
Server Load Balancer: Authorize a RAM user to use the access log feature of CLB

Last Updated: Nov 13, 2023

This topic describes how to authorize a Resource Access Management (RAM) user to use the access log feature of Classic Load Balancer (CLB). You need to use your Alibaba Cloud account to perform the authorization.

Prerequisites

The access log feature is enabled for your Alibaba Cloud account. For more information, see Enable the access log management feature.

Create a policy

This section describes how to create a custom policy on the JSON tab. You can also create a policy on the Visual editor tab. For more information, see the Create a custom policy on the Visual editor tab section of the "Create a custom policy" topic.

  1. Log on to the RAM console with an Alibaba Cloud account.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, click the JSON tab.

  5. On the JSON tab, enter the following code and click Next to edit policy information.

    {
      "Statement": [
        {
          "Action": [
            "slb:Create*",
            "slb:List*"
          ],
          "Effect": "Allow",
          "Resource": "acs:log:*:*:project/*"
        },
        {
          "Action": [
            "log:Create*",
            "log:List*"
          ],
          "Effect": "Allow",
          "Resource": "acs:log:*:*:project/*"
        },
        {
          "Action": [
            "log:Create*",
            "log:List*",
            "log:Get*",
            "log:Update*"
          ],
          "Effect": "Allow",
          "Resource": "acs:log:*:*:project/*/logstore/*"
        },
        {
          "Action": [
            "log:Create*",
            "log:List*",
            "log:Get*",
            "log:Update*"
          ],
          "Effect": "Allow",
          "Resource": "acs:log:*:*:project/*/dashboard/*"
        },
        {
          "Action": "cms:QueryMetric*",
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "slb:Describe*",
            "slb:DeleteAccessLogsDownloadAttribute",
            "slb:SetAccessLogsDownloadAttribute",
            "slb:DescribeAccessLogsDownloadAttribute"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ram:Get*",
            "ram:ListRoles"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }

  6. Specify the Name and Description fields.

  7. Check and optimize the content of the custom policy.

    • Basic optimization

      The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:

      • Deletes unnecessary conditions.

      • Deletes unnecessary arrays.

    • Optional: Advanced optimization

      You can move the pointer over Optional advanced optimize and click Perform. The system performs the following operations during the advanced optimization:

      • Splits resources or conditions that are incompatible with actions.

      • Narrows down resources.

      • Deduplicates or merges policy statements.

  8. Click OK.
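
A local pre-check in the spirit of step 7, added here as an example (it is not the RAM console's optimizer and not code from this topic): it flags Allow statements whose action service prefix differs from the service segment of the resource ARN, and wildcard actions granted on all resources. The sample policy is a constructed excerpt of the policy above; the function and finding names are hypothetical, and the ARN layout `acs:<service>:<region>:<account-id>:<relative-id>` is assumed.

```python
import json

# Constructed sample: three statements shortened from the policy on this page.
SAMPLE_POLICY = """
{
  "Version": "1",
  "Statement": [
    {"Action": ["slb:Create*", "slb:List*"], "Effect": "Allow",
     "Resource": "acs:log:*:*:project/*"},
    {"Action": ["log:Get*", "log:Update*"], "Effect": "Allow",
     "Resource": "acs:log:*:*:project/*/logstore/*"},
    {"Action": "cms:QueryMetric*", "Effect": "Allow", "Resource": "*"}
  ]
}
"""

def as_list(value):
    """Action and Resource may be a single string or an array."""
    return [value] if isinstance(value, str) else list(value)

def review_policy(policy_text):
    """Return (statement_index, finding, detail) tuples for Allow statements."""
    findings = []
    for idx, stmt in enumerate(json.loads(policy_text)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        resources = as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            service = action.split(":", 1)[0]
            for resource in resources:
                if resource == "*":
                    # Every resource is in scope: a wildcard action widens it further.
                    if "*" in action:
                        findings.append((idx, "wildcard-action-on-all-resources", action))
                    continue
                # Assumed layout: acs:<service>:<region>:<account-id>:<relative-id>
                parts = resource.split(":")
                res_service = parts[1] if len(parts) > 1 else ""
                if service != "*" and res_service not in ("*", service):
                    findings.append((idx, "service-mismatch", f"{action} on {resource}"))
    return findings

if __name__ == "__main__":
    for idx, finding, detail in review_policy(SAMPLE_POLICY):
        print(f"statement {idx}: {finding}: {detail}")
```

A finding is a prompt for review before the policy is saved, not proof of a misconfiguration.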

Attach the policy to a RAM user

  1. Log on to the RAM console with an Alibaba Cloud account.

  2. In the left-side navigation pane, choose Permissions > Grants.
  3. On the Grants page, click Grant Permission.
  4. In the Grant Permissions panel, grant permissions to the RAM user.
    1. Set the authorization scope.
      • Alibaba Cloud Account: The permissions take effect on the current Alibaba Cloud account.
      • Specific Resource Group: The permissions take effect in a specific resource group.
        Note: If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
    2. Specify the principal.
      The principal is the RAM user to which permissions are granted.
    3. Select policies.
      Note: You can attach a maximum of five policies to a RAM user at a time. If you need to attach more than five policies to a RAM user, perform the operation multiple times.
  5. Click OK.
  6. Click Complete.
  7. Return to the Grants page and check whether the policy is attached to the RAM user. If the policy is attached to the RAM user, the RAM user can use the access log feature of CLB.