Authorize a RAM user to use access logs

Edit in GitHub

Last Updated: May 28, 2019 Edit in GitHub

Before a RAM user starts to use the access log function, the RAM user must be authorized by the corresponding Alibaba Cloud account.

Prerequisites

The account has enabled the access log function.

Log on to the RAM console by using the credentials of your account.
Click Roles to see whether the account has the AliyunLogArchiveRole.
If the account does not have this role, log on to the SLB console by using the credentials of the account, select Logs > Access Logs, click Authorize. In the displayed dialog box, click Confirm Authorization Policy.

Note This operation is required only at the first time.

Procedure

Create an authorization policy:

Log on to the RAM console by using the credentials of your account.
In the left-side navigation pane, click Policies, and then click Create Authorization Policy.
Click Blank Template.

Enter a policy name, such as SlbAccessLogPolicySet, and then enter the following policy. Click Create Authorization Policy.

{
"Statement ":[
 {
   "Action ":[
     "slb:Create*",
     "slb:List*"
   ],
   "Effect": "Allow",
   "Resource": "acs:log:*:*:project/*"
 },
 {
   "Action": [
     "log:Create*",
     "log:List*"
   ],
   "Effect": "Allow",
   "Resource": "acs:log:*:*:project/*"
 },
 {
   "Action": [
     "log:Create*",
     "log:List*",
     "log:Get*",
     "log:Update*"
   ],
   "Effect": "Allow",
   "Resource": "acs:log:*:*:project/*/logstore/*"
 },
 {
   "Action": [
     "log:Create*",
     "log:List*",
     "log:Get*",
     "log:Update*"
   ],
   "Effect": "Allow",
   "Resource": "acs:log:*:*:project/*/dashboard/*"
 },
 {
   "Action": "cms:QueryMetric*",
   "Resource": "*",
   "Effect": "Allow"
 },
 {
   "Action": [
     "slb:Describe*",
     "slb:DeleteAccessLogsDownloadAttribute",
     "slb:SetAccessLogsDownloadAttribute",
     "slb:DescribeAccessLogsDownloadAttribute"
   ],
   "Resource": "*",
   "Effect": "Allow"
 },
 {
   "Action": [
     "ram:Get*",
     "ram:ListRoles"
   ],
   "Effect": "Allow",
   "Resource": "*"
 }
],
"Version": "1"
}

Click Close.

Attach the created policy to the RAM user:
1. In the left-side navigation pane, click Users.
2. Find the target RAM user (the user who uses the SLB access log function) and click Authorize.
3. Search the created authorization policy and attach the policy to the RAM user.
4. Click OK.
5. Go back to the user details page to check whether the policy has been attached to the target RAM user.