Before you use a RAM user to manage Message Service (MNS) logs, you grant the required permissions to the RAM user. This topic describes how to authorize a RAM user to manage MNS logs.
Step 1: Create custom policies
Log on to the RAM console as a RAM user who has administrative rights.
In the left-side navigation pane, choose
On the Policies page, click Create Policy.
- On the Create Policy page, configure a policy on the Visual Editor Beta or JSON tab based on your business requirements. Then, click Next: Edit Basic Information. In the Basic Information section, enter a name and description for the policy, and click OK. Note For more information about how to create a custom policy, see Create custom policies.
The following table describes the required policies.
Policy Permission Policy script RamListRolesPolicy Permissions to access the list of RAM roles { "Version":"1", "Statement":[ { "Effect":"Allow", "Action":"ram:ListRoles", "Resource":"acs:ram:*:*:*" } ] }
MNSAccessAccountAttr Permissions to view and configure Alibaba Cloud accounts { "Version":"1", "Statement":[ { "Effect":"Allow", "Action":[ "mns:SetAccountAttributes", "mns:GetAccountAttributes" ], "Resource":"acs:mns:*:*:*" } ] }
LogServiceListPolicy Permissions to access the list of Log Service projects and Logstores { "Version":"1", "Statement":[ { "Effect":"Allow", "Action":"log:List*", "Resource":"acs:log:*:*:*" } ] }
OSSListBuckets Permissions to access the list of OSS buckets { "Version":"1", "Statement":[ { "Effect":"Allow", "Action":"oss:ListBuckets", "Resource":"acs:oss:*:*:*" } ] }
Step 2: Grant the required permissions to the RAM user
For more information, see Grant permissions to a RAM user.