Authorize a RAM user to manage alert rules

Edit in GitHub

Last Updated: Aug 10, 2020 Edit in GitHub

This topic describes how to authorize a Resource Access Management (RAM) user to manage alert rules.

Background information

You can use your Alibaba Cloud account to authorize a RAM user to manage alert rules.

You can authorize a RAM user by attaching one of the following permission policies to the RAM user:

The AliyunLogFullAccess system policy. If you attach this policy to a RAM user, the RAM user has full permissions on Log Service resources. For more information, see Authorize a RAM user to connect to Log Service.
A custom policy. You must create a policy that specifies the permissions to create and modify alert rules, and then attach the policy to the RAM user. This topic describes how to authorize a RAM user by using a custom policy.

Procedure

Log on to the RAM console.

Create a policy.

In the left-side navigation pane, choose Permissions > Policies.
On the Policies page, click Create Policy.

On the Create Custom Policy page, set the parameters and click OK. The following table describes the parameters.

Parameter Description

Name The name of the policy.

Configuration Mode The mode in which you want to specify the policy content. Select Script.

Parameter	Description
Name	The name of the policy.
Configuration Mode	The mode in which you want to specify the policy content. Select Script.
Policy Document	The content of the policy. Replace the content in the text box with the following script. Replace <Project name> in the script with the name of your Log Service project. `{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "log:CreateLogStore", "log:CreateIndex", "log:UpdateIndex" ], "Resource": "acs:log:::project/<Project name>/logstore/internal-alert-history" }, { "Effect": "Allow", "Action": [ "log:CreateDashboard", "log:CreateChart", "log:UpdateDashboard" ], "Resource": "acs:log:::project/<Project name>/dashboard/" }, { "Effect": "Allow", "Action": [ "log:" ], "Resource": "acs:log:::project/<Project name>/job/*" } ] }`

Policy Document

The content of the policy. Replace the content in the text box with the following script.

Replace <Project name> in the script with the name of your Log Service project.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "log:CreateLogStore",
        "log:CreateIndex",
        "log:UpdateIndex"
      ],
      "Resource": "acs:log:*:*:project/<Project name>/logstore/internal-alert-history"
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:CreateDashboard",
        "log:CreateChart",
        "log:UpdateDashboard"
      ],
      "Resource": "acs:log:*:*:project/<Project name>/dashboard/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:*"
      ],
      "Resource": "acs:log:*:*:project/<Project name>/job/*"
    }
  ]
}

Create a RAM user. For more information, see Create a RAM user.
If a RAM user is available, skip this step.
Authorize the RAM user.
1. In the left-side navigation pane, choose Identities > Users.
2. On the Users page, find the RAM user, and click Add Permissions in the Actions column.
3. In the Select Policy section, click Custom Policy, select the policy that you created in Step 2, and then click OK.
4. Click Complete.