This topic describes how to authorize a Resource Access Management (RAM) user to use the access logs feature of Classic Load Balancer (CLB) with your Alibaba Cloud account. To use the access logs feature, RAM users must acquire the required permissions.

Prerequisites

The Alibaba Cloud account has enabled the access logs feature.
  1. Use the Alibaba Cloud account to log on to the RAM console.
  2. Click RAM Roles, and check whether the AliyunLogArchiveRole role is attached to the Alibaba Cloud account. This role allows CLB to access Log Service.

    If the role does not exist, log on to the Server Load Balancer (SLB) console with the Alibaba Cloud account. Choose CLB (FKA SLB) > Logs > Access Logs, and click Authorize. In the message that appears, click Confirm Authorization Policy to authorize CLB to access Log Service.

    Note: You need to perform this authorization only once.

Procedure

  1. Perform the following steps to create a permission policy:
    1. Log on to the RAM console with the Alibaba Cloud account.
    2. In the left-side navigation pane, choose Permissions > Policies. On the page that appears, click Create Policy.
    3. Enter a name for the permission policy. In this example, SlbAccessLogPolicySet is entered.
    4. Set Configuration Mode to Script and enter the following content:
      {
      "Statement": [
       {
         "Action": [
           "slb:Create*",
           "slb:List*"
         ],
         "Effect": "Allow",
         "Resource": "acs:log:*:*:project/*"
       },
       {
         "Action": [
           "log:Create*",
           "log:List*"
         ],
         "Effect": "Allow",
         "Resource": "acs:log:*:*:project/*"
       },
       {
         "Action": [
           "log:Create*",
           "log:List*",
           "log:Get*",
           "log:Update*"
         ],
         "Effect": "Allow",
         "Resource": "acs:log:*:*:project/*/logstore/*"
       },
       {
         "Action": [
           "log:Create*",
           "log:List*",
           "log:Get*",
           "log:Update*"
         ],
         "Effect": "Allow",
         "Resource": "acs:log:*:*:project/*/dashboard/*"
       },
       {
         "Action": "cms:QueryMetric*",
         "Resource": "*",
         "Effect": "Allow"
       },
       {
         "Action": [
           "slb:Describe*",
           "slb:DeleteAccessLogsDownloadAttribute",
           "slb:SetAccessLogsDownloadAttribute",
           "slb:DescribeAccessLogsDownloadAttribute"
         ],
         "Resource": "*",
         "Effect": "Allow"
       },
       {
         "Action": [
           "ram:Get*",
           "ram:ListRoles"
         ],
         "Effect": "Allow",
         "Resource": "*"
       }
      ],
      "Version": "1"
      }
    5. Click OK.
  2. Perform the following steps to authorize a RAM user:
    1. In the left-side navigation pane of the RAM console, choose Permissions > Grants and click Grant Permission.
    2. Specify Authorized Scope and Principal.
    3. In the Select Policy list, select the permission policy that you created.
    4. Click OK.
    5. Return to the Grants page and check whether the permission policy is attached to the RAM user. After the permission policy is attached to the RAM user, the RAM user can use the access logs feature of CLB.
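
A review script for the policy in step 1, added here as an example and not part of the original documentation; `review_policy` and the finding labels are hypothetical names. It lists Allow statements whose action prefix differs from the service in the resource ARN (`acs:<service>:<region>:<account>:<resource>`), wildcard actions granted on all resources, and wildcard write actions, so each can be checked against least privilege before the policy is attached.

```python
import json

# The policy from step 1 of the procedure, compacted to fit; content unchanged.
POLICY = json.loads("""
{"Version": "1", "Statement": [
 {"Action": ["slb:Create*", "slb:List*"], "Effect": "Allow",
  "Resource": "acs:log:*:*:project/*"},
 {"Action": ["log:Create*", "log:List*"], "Effect": "Allow",
  "Resource": "acs:log:*:*:project/*"},
 {"Action": ["log:Create*", "log:List*", "log:Get*", "log:Update*"],
  "Effect": "Allow", "Resource": "acs:log:*:*:project/*/logstore/*"},
 {"Action": ["log:Create*", "log:List*", "log:Get*", "log:Update*"],
  "Effect": "Allow", "Resource": "acs:log:*:*:project/*/dashboard/*"},
 {"Action": "cms:QueryMetric*", "Resource": "*", "Effect": "Allow"},
 {"Action": ["slb:Describe*", "slb:DeleteAccessLogsDownloadAttribute",
             "slb:SetAccessLogsDownloadAttribute",
             "slb:DescribeAccessLogsDownloadAttribute"],
  "Resource": "*", "Effect": "Allow"},
 {"Action": ["ram:Get*", "ram:ListRoles"], "Effect": "Allow", "Resource": "*"}
]}
""")

def as_list(value):
    """RAM policies allow a single string or a list for Action/Resource."""
    return [value] if isinstance(value, str) else list(value)

def review_policy(policy):
    """Return (statement_index, kind, detail) findings for Allow statements."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = as_list(stmt["Action"]), as_list(stmt["Resource"])
        # Services named in resource ARNs (acs:<service>:<region>:<account>:<path>).
        arn_services = {r.split(":")[1] for r in resources if r != "*"}
        for action in actions:
            service, _, name = action.partition(":")
            if arn_services and service not in arn_services:
                findings.append((i, "service-mismatch", action))
            if "*" in name and "*" in resources:
                findings.append((i, "wildcard-action-on-all-resources", action))
            elif "*" in name and name.split("*")[0] in ("Create", "Update", "Delete", "Set"):
                findings.append((i, "wildcard-write", action))
    return findings

if __name__ == "__main__":
    for idx, kind, detail in review_policy(POLICY):
        print(f"statement {idx}: {kind}: {detail}")
```

The findings are review prompts, not verdicts: the first statement's `slb:` actions are flagged because their resource is a Log Service ARN, and the wildcard findings show where the policy could be narrowed to specific actions or projects.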