This topic describes how to create a RAM role whose trusted entity is an Alibaba Cloud service and authorize the RAM role to access Simple Log Service resources. This type of RAM role is used to authorize access across Alibaba Cloud services.
Step 1: Create a RAM role
Log on to the RAM console.
In the left-side navigation pane, choose .
On the Roles page, click Create Role.
In the Select Role Type step, select Alibaba Cloud Service in the Trusted entity type section and click Next.
In the Configure Role step, set the parameters and click OK. The following table describes the parameters.
| Parameter | Description |
| --- | --- |
| Role Type | Select Normal Service Role. |
| RAM Role Name | Enter the name of the RAM role, for example, aliyunlogreadrole. |
| Note | Enter the description of the RAM role. |
| Select Trusted Service | Select Simple Log Service from the drop-down list. |
In the Finish step, click Close.
Step 2: Grant permissions to the RAM role
After you create a RAM role, the RAM role does not have permissions. Before Simple Log Service assumes the RAM role to perform operations, you must attach the required system policies or custom policies to the RAM role. Resource Access Management (RAM) provides the following two system policies for Simple Log Service:
AliyunLogFullAccess: the permissions to manage all Simple Log Service resources.
AliyunLogReadOnlyAccess: the read-only permissions on all Simple Log Service resources.
If the system policies do not meet your business requirements, you can create a custom policy to implement fine-grained access control. For more information, see Create a custom policy. For policy examples, see Use custom policies to grant permissions to a RAM user and Overview.
To attach the AliyunLogReadOnlyAccess policy to a RAM role, perform the following steps:
Log on to the RAM console.
In the left-side navigation pane, choose .
On the Roles page, find the RAM role and click Add Permissions in the Actions column.
In the Add Permissions panel, select the AliyunLogReadOnlyAccess policy and click OK.
Confirm the authorization result and click Complete.
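After both steps, the role can be reviewed offline against what this topic configures: Simple Log Service as the only trusted entity and AliyunLogReadOnlyAccess as the attached policy. The following check is an added example, not Alibaba Cloud code. It assumes the RAM trust policy JSON layout and the service principal `log.aliyuncs.com`, and its sample documents and account ID are constructed.

```python
import json

SLS_PRINCIPAL = "log.aliyuncs.com"   # assumption: SLS service principal
READ_ONLY = "AliyunLogReadOnlyAccess"
FULL = "AliyunLogFullAccess"

def as_list(value):
    """Policy fields may be a single string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def audit_role(trust_policy_json, attached_policies):
    """Return findings for a role meant to give SLS read-only access."""
    findings, trusts_sls = [], False
    stmts = json.loads(trust_policy_json).get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    for i, stmt in enumerate(stmts):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            findings.append(f"statement {i}: Principal is not a typed mapping: {principal!r}")
            continue
        for kind, names in principal.items():
            for name in as_list(names):
                if kind == "Service" and name == SLS_PRINCIPAL:
                    trusts_sls = True
                else:
                    findings.append(f"statement {i}: unexpected trusted entity {kind}={name}")
        if as_list(stmt.get("Action")) != ["sts:AssumeRole"]:
            findings.append(f"statement {i}: Action should be only sts:AssumeRole")
    if not trusts_sls:
        findings.append(f"trust policy does not trust {SLS_PRINCIPAL}")
    if not attached_policies:
        findings.append("no policy attached: the role has no permissions")
    if FULL in attached_policies:
        findings.append(f"{FULL} attached: wider than {READ_ONLY}")
    return findings

# Constructed sample documents (not exported from a real account).
GOOD_TRUST = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": ["log.aliyuncs.com"]}}]})
BAD_TRUST = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": ["log.aliyuncs.com"],
                  "RAM": ["acs:ram::1234567890123456:root"]}}]})
```

An empty result means the role matches the configuration in this topic; each finding names the statement or policy that deviates from it.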