Before a RAM user uses the access log function, the RAM user must be authorized by
the corresponding Alibaba Cloud account.
Prerequisites
The account has enabled the access log function.
- Log on to the RAM console by using the credentials of your account.
- Click Roles to see whether the account has the AliyunLogArchiveRole.
If the account does not have this role, log on to the SLB console by using the credentials
of the account, select , click Authorize. In the displayed dialog box, click Confirm Authorization Policy.
Note: This operation is required only the first time.
Procedure
- Create an authorization policy:
  - Log on to the RAM console by using the credentials of your account.
  - In the left-side navigation pane, click Policies, and then click Create Authorization Policy.
  - Click Blank Template.
  - Enter a policy name, such as SlbAccessLogPolicySet, and then enter the following policy. Click Create Authorization Policy.
    {
      "Statement": [
        {
          "Action": [
            "slb:Create*",
            "slb:List*"
          ],
          "Effect": "Allow",
          "Resource": "acs:log:*:*:project/*"
        },
        {
          "Action": [
            "log:Create*",
            "log:List*"
          ],
          "Effect": "Allow",
          "Resource": "acs:log:*:*:project/*"
        },
        {
          "Action": [
            "log:Create*",
            "log:List*",
            "log:Get*",
            "log:Update*"
          ],
          "Effect": "Allow",
          "Resource": "acs:log:*:*:project/*/logstore/*"
        },
        {
          "Action": [
            "log:Create*",
            "log:List*",
            "log:Get*",
            "log:Update*"
          ],
          "Effect": "Allow",
          "Resource": "acs:log:*:*:project/*/dashboard/*"
        },
        {
          "Action": "cms:QueryMetric*",
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "slb:Describe*",
            "slb:DeleteAccessLogsDownloadAttribute",
            "slb:SetAccessLogsDownloadAttribute",
            "slb:DescribeAccessLogsDownloadAttribute"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ram:Get*",
            "ram:ListRoles"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }
  - Click Close.
- Attach the created policy to the RAM user:
  - In the left-side navigation pane, click Users.
  - Find the target RAM user (the user who uses the SLB access log function) and click Authorize.
  - Search for the created authorization policy and attach the policy to the RAM user.
  - Click OK.
  - Go back to the user details page to check whether the policy has been attached to the target RAM user.
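
Before attaching the policy from step 1, it is worth listing which of its statements are broader than a single log project. The following is an added example, not part of the original documentation or of any Alibaba Cloud tool: a small least-privilege review of that exact policy. The names review and as_list are hypothetical, and the script assumes the usual RAM resource layout acs:<service>:<region>:<account-id>:<relative-id>.

```python
import json

# The policy from this page, compacted to one statement per line.
POLICY = json.loads("""
{"Version": "1", "Statement": [
 {"Action": ["slb:Create*", "slb:List*"], "Effect": "Allow", "Resource": "acs:log:*:*:project/*"},
 {"Action": ["log:Create*", "log:List*"], "Effect": "Allow", "Resource": "acs:log:*:*:project/*"},
 {"Action": ["log:Create*", "log:List*", "log:Get*", "log:Update*"], "Effect": "Allow", "Resource": "acs:log:*:*:project/*/logstore/*"},
 {"Action": ["log:Create*", "log:List*", "log:Get*", "log:Update*"], "Effect": "Allow", "Resource": "acs:log:*:*:project/*/dashboard/*"},
 {"Action": "cms:QueryMetric*", "Resource": "*", "Effect": "Allow"},
 {"Action": ["slb:Describe*", "slb:DeleteAccessLogsDownloadAttribute", "slb:SetAccessLogsDownloadAttribute", "slb:DescribeAccessLogsDownloadAttribute"], "Resource": "*", "Effect": "Allow"},
 {"Action": ["ram:Get*", "ram:ListRoles"], "Effect": "Allow", "Resource": "*"}
]}
""")

def as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)

def review(policy):
    """Return (statement_index, finding) tuples for Allow statements worth a second look."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt["Action"])
        wild = [a for a in actions if "*" in a]
        for res in as_list(stmt["Resource"]):
            if res == "*" and wild:
                findings.append((i, "wildcard actions on all resources: " + ", ".join(wild)))
            parts = res.split(":")
            # Assumed layout: acs:<service>:<region>:<account-id>:<relative-id>
            if len(parts) < 5 or parts[0] != "acs":
                continue
            foreign = [a for a in actions if a.split(":")[0] != parts[1]]
            if foreign:
                findings.append((i, f"actions {foreign} do not belong to resource service '{parts[1]}'"))
            if "*" in parts[4]:
                findings.append((i, f"resource '{res}' is not pinned to a named resource"))
    return findings

if __name__ == "__main__":
    for idx, msg in review(POLICY):
        print(f"Statement[{idx}]: {msg}")
```

Each finding is a prompt for review, not proof of a defect: where the RAM user only needs one log project, replacing the project/* wildcard with that project's name narrows the grant.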