When a RAM user uses OpenAPI Explorer to access Log Service resources, Log Service sends a request to RAM to verify that the user has the required permissions to access these resources. This topic describes the authentication rules that are applied when a RAM user uses Log Service API operations to access the resources of an Alibaba Cloud account.

Logstore

For each API operation, Log Service determines the permissions to check based on the resources involved and the API syntax. The following table describes the authentication rules for each API operation.

| Action | Resource |
| --- | --- |
| `log:GetLogStore` | `acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logstore/${logstoreName}` |
| `log:ListLogStores` | `acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logstore/*` |
| `log:CreateLogStore` | `acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logstore/*` |
| `log:DeleteLogStore` | `acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logstore/${logstoreName}` |
| `log:UpdateLogStore` | `acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logstore/${logstoreName}` |

loghub

The following table describes the authentication rules for API operations relevant to data writing and consumption. The GetCursor and GetLogs API operations are included in the action named GetCursorOrData.

| Action | Resource |
| --- | --- |
| `log:GetCursorOrData` | `acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logstore/${logstoreName}` |
| `log:ListShards` | `acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logstore/${logstoreName}` |
| `log:PostLogStoreLogs` | `acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logstore/${logstoreName}` |

config

| Action | Resource |
| --- | --- |
| `log:CreateConfig` | `acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logtailconfig/*` |
| `log:UpdateConfig` | `acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logtailconfig/${logtailConfigName}` |
| `log:DeleteConfig` | `acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logtailconfig/${logtailConfigName}` |
| `log:GetConfig` | `acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logtailconfig/${logtailConfigName}` |
| `log:ListConfig` | `acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logtailconfig/*` |

machinegroup

| Action | Resource |
| --- | --- |
| `log:CreateMachineGroup` | `acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/machinegroup/*` |
| `log:UpdateMachineGroup` | `acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/machinegroup/${machineGroupName}` |
| `log:DeleteMachineGroup` | `acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/machinegroup/${machineGroupName}` |
| `log:GetMachineGroup` | `acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/machinegroup/${machineGroupName}` |
| `log:ListMachineGroup` | `acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/machinegroup/*` |
| `log:ListMachines` | `acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/machinegroup/${machineGroupName}` |

API operations relevant to the interaction between Logtail configuration files and machine groups

| Action | Resource |
| --- | --- |
| `log:ApplyConfigToGroup` | `acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logtailconfig/${logtailConfigName}`, `acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/machinegroup/${machineGroupName}` |
| `log:RemoveConfigFromGroup` | `acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logtailconfig/${logtailConfigName}`, `acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/machinegroup/${machineGroupName}` |
| `log:GetAppliedMachineGroups` | `acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/logtailconfig/${logtailConfigName}` |
| `log:GetAppliedConfigs` | `acs:log:${regionName}:${projectOwnerAliUid}:project/${projectName}/machinegroup/${machineGroupName}` |
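The following added example (not part of the original documentation, and not RAM's own evaluator) uses a subset of the rules above to pre-check a least-privilege policy before attaching it: it expands the resource strings an API call is checked against and tests them against a policy document. It assumes that actions listing two resources need an Allow on both, that a matching Deny overrides any Allow, and that only `*` acts as a wildcard; the region, account ID, and resource names are constructed sample values.

```python
import re

# Resource templates copied from this page's tables (subset), minus the common prefix.
PREFIX = "acs:log:{region}:{uid}:project/{project}/"
RULES = {
    "log:ListLogStores": ["logstore/*"],
    "log:GetCursorOrData": ["logstore/{logstore}"],
    "log:PostLogStoreLogs": ["logstore/{logstore}"],
    "log:ApplyConfigToGroup": ["logtailconfig/{config}", "machinegroup/{group}"],
}

def required_resources(action, **names):
    """Expand the templates for one API call into concrete resource strings."""
    return [(PREFIX + t).format(**names) for t in RULES[action]]

def _match(pattern, value):
    # Simplified model: only '*' is a wildcard; everything else is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _covered(policy, effect, action, resource):
    return any(
        s["Effect"] == effect
        and any(_match(a, action) for a in _as_list(s["Action"]))
        and any(_match(r, resource) for r in _as_list(s["Resource"]))
        for s in policy["Statement"])

def is_allowed(policy, action, **names):
    """Assumption: every listed resource needs an Allow, and any Deny wins."""
    needed = required_resources(action, **names)
    if any(_covered(policy, "Deny", action, r) for r in needed):
        return False
    return all(_covered(policy, "Allow", action, r) for r in needed)

# Constructed sample: a write-only policy for one Logstore (IDs are made up).
WRITER = {"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": "log:PostLogStoreLogs",
    "Resource": "acs:log:cn-hangzhou:1234567890:project/demo/logstore/app-log"}]}
CALL = dict(region="cn-hangzhou", uid="1234567890", project="demo",
            logstore="app-log", config="nginx", group="web")

if __name__ == "__main__":
    for action in RULES:
        print(action, is_allowed(WRITER, action, **CALL))
```

In this model, a policy scoped to a single Logstore does not cover `log:ListLogStores`, which is checked against `logstore/*`, and a policy that names only the Logtail configuration does not cover `log:ApplyConfigToGroup`.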