A trusted Alibaba Cloud service can assume a RAM role to access your Alibaba Cloud resources. This topic describes how to create a RAM role and assign the role to an Alibaba Cloud service.

Create a RAM role

  1. Log on to the RAM console.
  2. In the left-side navigation pane, click RAM Roles.
  3. On the RAM Roles page, click Create RAM Role.
  4. In the Create RAM Role pane, select Alibaba Cloud Service as the trusted entity type, and then click Next.
  5. The following table describes the parameters of the role configuration.
    Parameter Description
    RAM Role Name Enter the name of the RAM role, for example, aliyunlogreadrole.
    Note Enter the description of the RAM role.
    Select Trusted Service Select Log Service from the drop-down list.
  6. Click Complete.

Grant a RAM role the permissions to access Log Service

  1. In the left-side navigation pane, click RAM Roles.
  2. On the RAM Roles page, find the RAM role, and then click Add Permissions in the Actions column.
  3. In the Add Permissions pane, click System Policy, select the AliyunLogReadOnlyAccess policy, and then click OK.
  4. Confirm the authorization result, and then click Complete.