You can create a Resource Access Management (RAM) user and grant the required permissions to the RAM user. This allows the RAM user to access Log Service. This topic describes how to create a RAM user and authorize the RAM user to access Log Service.

Background information

You may need to grant O&M personnel management permissions on Log Service resources, or grant other personnel access permissions on those resources. In either case, grant the required permissions to the personnel, who can then access Log Service resources as RAM users. For data security reasons, we recommend that you follow the principle of least privilege (PoLP) when you grant permissions to RAM users.

To grant a RAM user the permissions to access Log Service resources of your Alibaba Cloud account, perform the following steps. For more information about RAM users, see Introduction.

Create a RAM user

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, click Create User.
  4. Specify the Logon Name and Display Name parameters.
  5. Select Console Password Logon, Programmatic Access, or both.
    • Console Password Logon: If you select this access mode, you must configure the logon security settings. These settings specify whether to use a system-generated or custom logon password, whether the password must be reset at the next logon, and whether to enable multi-factor authentication (MFA).
    • Programmatic Access: If you select this access mode, an AccessKey pair is automatically created for the RAM user. The RAM user can call API operations or use SDKs to access Alibaba Cloud resources.
    Note: For account security, we recommend that you select only one access mode for a RAM user. This way, a RAM user who has left your organization can no longer access the Alibaba Cloud resources of the organization.
  6. Click OK.

Grant permissions to a RAM user

Log Service provides two system policies: AliyunLogFullAccess, which grants full access to Log Service, and AliyunLogReadOnlyAccess, which grants read-only access to Log Service. You can also create custom policies in the RAM console. For more information, see Create a custom policy. For policy examples, see Use custom policies to grant permissions to a RAM user and RAM policies of Log Service. To attach the AliyunLogReadOnlyAccess policy to a RAM user, perform the following steps:

  1. In the left-side navigation pane, choose Identities > Users.
  2. On the Users page, find the RAM user, and then click Add Permissions in the Actions column.
  3. In the Add Permissions pane, click System Policy, select the AliyunLogReadOnlyAccess policy, and then click OK.
  4. Confirm the authorization result, and then click Complete.
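
One way to check a custom policy against the least-privilege recommendation before you attach it, as an added example that is not code from the Log Service documentation. The sample policies, the project name example-project, and the treatment of log:Get* and log:List* as the read-only actions are assumptions constructed for illustration.

```python
import json

# Constructed sample policies in the RAM policy layout (Version / Statement).
# The project name and action patterns are assumptions for illustration.
SAMPLE_SCOPED = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["log:Get*", "log:List*"],
     "Resource": "acs:log:*:*:project/example-project/*"}
  ]
}
""")
SAMPLE_BROAD = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "log:*", "Resource": "*"}]}

READ_ONLY_PREFIXES = ("log:Get", "log:List")  # assumed read-only convention

def _as_list(value):
    # Action and Resource may each be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _project_of(resource):
    # "acs:log:<region>:<account>:project/<name>/..." -> "<name>", else None.
    parts = resource.rsplit(":", 1)[-1].split("/")
    return parts[1] if len(parts) > 1 and parts[0] == "project" else None

def audit_policy(policy):
    """Return least-privilege findings for the Allow statements of a policy."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action in ("*", "log:*"):
                findings.append(f"statement {i}: action '{action}' allows every operation")
            elif action.startswith("log:") and not action.startswith(READ_ONLY_PREFIXES):
                findings.append(f"statement {i}: action '{action}' is not read-only")
        for resource in _as_list(stmt.get("Resource", [])):
            project = _project_of(resource)
            if project is None or "*" in project:
                findings.append(f"statement {i}: resource '{resource}' is not limited to one project")
    return findings

if __name__ == "__main__":
    for name, doc in (("scoped", SAMPLE_SCOPED), ("broad", SAMPLE_BROAD)):
        print(name, audit_policy(doc) or "no findings")
```

An empty result means every Allow statement is read-only and pinned to a single named project; any finding is a prompt to narrow the policy before attaching it.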

Log on to the Alibaba Cloud Management Console as a RAM user

After you create a RAM user and grant permissions to the RAM user, you can log on to the Alibaba Cloud Management Console as the RAM user by using one of the following methods:

  • On the right side of the Overview page, click the link in the Account Management section. On the page that appears, log on by using the created RAM username and password.
  • Go to the Alibaba Cloud RAM User Logon page, and then log on by using the created RAM username and password. The logon name uses one of the following formats:
    • Format 1: <$username>@<$AccountAlias>.onaliyun.com. Example: username@company-alias.onaliyun.com.
      Note: The logon name of a RAM user is in the User Principal Name (UPN) format. <$username> indicates the username of a RAM user. <$AccountAlias>.onaliyun.com indicates the default domain name.
    • Format 2: <$username>@<$AccountAlias>. Example: username@company-alias.
      Note: <$username> indicates the username of a RAM user. <$AccountAlias> indicates the account alias.