
Simple Log Service: Overview

Last Updated: Oct 26, 2023

This topic describes how to access Log Service resources of an Alibaba Cloud account as a Resource Access Management (RAM) user. You can access these resources only after you grant the RAM user the required permissions by using RAM.

Background information

You can create projects, Logstores, Logtail configurations, and machine groups in Log Service. By default, you have full permissions on these resources. You can use the resources by calling the related API operations.

However, if you use your Alibaba Cloud account to create a RAM user, the RAM user has no permission to use your resources. To allow the RAM user to use your resources, you must grant the required permissions to the RAM user.

Note: For more information about how to grant a RAM user the permissions to access Log Service resources, see "Create a RAM role whose trusted entity is an Alibaba Cloud account and authorize the RAM role to access Simple Log Service" and "RAM overview".

If you do not need to grant other users the permissions to access Log Service resources of your Alibaba Cloud account, you can skip this section. Skipping it does not affect your understanding of other sections.

RAM policies

You can attach the following policies to a RAM user. Then, the RAM user has the corresponding permissions on your Log Service resources.
  • AliyunLogFullAccess
    If you attach this policy to a RAM user, the RAM user has full permissions to access Log Service resources of your Alibaba Cloud account. The following example shows the policy:
      {
        "Version": "1",
        "Statement": [
          {
            "Action": "log:*",
            "Resource": "*",
            "Effect": "Allow"
          }
        ]
      }
  • AliyunLogReadOnlyAccess
    If you attach this policy to a RAM user, the RAM user has read-only permissions to access Log Service resources of your Alibaba Cloud account. The following example shows the policy:
      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "log:Get*",
              "log:List*"
            ],
            "Resource": "*",
            "Effect": "Allow"
          }
        ]
      }
  • Upload data to a specified Logstore
    If you attach this policy to a RAM user, the RAM user has the permissions to upload data to a specified Logstore by using the API operations and SDKs. The following example shows the policy:
      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "log:Post*",
              "log:BatchPost*"
            ],
            "Resource": ["acs:log:*:*:project/<The name of the specified project>/logstore/<The name of the specified Logstore>"],
            "Effect": "Allow"
          }
        ]
      }
  • Query data of a specified Logstore in the console
    If you attach this policy to a RAM user, the RAM user has read-only permissions to query the data of a specified Logstore in the console. The permissions allow the RAM user to query logs, pull logs, and view the Logstore list. The following example shows the policy:
      {
        "Version": "1",
        "Statement": [
          {
            "Action": ["log:List*"],
            "Resource": ["acs:log:*:*:project/<The name of the specified project>/*"],
            "Effect": "Allow"
          },
          {
            "Action": ["log:Get*"],
            "Resource": ["acs:log:*:*:project/<The name of the specified project>/logstore/<The name of the specified Logstore>"],
            "Effect": "Allow"
          }
        ]
      }
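
The following Python sketch is an added example, not part of the original Alibaba Cloud documentation. It evaluates the policies shown above with a simplified model of RAM matching (only the `*` wildcard, an explicit Deny overrides Allow, no match means deny) to show what each policy actually permits. The account ID, region, project name, and Logstore names are constructed sample values, and `is_allowed` is a hypothetical helper.

```python
import re

def _as_list(value):
    # The page's policies write Action/Resource both as a string and as a list.
    return [value] if isinstance(value, str) else list(value)

def _matches(pattern, value):
    # Simplified: only the "*" wildcard used in the page's policies is modelled.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def is_allowed(policy, action, resource):
    """Hypothetical helper: True if an Allow statement matches and no Deny does."""
    allowed = False
    for stmt in policy["Statement"]:
        hit = (any(_matches(a, action) for a in _as_list(stmt["Action"]))
               and any(_matches(r, resource) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False          # explicit Deny always wins
        if hit and stmt["Effect"] == "Allow":
            allowed = True
    return allowed                # no matching statement means implicit deny

# Constructed sample values: account ID, region, project and Logstore names.
PREFIX = "acs:log:cn-hangzhou:1234567890123456:project/demo-project"
APP = PREFIX + "/logstore/app-logs"
AUDIT = PREFIX + "/logstore/audit-logs"

FULL_ACCESS = {"Version": "1", "Statement": [
    {"Action": "log:*", "Resource": "*", "Effect": "Allow"}]}

UPLOAD_ONLY = {"Version": "1", "Statement": [
    {"Action": ["log:Post*", "log:BatchPost*"],
     "Resource": ["acs:log:*:*:project/demo-project/logstore/app-logs"],
     "Effect": "Allow"}]}

CONSOLE_QUERY = {"Version": "1", "Statement": [
    {"Action": ["log:List*"],
     "Resource": ["acs:log:*:*:project/demo-project/*"], "Effect": "Allow"},
    {"Action": ["log:Get*"],
     "Resource": ["acs:log:*:*:project/demo-project/logstore/app-logs"],
     "Effect": "Allow"}]}

if __name__ == "__main__":
    for name, pol in [("full", FULL_ACCESS), ("upload", UPLOAD_ONLY), ("query", CONSOLE_QUERY)]:
        for act, res in [("log:PostLogStoreLogs", APP), ("log:GetLogStoreLogs", APP),
                         ("log:GetLogStoreLogs", AUDIT), ("log:DeleteLogStore", APP)]:
            print(name, act, res.rsplit("/", 1)[-1], is_allowed(pol, act, res))
```

The output makes the difference in blast radius visible: the full-access policy permits deleting a Logstore, while the scoped upload policy permits only writes to the one named Logstore.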

References