Simple Log Service: Create a RAM role whose trusted entity is an Alibaba Cloud service and authorize the RAM role to access Simple Log Service

Last Updated: Oct 26, 2023

This topic describes how to create a RAM role whose trusted entity is an Alibaba Cloud service and authorize the RAM role to access Simple Log Service resources. This type of RAM role is used to authorize access across Alibaba Cloud services.

Step 1: Create a RAM role

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click Create Role.

  4. In the Select Role Type step, select Alibaba Cloud Service in the Trusted entity type section and click Next.

  5. In the Configure Role step, set the parameters and click OK. The following table describes the parameters.

    | Parameter | Description |
    | --- | --- |
    | Role Type | Select Normal Service Role. |
    | RAM Role Name | Enter the name of the RAM role, for example, aliyunlogreadrole. |
    | Note | Enter the description of the RAM role. |
    | Select Trusted Service | Select Simple Log Service from the drop-down list. |

  6. In the Finish step, click Close.

Step 2: Grant permissions to the RAM role

A newly created RAM role has no permissions. Before Simple Log Service can assume the RAM role to perform operations, you must attach the required system policies or custom policies to the RAM role. Resource Access Management (RAM) provides the following two system policies for Simple Log Service:

  • AliyunLogFullAccess: the permissions to manage all Simple Log Service resources.

  • AliyunLogReadOnlyAccess: the read-only permissions on all Simple Log Service resources.

If the system policies do not meet your business requirements, you can create a custom policy to implement fine-grained access control. For more information, see Create a custom policy. For policy examples, see Use custom policies to grant permissions to a RAM user and Overview.

To attach the AliyunLogReadOnlyAccess policy to a RAM role, perform the following steps:

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, find the RAM role and click Add Permissions in the Actions column.

  4. In the Add Permissions panel, select the AliyunLogReadOnlyAccess policy and click OK.

  5. Confirm the authorization result and click Complete.
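
To confirm the result of both steps, the following added example (not part of the original topic or of any Alibaba Cloud tool) audits a role's trust policy document and the names of its attached policies. The JSON layout, the sts:AssumeRole action, and the service principal log.aliyuncs.com are assumptions about how RAM represents a role trusted by Simple Log Service; the sample policies are constructed.

```python
import json

SLS_PRINCIPAL = "log.aliyuncs.com"   # assumed service principal of Simple Log Service
READ_ONLY = "AliyunLogReadOnlyAccess"

def as_list(value):
    """Policy fields may hold one string/object or a list of them."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def audit_role(trust_policy_json, attached_policies):
    """Return findings; an empty list means the role matches the setup above."""
    findings, trusted = [], set()
    doc = json.loads(trust_policy_json)
    for stmt in as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action")):
            if action != "sts:AssumeRole":
                findings.append(f"unexpected trust action: {action}")
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):      # e.g. "*" or missing
            findings.append(f"unscoped principal: {principal!r}")
            continue
        for kind, values in principal.items():
            for value in as_list(values):
                trusted.add((kind, value))
    for kind, value in sorted(trusted - {("Service", SLS_PRINCIPAL)}):
        findings.append(f"unexpected trusted entity: {kind}={value}")
    if ("Service", SLS_PRINCIPAL) not in trusted:
        findings.append("Simple Log Service cannot assume this role")
    if not attached_policies:
        findings.append("no policy attached: the role has no permissions")
    for name in attached_policies:
        if name != READ_ONLY:
            findings.append(f"review scope of attached policy: {name}")
    return findings

# Constructed sample data (not exported from a real account).
GOOD_TRUST = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": ["log.aliyuncs.com"]}}]})
BAD_TRUST = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": ["log.aliyuncs.com"],
                  "RAM": ["acs:ram::1234567890123456:root"]}}]})

if __name__ == "__main__":
    print(audit_role(GOOD_TRUST, [READ_ONLY]))
    print(audit_role(BAD_TRUST, ["AliyunLogFullAccess"]))
```

A role that also trusts a RAM principal, or that carries AliyunLogFullAccess where read-only access was intended, is reported for review.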