All Products
Search

This Product

    Simple Log Service:Manage the AliyunServiceRoleForSLSAlert service-linked role

    Document Center

    Simple Log Service:Manage the AliyunServiceRoleForSLSAlert service-linked role

    Last Updated:Oct 26, 2023

    Before you access the resources of other cloud services, you must grant the required permissions to Simple Log Service by using the AliyunServiceRoleForSLSAlert service-linked role. This topic describes the scenarios and policy of the AliyunServiceRoleForSLSAlert service-linked role.

    Scenarios

    You can use the AliyunServiceRoleForSLSAlert service-linked role in the following scenarios:

    • View alert details and manage alerts based on alert notifications without the need to log on to the Simple Log Service console.

      For example, after you receive an alert notification from a DingTalk chatbot, you can click the link in the notification to view the alert details and manage alerts. You do not need to log on to the Simple Log Service console by using your PC.

    • Integrate the alerting feature with other cloud services.

      For example, when you create an action group, you can select a cloud service such as Function Compute or EventBridge as a notification method.

    To collect the required information, Simple Log Service must assume the AliyunServiceRoleForSLSAlert service-linked role to obtain the required permissions to read and modify the resources of the cloud services. For more information, see Service-linked roles.

    Description

    • Role name: AliyunServiceRoleForSLSAlert

    • Policy attached to the role: AliyunServiceRolePolicyForSLSAlert

    • Policy document:

      {
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "log:GetJob",
                "log:UpdateJob",
                "log:GetResource",
                "log:ListResources",
                "log:GetResourceRecord",
                "log:ListResourceRecords",
                "log:UpdateResourceRecords"
            ],
            "Resource": [
                "acs:log:*:*:project/*"
            ],
            "Effect": "Allow"
        },
        {
            "Effect": "Allow",
            "Action": [
                "log:GetLogStoreLogs"
            ],
            "Resource": "acs:log:*:*:project/sls-alert-*"
        },
        {
            "Action": [
                "eventbridge:PutEvents"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "fc:InvokeFunction"
            ],
            "Resource": "acs:fc:*:*:services/*/functions/sls-ops-*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "alert.log.aliyuncs.com"
                }
            }
        }
    ]
}