Resource-based Policy Guide
Resource-based policy overview
A resource-based policy in Cloud Functions is a policy attached to a resource that decides whether an action (Action) on that resource is allowed or denied (Effect) for a given principal (Principal). With a resource-based policy you define directly which principals may invoke a function.
You can allow function invocation by defining the following in a resource-based policy.
- Users of a specified Samsung Cloud Platform account
- A specified source IP address range or CIDR block
The policy is a JSON policy document attached to the function (the resource) that controls whether the specified security principal (typically an IAM role or group) can invoke it.
| Category | Description | Example |
|---|---|---|
| Principal | Specifies the caller of the function | A specific Object Storage bucket, API Gateway, another Samsung Cloud Platform account, etc. |
| Action | Defines the allowed operations | Mostly scf:InvokeFunction |
| Condition | Restricts the grant to specific situations | Allow only requests originating from a bucket with a specific SRN |
- Resource-based policies in Cloud Functions follow the rules of IAM resource-based policies.
- For instructions on creating or modifying policies in JSON, refer to the JSON Mode Utilization Guide.
Resource-based policy usage scenario
The primary use cases for resource-based policies are as follows.
Resource-based policy scenario
The resource-based policy scenarios used when a Cloud Functions function is invoked are as follows.
| Category | Description | Reference example |
|---|---|---|
| Function URL - Authentication Type None | Required when creating a function URL for invocation. | Function URL (Auth Type None) example |
| Function URL - Authentication Type IAM | Required when creating a function URL that is invoked with IAM authentication. | Function URL (Auth Type IAM) example |
| API Gateway trigger | Required when API Gateway calls Lambda to handle external API requests. | API Gateway trigger example |
| PrivateLink connection | Connect a PrivateLink Service to expose the function for private access from another VPC. | PrivateLink connection example |
User addition usage scenario
The following policies are not registered automatically by Cloud Functions, but users can add them as needed. The scenarios users can add and use are as follows.
- Cross-Account Access
  - If an IAM user in account A wants to invoke a Lambda in account B, register account A in the function policy of account B.
- Hybrid Access Control
  - Access can be configured to be allowed only when both conditions are met, a specific user and a specific IP range, rather than restricting by account or IP alone.
Resource-based policy management for Cloud Functions
To view and configure resource-based policies for Cloud Functions, follow these steps.
- Click the All Services > Compute > Cloud Functions menu. Navigate to the Service Home page of Cloud Functions.
- On the Service Home page, click the Function menu. You will be taken to the Function list page.
- On the Function List page, click the resource for which you want to set a policy. You will be taken to the Function Details page.
- Click the Configuration tab on the Function Details page.
- Click the Edit button of the Resource-based policy permission item. The Resource policy edit popup window opens.
- In the Resource policy edit popup, select a Policy Template and then write the policy.
  - For policy examples by policy template, refer to Resource-based policy examples.
- When the writing is complete, click the Confirm button.
- Click the Delete button to delete the registered policy.
Example of resource-based policy
Users can define additional resource-based policies as needed or modify existing policies.
- For some features, a resource-based policy (or credential) must be registered before they can be used in Cloud Functions.
- The example resource-based policies in this guide are registered automatically by Cloud Functions when each feature is enabled or linked.
Function URL - Authentication Type None
This policy sets Principal to "*" and allows public (unauthenticated) invocation of the function URL.
Policy Template
```json
{
  "Statement": [
    {
      "Action": ["scf:InvokeFunctionUrl"],
      "Condition": {
        "StringEquals": {
          "scf:CloudFunctionAuthType": ["NONE"]
        }
      },
      "Effect": "Allow",
      "Principal": "*",
      "Resource": ["{{CloudFunctionSrn}}"],
      "Sid": "InvokeFunctionURLAllowPublicAccess"
    }
  ],
  "Version": "2024-07-01"
}
```
Policy example
```json
{
  "Statement": [
    {
      "Action": ["scf:InvokeFunctionUrl"],
      "Condition": {
        "StringEquals": {
          "scf:CloudFunctionAuthType": ["NONE"]
        }
      },
      "Effect": "Allow",
      "Principal": "*",
      "Resource": ["srn:e::accountID:kr-west1::scf:cloud-function/functionsID"],
      "Sid": "InvokeFunctionURLAllowPublicAccess"
    }
  ],
  "Version": "2024-07-01"
}
```
Function URL - Authentication Type IAM
This policy permits a specific IAM user to invoke the function URL (authentication type IAM).
Policy Template
```json
{
  "Statement": [
    {
      "Action": ["scf:InvokeFunctionUrl"],
      "Condition": {
        "StringEquals": {
          "scf:CloudFunctionAuthType": ["SCP_IAM"]
        }
      },
      "Effect": "Allow",
      "Principal": {
        "scp": ["srn:{{Environment}}::{{AccountID}}:::iam:user/{{UserId}}"]
      },
      "Resource": ["{{CloudFunctionSrn}}"],
      "Sid": "Statement1"
    }
  ],
  "Version": "2024-07-01"
}
```
Policy example
```json
{
  "Statement": [
    {
      "Action": ["scf:InvokeFunctionUrl"],
      "Condition": {
        "StringEquals": {
          "scf:CloudFunctionAuthType": ["SCP_IAM"]
        }
      },
      "Effect": "Allow",
      "Principal": "*",
      "Resource": ["srn:e::accountID:kr-west1::scf:cloud-function/functionsID"],
      "Sid": "accountID-iam-invokefunctionurl"
    }
  ],
  "Version": "2024-07-01"
}
```
API Gateway trigger
This policy allows the API Gateway service principal (apigateway.samsungsdscloud.com) to invoke the function; the SrnLike condition limits the grant to requests coming from a specific API Gateway method SRN.
Policy Template
```json
{
  "Statement": [
    {
      "Action": ["scf:InvokeFunction"],
      "Condition": {
        "SrnLike": {
          "scp:RequestAttribute/body['x-scf-request-obj-srn']": ["{{ApiGatewayMethodSrn}}"]
        }
      },
      "Effect": "Allow",
      "Principal": {
        "Service": ["apigateway.samsungsdscloud.com"]
      },
      "Resource": ["{{CloudFunctionSrn}}"],
      "Sid": "Statement1"
    }
  ],
  "Version": "2024-07-01"
}
```
Policy example
```json
{
  "Statement": [
    {
      "Action": [
        "scf:InvokeFunction"
      ],
      "Condition": {
        "SrnLike": {
          "scp:RequestAttribute/body['x-scf-request-obj-srn']": [
            "srn:e::accountID:kr-west1::apigateway:method/MethodID/*/GET/test"
          ]
        }
      },
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "apigateway.samsungsdscloud.com"
        ]
      },
      "Resource": [
        "srn:e::accountID:kr-west1::scf:cloud-function/functionID"
      ],
      "Sid": "999e9a9999de4d4683c9e10c74ee999z"
    }
  ],
  "Version": "2024-07-01"
}
```
PrivateLink connection
This policy allows specific users to invoke the function through a PrivateLink endpoint.
Policy Template
```json
{
  "Statement": [
    {
      "Action": ["scf:InvokeFunction"],
      "Condition": {
        "StringEquals": {
          "scf:CloudFunctionPrivatelinkServiceAuthType": ["SCP_IAM"]
        }
      },
      "Effect": "Allow",
      "Principal": {
        "scp": ["srn:{{Environment}}::{{AccountID}}:::iam:user/{{UserId}}"]
      },
      "Resource": ["{{CloudFunctionSrn}}"],
      "Sid": "Statement1"
    }
  ],
  "Version": "2024-07-01"
}
```
Policy example
```json
{
  "Statement": [
    {
      "Action": [
        "scf:InvokeFunction"
      ],
      "Condition": {
        "StringEquals": {
          "scf:CloudFunctionAuthType": [
            "SCP_IAM"
          ]
        }
      },
      "Effect": "Allow",
      "Principal": {
        "scp": [
          "srn:e::accountID:::iam:user/userID"
        ]
      },
      "Resource": [
        "srn:e::accountID:kr-west1::scf:cloud-function/functionID"
      ],
      "Sid": "accountID-privatelink-invokefunction"
    }
  ],
  "Version": "2024-07-01"
}
```
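The examples above are the policies that grant access; the thing a reviewer usually wants is a quick way to tell which of a function's statements open it to anonymous callers or to principals outside the owning account (the cross-account scenario described earlier). The following audit script is an added example, not part of this guide or of the Cloud Functions service: it parses policy documents in the JSON shape shown above, using the page's condition key scf:CloudFunctionAuthType and the SRN layout srn:e::accountID:... (account in the fourth colon field). The two policies inside it are constructed samples with placeholder account and user IDs.

```python
import json

# Constructed sample modelled on the Function URL (Auth Type None) example above.
PUBLIC_URL_POLICY = """{"Version": "2024-07-01", "Statement": [{
  "Sid": "InvokeFunctionURLAllowPublicAccess", "Effect": "Allow", "Principal": "*",
  "Action": ["scf:InvokeFunctionUrl"],
  "Condition": {"StringEquals": {"scf:CloudFunctionAuthType": ["NONE"]}},
  "Resource": ["srn:e::accountID:kr-west1::scf:cloud-function/functionsID"]}]}"""

# Constructed sample modelled on the IAM template: a user from accountA is granted
# access to a function owned by accountB (placeholder IDs, not real accounts).
CROSS_ACCOUNT_POLICY = """{"Version": "2024-07-01", "Statement": [{
  "Sid": "CrossAccountInvoke", "Effect": "Allow",
  "Principal": {"scp": ["srn:e::accountA:::iam:user/userA"]},
  "Action": ["scf:InvokeFunctionUrl"],
  "Condition": {"StringEquals": {"scf:CloudFunctionAuthType": ["SCP_IAM"]}},
  "Resource": ["srn:e::accountB:kr-west1::scf:cloud-function/functionID"]}]}"""


def srn_account(srn: str) -> str:
    """Account field of an SRN such as srn:e::accountID:::iam:user/userID (index 3)."""
    parts = srn.split(":")
    return parts[3] if len(parts) > 3 else ""


def audit_policy(doc: str, own_account: str) -> list[str]:
    """Return one finding per Allow statement that deserves a second look."""
    policy = json.loads(doc)  # rejects the missing commas / unquoted strings the console also rejects
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        cond = stmt.get("Condition", {})
        auth = cond.get("StringEquals", {}).get("scf:CloudFunctionAuthType", [])
        principal = stmt.get("Principal")
        if principal == "*":
            # Wildcard principal: anonymous if auth type NONE, unconstrained if no Condition at all.
            if "NONE" in auth:
                findings.append(f"{sid}: anonymous invocation allowed (Principal * with auth type NONE)")
            elif not cond:
                findings.append(f"{sid}: wildcard Principal with no Condition")
        elif isinstance(principal, dict):
            # Named IAM principals: flag any that belong to another account.
            for srn in principal.get("scp", []):
                if srn_account(srn) != own_account:
                    findings.append(f"{sid}: cross-account principal from {srn_account(srn)}: {srn}")
        for action in stmt.get("Action", []):
            if action.endswith("*"):
                findings.append(f"{sid}: wildcard Action {action}")
    return findings
```

Run it over each function's registered policy with the owning account ID; an empty list means no public or cross-account grant was found, and a JSON error means the document would not have been accepted by the policy editor either.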