Before you use the access logging feature of Server Load Balancer (SLB) as a RAM user, you must use your Alibaba Cloud account to grant the RAM user the required permissions.

Prerequisites

The Alibaba Cloud account has enabled access logging.
  1. Log on to the RAM console with an Alibaba Cloud account.
  2. Click RAM Roles, and check whether the Alibaba Cloud account has a role named AliyunLogArchiveRole that allows a RAM user to use access logs.

    If the Alibaba Cloud account does not have the role, log on to the SLB console with the Alibaba Cloud account. Choose Logs > Access Logs, and click Authorize. In the message that appears, click Confirm Authorization Policy to authorize SLB to access Log Service.

    Note: Authorization is required the first time you use the access logging feature.

Procedure

  1. Create a permission policy:
    1. Log on to the RAM console with the Alibaba Cloud account.
    2. In the left-side navigation pane, click Policies and click Create Policy.
    3. Enter a name for the permission policy. In this example, SlbAccessLogPolicySet is entered.
    4. Set Configuration Mode to Script and enter the following information:
      {
      "Statement": [
       {
         "Action": [
           "slb:Create*",
           "slb:List*"
         ],
         "Effect": "Allow",
         "Resource": "acs:log:*:*:project/*"
       },
       {
         "Action": [
           "log:Create*",
           "log:List*"
         ],
         "Effect": "Allow",
         "Resource": "acs:log:*:*:project/*"
       },
       {
         "Action": [
           "log:Create*",
           "log:List*",
           "log:Get*",
           "log:Update*"
         ],
         "Effect": "Allow",
         "Resource": "acs:log:*:*:project/*/logstore/*"
       },
       {
         "Action": [
           "log:Create*",
           "log:List*",
           "log:Get*",
           "log:Update*"
         ],
         "Effect": "Allow",
         "Resource": "acs:log:*:*:project/*/dashboard/*"
       },
       {
         "Action": "cms:QueryMetric*",
         "Resource": "*",
         "Effect": "Allow"
       },
       {
         "Action": [
           "slb:Describe*",
           "slb:DeleteAccessLogsDownloadAttribute",
           "slb:SetAccessLogsDownloadAttribute",
           "slb:DescribeAccessLogsDownloadAttribute"
         ],
         "Resource": "*",
         "Effect": "Allow"
       },
       {
         "Action": [
           "ram:Get*",
           "ram:ListRoles"
         ],
         "Effect": "Allow",
         "Resource": "*"
       }
      ],
      "Version": "1"
      }
    5. Click OK.
  2. Authorize a RAM user:
    1. In the RAM console, choose Grants > Grant Permission.
    2. Specify Authorized Scope and Principal.
    3. In the Select Policy list, select the permission policy that you created.
    4. Click OK.
    5. Return to the Grants tab and check whether the RAM user is granted the new permission. If the RAM user is granted the new permission, you can use the access logging feature of SLB as the RAM user.
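
Before attaching SlbAccessLogPolicySet to a RAM user, it is worth reviewing what the policy actually grants. The following is an added example, not Alibaba Cloud's code: a small least-privilege review of the policy from step 1.4. The function names (`as_list`, `audit`) and the three heuristics are assumptions chosen for this illustration; the service check relies on the `acs:<service>:<region>:<account>:<resource>` resource format.

```python
import json

# The policy from step 1.4, compacted (same statements, same order).
POLICY = json.loads("""
{"Version": "1", "Statement": [
 {"Action": ["slb:Create*", "slb:List*"], "Effect": "Allow", "Resource": "acs:log:*:*:project/*"},
 {"Action": ["log:Create*", "log:List*"], "Effect": "Allow", "Resource": "acs:log:*:*:project/*"},
 {"Action": ["log:Create*", "log:List*", "log:Get*", "log:Update*"], "Effect": "Allow", "Resource": "acs:log:*:*:project/*/logstore/*"},
 {"Action": ["log:Create*", "log:List*", "log:Get*", "log:Update*"], "Effect": "Allow", "Resource": "acs:log:*:*:project/*/dashboard/*"},
 {"Action": "cms:QueryMetric*", "Resource": "*", "Effect": "Allow"},
 {"Action": ["slb:Describe*", "slb:DeleteAccessLogsDownloadAttribute", "slb:SetAccessLogsDownloadAttribute", "slb:DescribeAccessLogsDownloadAttribute"], "Resource": "*", "Effect": "Allow"},
 {"Action": ["ram:Get*", "ram:ListRoles"], "Effect": "Allow", "Resource": "*"}
]}
""")

def as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def audit(policy):
    """Return (statement_index, finding) tuples for every Allow statement."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions, resources = as_list(st["Action"]), as_list(st["Resource"])
        for res in resources:
            if res == "*":  # grant is not limited to any resource
                findings.append((i, "resource '*': " + ", ".join(actions)))
                continue
            res_service = res.split(":")[1]  # acs:<service>:...
            for act in actions:
                if act.split(":")[0] != res_service:
                    findings.append((i, f"{act} scoped to a '{res_service}' resource"))
        for act in actions:
            verb = act.split(":")[1]
            # Wildcards on mutating verbs widen silently as the API grows.
            if verb.startswith(("Create", "Update", "Delete", "Set")) and verb.endswith("*"):
                findings.append((i, f"wildcard write action {act}"))
    return findings

if __name__ == "__main__":
    for idx, msg in audit(POLICY):
        print(f"Statement[{idx}]: {msg}")
```

Each finding is a prompt for review rather than a verdict: a reviewer decides whether the wildcard or `*` resource is needed for the RAM user's role or can be narrowed to specific projects and actions.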