When a RAM user uses OpenAPI Explorer to access Log Service resources, Log Service sends a request to RAM to verify that the user has the required permissions to access these resources. This topic describes the authentication rules that are applied when a RAM user uses Log Service API operations to access the resources of an Alibaba Cloud account.
Logstore
Each Log Service API operation determines the permissions to check based on different resources and the API syntax. The following table describes the authentication rules for each API operation.
| Action |
Resource |
| log:GetLogStore |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logstore/${logstoreName} |
| log:ListLogStores |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logstore/* |
| log:CreateLogStore |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logstore/* |
| log:DeleteLogStore |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logstore/${logstoreName} |
| log:UpdateLogStore |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logstore/${logstoreName} |
loghub
The following table describes the authentication rules for API operations relevant to data writing and consumption. The GetCursor and GetLogs API operations are included in the action named GetCursorOrData.
| Action |
Resource |
| log:GetCursorOrData |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logstore/${logstoreName} |
| log:ListShards |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logstore/${logstoreName} |
| log:PostLogStoreLogs |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logstore/${logstoreName} |
config
| Action |
Resource |
| log:CreateConfig |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logtailconfig/* |
| log:UpdateConfig |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logtailconfig/${logtailConfigName} |
| log:DeleteConfig |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logtailconfig/${logtailConfigName} |
| log:GetConfig |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logtailconfig/${logtailConfigName} |
| log:ListConfig |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logtailconfig/* |
machinegroup
| Actions |
Resources |
| log:CreateMachineGroup |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/machinegroup/* |
| log:UpdateMachineGroup |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/machinegroup/${machineGroupName} |
| log:DeleteMachineGroup |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/machinegroup/${machineGroupName} |
| log:GetMachineGroup |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/machinegroup/${machineGroupName} |
| log:ListMachineGroup |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/machinegroup/* |
| log:ListMachines |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/machinegroup/${machineGroupName} |
API operations relevant to the interaction between Logtail configuration files and machine groups
| Actions |
Resources |
| log:ApplyConfigToGroup |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logtailconfig/${logtailConfigName} acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/machinegroup/${machineGroupName} |
| log:RemoveConfigFromGroup |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logtailconfig/${logtailConfigName} acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/machinegroup/${machineGroupName} |
| log:GetAppliedMachineGroups |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logtailconfig/${logtailConfigName} |
| log:GetAppliedConfigs |
acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/machinegroup/${machineGroupName} |