You can authorize a Resource Access Management (RAM) user to connect to Log Service so that other users can access Log Service resources as that RAM user. This topic describes how to authorize a RAM user to connect to Log Service.

Background information

In your business scenarios, you may want the RAM users of your Alibaba Cloud account to manage and maintain Log Service, or to access Log Service resources. For either purpose, you must authorize those RAM users to access or manage Log Service resources. To secure data, we recommend that you grant the RAM users only the minimum permissions that they require.

The following steps describe how to authorize a RAM user of your Alibaba Cloud account to access Log Service resources. For more information about RAM users, see Introduction.

Create a RAM user

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. In the left-side navigation pane, click Users under Identities.
  3. Click Create User.
    Note: To create multiple RAM users at a time, click Add User.
  4. Specify the Logon Name and Display Name parameters.
  5. Under Access Mode, select Console Password Logon or Programmatic Access.
    • Console Password Logon: If you select this check box, you must also complete the basic security settings for logon, including deciding whether to automatically generate a password or customize the logon password, whether the user must reset the password upon the next logon, and whether to enable multi-factor authentication (MFA).
    • Programmatic Access: If you select this check box, an AccessKey pair is automatically created for the RAM user. The user can access Alibaba Cloud resources by calling an API operation or by using a development tool.
    Note: We recommend that you select only one access mode for a RAM user to help secure your Alibaba Cloud account. This prevents RAM users who have left the company from accessing Alibaba Cloud resources.
  6. Click OK.

Grant a permission to a RAM user

Log Service provides system policies, including AliyunLogFullAccess, which grants management permissions, and AliyunLogReadOnlyAccess, which grants read-only permissions. You can also create custom policies in the RAM console. For more information, see Create custom policies. For policy examples, see Use custom policies to grant permissions to a RAM user and Integrate Log Service with RAM. The following steps describe how to grant the permissions specified in the AliyunLogReadOnlyAccess policy.

  1. In the left-side navigation pane, click Grants under Permissions.
  2. Click Grant Permission.
  3. Under Principal, enter the username, and click the target RAM user.
  4. In the Policy Name column, select AliyunLogReadOnlyAccess, and click OK.
  5. Click OK.
  6. Click Finished.
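
One way to check a custom policy against the minimum-permission recommendation before you attach it, as an added example that is not Alibaba Cloud's own code. It assumes the RAM policy JSON layout (Version, Statement, Effect, Action, Resource) and treats log:Get* and log:List* as the read-only actions; the sample policies and the project name example-project are constructed.

```python
import json

# Assumption: Get*/List* actions in the "log" namespace are the read-only ones.
READ_PREFIXES = ("log:get", "log:list")

# Constructed sample policy documents (the project name is hypothetical).
FULL_ACCESS = json.loads(
    '{"Version": "1", "Statement": [{"Effect": "Allow", "Action": "log:*", "Resource": "*"}]}')
READ_ANY_RESOURCE = json.loads(
    '{"Version": "1", "Statement": [{"Effect": "Allow",'
    ' "Action": ["log:Get*", "log:List*"], "Resource": "*"}]}')
SCOPED_READ = json.loads(
    '{"Version": "1", "Statement": [{"Effect": "Allow",'
    ' "Action": ["log:Get*", "log:List*"],'
    ' "Resource": "acs:log:*:*:project/example-project/*"}]}')


def _as_list(value):
    """Policy fields may hold one string/object or a list of them."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (statement_index, finding) pairs for grants wider than scoped read access."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement cannot widen access
        if "Action" not in stmt:
            findings.append((index, "no Action key, review manually"))
        for action in _as_list(stmt.get("Action")):
            # A literal Get/List prefix means any wildcard only extends a read action.
            if not action.lower().startswith(READ_PREFIXES):
                findings.append((index, f"non-read action: {action}"))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((index, "resource '*' is not limited to a project"))
    return findings


if __name__ == "__main__":
    for name, doc in [("full", FULL_ACCESS), ("read-any", READ_ANY_RESOURCE),
                      ("scoped", SCOPED_READ)]:
        print(name, audit_policy(doc) or "ok")
```

An empty result means every Allow statement is limited to read actions on a named resource; any finding is a reason to narrow the policy before granting it.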

Log on to the Log Service console as a RAM user

After you create a RAM user and grant the specified permission to the RAM user, you can log on to the Log Service console as the RAM user. You can log on to the console as a RAM user in any of the following ways:

  • On the Overview page in the RAM console, click the URL for logon, and use the user name and password of the RAM user to log on to the Log Service console.
  • Click here to go to the RAM User Logon page, and use the user name and password of the RAM user to log on to the Log Service console. You can enter the user name in one of the following formats:
    • Format 1: <$username>@<$AccountAlias>.onaliyun.com. For example: username@company-alias.onaliyun.com.
      Note: The user name of a RAM user must be in the User Principal Name (UPN) format. All user logon names listed in the RAM console use this format. <$username> specifies the user name of the RAM user, and <$AccountAlias>.onaliyun.com specifies the default domain name of the RAM user.
    • Format 2: <$username>@<$AccountAlias>. For example: username@company-alias.
      Note: <$username> specifies the user name of the RAM user, and <$AccountAlias> specifies the alias of the RAM user.