
Overview

Last Updated: Apr 12, 2018

Access Log Service resources of your primary account as a RAM user after RAM authorization

The projects, Logstores, configurations, and machine groups you create are your own resources. By default, you have full operation permissions on your resources, and can use all APIs described in this document to perform operations on them.

However, when a primary account has a Resource Access Management (RAM) user, that RAM user has no permission to operate on resources of the primary account when it is first created. You must use RAM authorization to grant the RAM user permissions to perform operations on resources of the primary account.

Note: Before using RAM to grant a RAM user the permissions to access Log Service resources of a primary account, make sure that you have carefully read Create a RAM user and RAM introduction.

Three authorization policies for Log Service are available in the RAM console.

  • AliyunLogFullAccess

    This policy is used to grant a RAM user the full access permission to Log Service resources of a primary account. The authorization policy is described as follows:

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "log:*",
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

  • AliyunLogReadOnlyAccess

    This policy is used to grant a RAM user the read-only permission to Log Service resources of a primary account. The authorization policy is described as follows:

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:Get*",
            "log:List*"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

  • Query data of a specific Logstore in the console

    This policy is used to grant a RAM user read-only permission to the resources of a specific Logstore of a primary account. After the authorization, the RAM user can query logs, extract logs, and view the Logstore list in the console. The authorization policy is described as follows:

    {
      "Version": "1",
      "Statement": [
        {
          "Action": ["log:ListProject", "log:ListLogStores"],
          "Resource": ["acs:log:*:*:project/<specific project name>/*"],
          "Effect": "Allow"
        },
        {
          "Action": ["log:Get*"],
          "Resource": ["acs:log:*:*:project/<specific project name>/logstore/<specific Logstore name>"],
          "Effect": "Allow"
        }
      ]
    }
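
To check before attaching a policy how far the Logstore-scoped policy narrows access compared with AliyunLogReadOnlyAccess, the following added example (not part of the original documentation, and not RAM's own evaluator) runs sample requests against both. It assumes a simplified matching model in which `*` matches any run of characters; the project name, Logstore names, region, account ID, and the requested action names are constructed sample values.

```python
import re

# Assumed placeholder values substituted for the page's <specific ...> fields.
PROJECT, LOGSTORE = "web-prod", "access-log"

SCOPED = {"Version": "1", "Statement": [
    {"Action": ["log:ListProject", "log:ListLogStores"],
     "Resource": [f"acs:log:*:*:project/{PROJECT}/*"],
     "Effect": "Allow"},
    {"Action": ["log:Get*"],
     "Resource": [f"acs:log:*:*:project/{PROJECT}/logstore/{LOGSTORE}"],
     "Effect": "Allow"},
]}
READ_ONLY = {"Version": "1", "Statement": [
    {"Action": ["log:Get*", "log:List*"], "Resource": "*", "Effect": "Allow"},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # Simplification: "*" matches any run of characters; the rest is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def is_allowed(policy, action, resource):
    """True if some Allow statement covers the request and no Deny does."""
    allowed = False
    for stmt in policy["Statement"]:
        hit = (any(_matches(p, action) for p in _as_list(stmt["Action"]))
               and any(_matches(p, resource) for p in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or hit
    return allowed


# Constructed sample requests (region and account ID are made up).
BASE = f"acs:log:cn-hangzhou:1234567890:project/{PROJECT}/logstore/"
REQUESTS = [
    ("log:GetLogStoreLogs", BASE + LOGSTORE),     # query the named Logstore
    ("log:GetLogStoreLogs", BASE + "audit-log"),  # query a sibling Logstore
    ("log:PostLogStoreLogs", BASE + LOGSTORE),    # write to the named Logstore
]

if __name__ == "__main__":
    for action, resource in REQUESTS:
        print(action, resource.rsplit("/", 1)[-1],
              "scoped:", is_allowed(SCOPED, action, resource),
              "read-only:", is_allowed(READ_ONLY, action, resource))
```

Under this model, only the read-only policy allows the query against the sibling Logstore, and neither policy allows the write.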

If you do not need to grant a RAM user permissions to access Log Service resources of a primary account, skip this section. Skipping this section does not affect your understanding and usage of Log Service.

For more information, see:
