Overview

Last Updated: Nov 07, 2017

Use RAM to access the primary account’s Log Service resources from a subaccount

The project, LogStore, config, and machinegroup you create are your own resources. By default, you have full operation permissions on your resources, and can use all APIs described in this document to perform operations on them.

However, when a primary account has a subaccount, an unauthorized subaccount cannot perform operations on resources of the primary account. You must grant the subaccount permission to operate on those resources through RAM authorization.

Note: Before learning how to use RAM to authorize a subaccount and access resources of a primary account, ensure that you have carefully read the RAM product documentation and API documentation.

Three authorization policies for Log Service are available on the RAM console:

  • AliyunLogFullAccess

    This policy is used to grant a subaccount the full permission to access Log Service resources of a primary account. The authorization policy is described as follows:

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "log:*",
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

  • AliyunLogReadOnlyAccess

    This policy is used to grant a subaccount the read-only permission for Log Service resources of a primary account. The authorization policy is described as follows:

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:Get*",
            "log:List*"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

  • Query data of a specified LogStore on the console

    This policy is used to grant a subaccount that logs on to the console the read-only permission for the specified LogStore resources of a primary account (view and extract logs, and view the LogStore list). The authorization policy is described as follows:

    {
      "Version": "1",
      "Statement": [
        {
          "Action": ["log:ListProject", "log:ListLogStores"],
          "Resource": ["acs:log:*:*:project/<Name of the specified project>/*"],
          "Effect": "Allow"
        },
        {
          "Action": ["log:Get*"],
          "Resource": ["acs:log:*:*:project/<Name of the specified project>/logstore/<Name of the specified LogStore>"],
          "Effect": "Allow"
        }
      ]
    }
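
To compare what each of the three policies above actually permits before attaching one to a subaccount, the following added example (not part of the original documentation and not Alibaba Cloud code) evaluates sample requests against them. It assumes a simplified evaluation model in which only "*" is a wildcard and an explicit Deny overrides Allow; the project name, LogStore names, region, account ID and requested action names are constructed sample values.

```python
import re

# The three policies from this document; project/LogStore names are constructed placeholders.
FULL = {"Version": "1", "Statement": [
    {"Action": "log:*", "Resource": "*", "Effect": "Allow"}]}
READ_ONLY = {"Version": "1", "Statement": [
    {"Action": ["log:Get*", "log:List*"], "Resource": "*", "Effect": "Allow"}]}
SCOPED = {"Version": "1", "Statement": [
    {"Action": ["log:ListProject", "log:ListLogStores"],
     "Resource": ["acs:log:*:*:project/example-project/*"], "Effect": "Allow"},
    {"Action": ["log:Get*"],
     "Resource": ["acs:log:*:*:project/example-project/logstore/example-logstore"],
     "Effect": "Allow"}]}


def _as_list(value):
    # "Action" and "Resource" may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # Assumption: only "*" is a wildcard; every other character is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def is_allowed(policy, action, resource):
    """Simplified model: a matching Deny wins, otherwise any matching Allow grants."""
    allowed = False
    for stmt in policy["Statement"]:
        hit = (any(_matches(a, action) for a in _as_list(stmt["Action"]))
               and any(_matches(r, resource) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed  # no matching statement means implicit deny


# Constructed resource names for the sample requests.
STORE = "acs:log:cn-hangzhou:1234567890:project/example-project/logstore/example-logstore"
OTHER = "acs:log:cn-hangzhou:1234567890:project/example-project/logstore/other-logstore"

if __name__ == "__main__":
    requests = (("log:GetLogStoreLogs", STORE), ("log:GetLogStoreLogs", OTHER),
                ("log:DeleteLogStore", STORE))
    for name, pol in (("full", FULL), ("read-only", READ_ONLY), ("scoped", SCOPED)):
        for action, res in requests:
            print(f"{name:9} {action:20} {res.rsplit('/', 1)[1]:17} {is_allowed(pol, action, res)}")
```

Only the scoped policy refuses to read the second LogStore, and only the full-access policy permits the delete request.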

If you do not need to grant an account the permission to access Log Service resources in another account, you can skip this section. Skipping this section does not affect your understanding and use of the remaining parts of this document.
