You can authorize RAM users to access and use ActionTrail. For example, RAM users that are granted the required permissions can query historical events and manage trails and event alerts.
Prerequisites
- A RAM user is created within your Alibaba Cloud account. For more information, see Create a RAM user.
- The service-linked role AliyunServiceRoleForActionTrail is created for ActionTrail. For more information, see Create the AliyunServiceRoleForActionTrail role.
Procedure
- Log on to the RAM console.
- In the left-side navigation pane, choose .
- On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
- In the Add Permissions panel, set the Authorized Scope parameter to Alibaba Cloud Account and select one or more policies.
- System Policy: the system policies. To specify system policies, select the required policies in
the Authorization Policy Name column.
Policy Description AliyunActionTrailReadOnlyAccess Provides read-only permissions on ActionTrail. AliyunActionTrailFullAccess Provides full permissions on ActionTrail. AliyunOSSReadOnlyAccess Provides read-only permissions on Object Storage Service (OSS). AliyunLogReadOnlyAccess Provides read-only permissions on Log Service. - Custom Policy: the custom policies. Before you can use custom policies, you must create them. To
specify custom policies, select the required policies in the Authorization Policy Name column.
For more information about how to create a custom policy, see Create a custom policy.
- Example 1: Grant a RAM user full permissions on ActionTrail and the permissions to
view OSS buckets and Log Service projects. This way, the RAM user can be used to manage
trails.
The following sample code shows the custom policy:
{ "Version": "1", "Statement": [ { "Action": [ "actiontrail:*", "oss:GetService", "log:ListProject" ], "Resource": "*", "Effect": "Allow" } ] }The following table describes the permissions included in the custom policy.
Permission Description oss:GetService Allows a RAM user to view OSS buckets. log:ListProject Allows a RAM user to view Log Service projects. actiontrail:* Provides full access to ActionTrail. - Example 2: Grant a RAM user the permissions to manage trails in ActionTrail and the
permissions to manage Logstores, indexes, dashboards, charts, and projects in Log
Service. This way, the RAM user can be used to manage event alerts.
The following sample code shows the custom policy:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "actiontrail:DescribeTrails", "actiontrail:SetDefaultTrail", "actiontrail:GetDefaultTrail", "actiontrail:CreateTrail" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "log:CreateLogStore", "log:CreateIndex", "log:UpdateIndex" ], "Resource": [ "acs:log:*:*:project/Project name/logstore/internal-alert-history", "acs:log:*:*:project/sls-alert-*/logstore/internal-alert-center-log" ] }, { "Effect": "Allow", "Action": [ "log:CreateDashboard", "log:CreateChart", "log:UpdateDashboard" ], "Resource": "acs:log:*:*:project/Project name/dashboard/*" }, { "Effect": "Allow", "Action": [ "log:*" ], "Resource": "acs:log:*:*:project/Project name/job/*" }, { "Effect": "Allow", "Action": [ "log:CreateProject" ], "Resource": [ "acs:log:*:*:project/sls-alert-*" ] } ] }The following table describes the permissions included in the custom policy.
Permission Description actiontrail:DescribeTrails Allows a RAM user to query trails. actiontrail:SetDefaultTrail Allows a RAM user to set the default trail for event alerting. actiontrail:GetDefaultTrail Allows a RAM user to query the default trail for event alerting. actiontrail:CreateTrail Allows a RAM user to create a trail. log:CreateLogstore Allows a RAM user to create a Log Service Logstore. log:CreateIndex Allows a RAM user to create an index. log:UpdateIndex Allows a RAM user to update an index. log:CreateDashboard Allows a RAM user to create a dashboard. log:CreateChart Allows a RAM user to create a chart. log:UpdateDashboard Allows a RAM user to update a dashboard. log:CreateProject Allows a RAM user to create a Log Service project.
- Example 1: Grant a RAM user full permissions on ActionTrail and the permissions to
view OSS buckets and Log Service projects. This way, the RAM user can be used to manage
trails.
- System Policy: the system policies. To specify system policies, select the required policies in
the Authorization Policy Name column.
- Click OK.
- Click Complete.