This topic describes how to authorize RAM users to use ActionTrail resources by using system policies or custom policies.

Before you begin

  1. Make sure that you have an Alibaba Cloud account. If you do not have one, create it before proceeding. To create an Alibaba Cloud account, click Create a new Alibaba Cloud account.
  2. View the ActionTrail API actions and their descriptions. For more information, see RAM account authentication.
  3. View the RAM policy structure and syntax. For more information, see RAM account authentication.

Procedure

  1. Create a RAM user.
  2. Grant permission to the RAM user.
    • You can grant the required permissions to the RAM user by attaching one or more of the ActionTrail-related system policies described later in this topic.

      For more information, see Permission granting in RAM.

    • You can grant fine-grained permissions to the RAM user by creating custom policies based on the authorization examples below.

      For more information, see Create a custom policy.

Authorization examples

  • Example 1: As a RAM administrator, grant a user read-only permission.
    {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": [
                "actiontrail:LookupEvents", 
                "actiontrail:Describe*", 
                "actiontrail:Get*"
            ],
            "Resource": "*"
        }]
    }
  • Example 2: As a RAM administrator, grant a user read-only permission when they log on from a specified IP address.
    {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": [
                "actiontrail:LookupEvents", 
                "actiontrail:Describe*", 
                "actiontrail:Get*"
            ],
            "Resource": "*",
            "Condition":{
                "IpAddress": {
                    "acs:SourceIp": "42.120.XX.X/24"
                }
            }
        }]
    }
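
The following check is an added example, not part of the original documentation or of RAM itself. It uses a simplified evaluation model to show which ActionTrail requests the Example 2 policy admits. Assumptions: `203.0.113.0/24` is a constructed CIDR standing in for the masked address above, only `*` is treated as a wildcard, and `Resource` is ignored because both examples use `"*"`.

```python
import ipaddress
import json
import re

# Example 2's policy; 203.0.113.0/24 is a constructed documentation-range CIDR
# standing in for the masked address shown on the page.
POLICY = json.loads("""{
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["actiontrail:LookupEvents", "actiontrail:Describe*", "actiontrail:Get*"],
        "Resource": "*",
        "Condition": {"IpAddress": {"acs:SourceIp": "203.0.113.0/24"}}
    }]
}""")

# ActionTrail API actions used as sample requests.
READ_ACTIONS = ["actiontrail:LookupEvents", "actiontrail:DescribeTrails", "actiontrail:GetTrailStatus"]
WRITE_ACTIONS = ["actiontrail:CreateTrail", "actiontrail:UpdateTrail", "actiontrail:DeleteTrail",
                 "actiontrail:StartLogging", "actiontrail:StopLogging"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(pattern, action):
    # Only "*" is a wildcard here; every other character must match literally.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action) is not None

def _source_ip_ok(statement, source_ip):
    cidrs = statement.get("Condition", {}).get("IpAddress", {}).get("acs:SourceIp")
    if cidrs is None:  # no IP condition: the statement applies from any address
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))

def is_allowed(policy, action, source_ip):
    """Simplified model: a matching Deny wins, else any matching Allow, else implicit deny."""
    allowed = False
    for st in policy["Statement"]:
        hit = any(_action_matches(p, action) for p in _as_list(st["Action"]))
        if hit and _source_ip_ok(st, source_ip):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def allowed_actions(policy, source_ip):
    return [a for a in READ_ACTIONS + WRITE_ACTIONS if is_allowed(policy, a, source_ip)]
```

Running `allowed_actions` against a draft custom policy before attaching it confirms that trail-modifying actions such as `StopLogging` and `DeleteTrail` stay denied and that read access is confined to the intended address range.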