IAM"]
        }
      },
      "Effect": "Allow",
      "Principal": {
        "scp": ["srn:{{Environment}}::{{AccountID}}:::iam:user/{{UserId}}"]
      },
      "Resource": ["{{CloudFunctionSrn}}"],
      "Sid": "Statement1"
    }
  ],
  "Version": "2024-07-01"
}
```

Policy example
```json
{
  "Statement": [
    {
      "Action": ["scf:InvokeFunction"],
      "Condition": {
        "StringEquals": {
          "scf:CloudFunctionAuthType": ["SCP_IAM"]
        }
      },
      "Effect": "Allow",
      "Principal": {
        "scp": ["srn:e::accountID:::iam:user/userID"]
      },
      "Resource": ["srn:e::accountID:kr-west1::scf:cloud-function/functionID"],
      "Sid": "rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr-privatelink-invokefunction"
    }
  ],
  "Version": "2024-07-01"
}
```

The condition key differs between the template (`scf:CloudFunctionPrivatelinkServiceAuthType`) and this example (`scf:CloudFunctionAuthType`); when writing your own policy, use the key that the Policy Template generates for your function, since a condition on a key that is not present in the request never matches and the statement then grants nothing.
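Before registering a policy like the examples above, it is worth running a quick audit over it. The following added script (written for this guide, not a Samsung Cloud Platform tool) flags the things a reviewer looks for in these documents: template placeholders left unfilled, a public Principal, wildcard Actions or Resources, and a Service principal with no Condition scoping which requests the service may make. The finding codes, the shortened Sids and the deliberately weakened variants it audits are this example's own assumptions; the policies are the examples from this guide.

```python
"""Audit checks for Cloud Functions resource-based policies.

Added example for this guide, not a Samsung Cloud Platform tool. Finding codes
are this example's own; the policies below are the guide's examples, and the
weakened variants are constructed here to show what each check catches.
"""
import copy
import json
from typing import Any, Dict, List, Tuple

PUBLIC_URL_POLICY = json.loads("""{
  "Statement": [{
    "Action": ["scf:InvokeFunctionUrl"],
    "Condition": {"StringEquals": {"scf:CloudFunctionAuthType": ["NONE"]}},
    "Effect": "Allow", "Principal": "*",
    "Resource": ["srn:e::accountID:kr-west1::scf:cloud-function/functionsID"],
    "Sid": "InvokeFunctionURLAllowPublicAccess"}],
  "Version": "2024-07-01"}""")

API_GATEWAY_POLICY = json.loads("""{
  "Statement": [{
    "Action": ["scf:InvokeFunction"],
    "Condition": {"SrnLike": {"scp:RequestAttribute/body['x-scf-request-obj-srn']":
      ["srn:e::accountID:kr-west1::apigateway:method/MethodID/*/GET/test"]}},
    "Effect": "Allow", "Principal": {"Service": ["apigateway.samsungsdscloud.com"]},
    "Resource": ["srn:e::accountID:kr-west1::scf:cloud-function/functionID"],
    "Sid": "ApiGatewayTrigger"}],
  "Version": "2024-07-01"}""")

PRIVATELINK_TEMPLATE = json.loads("""{
  "Statement": [{
    "Action": ["scf:InvokeFunction"],
    "Condition": {"StringEquals": {"scf:CloudFunctionPrivatelinkServiceAuthType": ["SCP_IAM"]}},
    "Effect": "Allow", "Principal": {"scp": ["srn:{{Environment}}::{{AccountID}}:::iam:user/{{UserId}}"]},
    "Resource": ["{{CloudFunctionSrn}}"], "Sid": "Statement1"}],
  "Version": "2024-07-01"}""")


def _values(obj: Any) -> List[str]:
    # Flatten a Principal / Action / Resource / Condition field into its string values.
    if isinstance(obj, str):
        return [obj]
    if isinstance(obj, list):
        return [s for item in obj for s in _values(item)]
    if isinstance(obj, dict):
        return [s for v in obj.values() for s in _values(v)]
    return []


def audit(policy: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (Sid, finding) pairs for Allow statements; an empty list means clean."""
    findings: List[Tuple[str, str]] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        condition = stmt.get("Condition") or {}
        actions = _values(stmt.get("Action", []))
        resources = _values(stmt.get("Resource", []))
        # Placeholders such as {{CloudFunctionSrn}} mean the template was never filled in.
        if any("{{" in s for s in _values(principal) + resources + _values(condition)):
            findings.append((sid, "template-placeholder"))
        # Principal "*" matches every caller; acceptable only for a deliberately public URL.
        if principal == "*":
            findings.append((sid, "public-principal"))
        if any("*" in a for a in actions):
            findings.append((sid, "wildcard-action"))
        if any("*" in r for r in resources):
            findings.append((sid, "wildcard-resource"))
        # A service principal without a Condition lets any request that service makes
        # invoke the function, not only the intended API Gateway method.
        if isinstance(principal, dict) and "Service" in principal and not condition:
            findings.append((sid, "unscoped-service-principal"))
    return findings


def without_condition(policy: Dict[str, Any]) -> Dict[str, Any]:
    # Constructed weakened variant: the same policy with every Condition removed.
    weakened = copy.deepcopy(policy)
    for stmt in weakened["Statement"]:
        stmt.pop("Condition", None)
    return weakened


if __name__ == "__main__":
    for name, policy in [("public url", PUBLIC_URL_POLICY),
                         ("api gateway", API_GATEWAY_POLICY),
                         ("api gateway, no condition", without_condition(API_GATEWAY_POLICY)),
                         ("privatelink template", PRIVATELINK_TEMPLATE)]:
        print(name, audit(policy))
```

The public-URL finding is expected for the Authentication Type None template; the point of the check is that it never appears on a function that was not meant to be public. The unscoped-service-principal finding is the one to treat as a defect: the API Gateway template always carries the SrnLike condition, and removing it widens the grant to every request the service makes.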