Cloud Function Security Rules
Overview
Cloud Function Security Rules is a permission management system based on user identity, which controls function invocation permissions according to the identity of the currently logged-in user. By configuring security rules, you can precisely control which users can invoke specific cloud functions, thereby ensuring application security.
Applicable Scope
Cloud Function Security Rules apply to the following invocation scenarios:
- The callFunction operation in the Client SDK
- End-user invocations such as Mini Programs and Web Applications
Non-applicable Scenarios:
- Administrative API invocation
- HTTP trigger invocation
- Scheduled trigger invocation
- Database trigger invocation
Configuration Method
1. Go to console configuration
- Log in to Tencent Cloud Development Console/Cloud Functions
- Select the corresponding environment
- Go to the "Security Rules" page
- Select the "Cloud Function" tab
2. Write security rules
Function Security Rules are configured at the environment level, where all functions within the environment share a single configuration file. The configuration uses JSON format and has the following hierarchical structure:
Configuration Hierarchy Description:
- top-level key: represents the function name; the special key * represents a wildcard rule for all functions.
- operation key: represents the operation type; currently only invoke (call) is supported.
- rule value: can be a Boolean value or a security rule expression string.
Matching Priority:
- Priority is given to matching specific function name configurations
- If no specific function name is matched, the * wildcard configuration is used.
Configuration Example
Basic Configuration
{
  "*": {
    "invoke": "auth != null"
  }
}
Composite Configuration Example
{
  "*": {
    "invoke": "auth != null"
  },
  "function1": {
    "invoke": false
  }
}
Configuration Requirements:
- The top-level configuration of security rules must include a configuration with key *.
- The configuration under each function must include the invoke configuration.
Supported Rule Types
Currently, Cloud Function Security Rules support the following three configurations:
| Rule Value | Description | Applicable Scenarios |
|---|---|---|
| true | Allow all users to invoke | Public interfaces, such as obtaining announcement information |
| false | Prohibit all users from invoking | Deprecated or internal functions |
| "auth != null" | Only logged-in users can invoke | Business functions requiring user authentication |
Configuration Requirements
- The top-level configuration of security rules must include a wildcard configuration with key *.
- Each function configuration must include the invoke operation configuration.
- By default, all functions require users to log in before they can be invoked.
Frequently Asked Questions
Q: How to test if security rules are in effect?
A: You can test by invoking functions through the client SDK:
- When invoking a function that requires login while unauthenticated, a permission error should be returned.
- After logging in, invoking the same function should execute normally.
Q: Can different permissions be set for different users?
A: The current version only supports simple permission control based on login status. For more complex permission control, it is recommended to perform user identity and authorization verification within the function.