Before you manage Message Service (MNS) logs as a RAM user, you must authorize the RAM user. This article describes how to authorize a RAM user to manage MNS logs.

Step 1: Create custom policies

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Custom Policy page, enter a policy name and note, and select Script as the configuration mode. In the Policy Document section, enter a script. Then, click OK.

    The following table lists the required policies.

    Policy name Description Policy script
    RamListRolesPolicy Permissions to access the list of RAM roles
    {
        "Version":"1",
        "Statement":[
            {
                "Effect":"Allow",
                "Action":"ram:ListRoles",
                "Resource":"acs:ram:*:*:*"
            }
        ]
    }
    MNSAccessAccountAttr Permissions to view and configure Alibaba Cloud accounts
    {
        "Version":"1",
        "Statement":[
            {
                "Effect":"Allow",
                "Action":[
                    "mns:SetAccountAttributes",
                    "mns:GetAccountAttributes"
                ],
                "Resource":"acs:mns:*:*:*"
            }
        ]
    }
    LogServiceListPolicy Permissions to access the list of Log Service projects and Logstores
    {
        "Version":"1",
        "Statement":[
            {
                "Effect":"Allow",
                "Action":"log:List*",
                "Resource":"acs:log:*:*:*"
            }
        ]
    }
    OSSListBuckets Permissions to access the list of OSS buckets
    {
        "Version":"1",
        "Statement":[
            {
                "Effect":"Allow",
                "Action":"oss:ListBuckets",
                "Resource":"acs:oss:*:*:*"
            }
        ]
    }

Step 2: Authorize the RAM user

After you create the policies, you must attach the policies to the RAM user.

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the user to which you want to grant permissions, and click Add Permissions in the Actions column.
  4. In the Add Permissions dialog box, select Custom Policy in the Select Policy section. Specify the four permission policies that you created in Step 1. Click OK.
  5. Click Complete.