This topic describes how to authorize a RAM user to manage MNS logs.

Step 1: Create permission policies

You need to create the following four permission policies for the RAM user: RamListRolesPolicy, MNSAccessAccountAttr, LogServiceListPolicy, and OSSListBuckets. For more information about permission policies, see Table 1.

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. Enter a policy name and description.
  5. Select Script for the Configuration Mode and enter the policy script in the Policy Document section.
Note
Table 1. Permission policies
Policy name Description Policy script
RamListRolesPolicy Permission to access a list of RAM roles
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "ram:ListRoles",
"Resource": "acs:ram:*:*:*"
}
]
}
MNSAccessAccountAttr Permissions to view and configure Alibaba Cloud account information after accessing MNS
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action":
[
  "mns:SetAccountAttributes",
  "mns:GetAccountAttributes"
],
"Resource": "acs:mns:*:*:*"
}
]
}
LogServiceListPolicy Permissions to access a list of Log Service projects and Logstores
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "log:List*",
"Resource": "acs:log:*:*:*"
}
]
}
OSSListBuckets Permission to access a list of OSS buckets
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "oss:ListBuckets",
"Resource": "acs:oss:*:*:*"
}
]
}

Step 2: Authorize a RAM user

After creating the permission policies, you need to attach the policies to a RAM user.

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, select the target RAM user and click Add Permissions.
  4. On the Add Permissions page, go to the Select Policy section. Select the four policies that you have created in Step 1: Create permission policies and click OK.