This topic describes how to use custom policies to grant permissions to a RAM user. In the RAM console, you can grant permissions to the RAM users under your Alibaba Cloud account.

Background information

To limit the impact of a compromised or misused RAM user, follow the principle of least privilege (PoLP) when you grant permissions: grant only the actions and resources that the user needs. At a minimum, a RAM user must be granted the read-only permission on the project list (the log:ListProject action). Otherwise, the RAM user cannot view the projects in the project list. For more information, see Authorize a RAM user to connect to Log Service and Manage policies.

Use the RAM console to grant permissions to a RAM user

  • Read-only permission on projects
    For example, suppose you want to use your Alibaba Cloud account to grant a RAM user the following permissions:
    • Permission to view the project list of the Alibaba Cloud account
    • Permission to read the project specified by the Alibaba Cloud account
    Use the following policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": ["log:ListProject"],
          "Resource": ["acs:log:*:*:project/*"],
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*",
            "log:List*"
          ],
          "Resource": "acs:log:*:*:project/<name of the specified project>/*",
          "Effect": "Allow"
        }
      ]
    }
  • Permission to read a specified Logstore, save a search, and use the saved search
    For example, suppose you want to use your Alibaba Cloud account to grant a RAM user the following permissions:
    • Permission to view the project list of the Alibaba Cloud account
    • Permission to read a specified Logstore, save a search, and use the saved search
    Use the following policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:ListProject"
          ],
          "Resource": "acs:log:*:*:project/*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:List*"
          ],
          "Resource": "acs:log:*:*:project/<name of the specified project>/logstore/*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*",
            "log:List*"
          ],
          "Resource": [
            "acs:log:*:*:project/<name of the specified project>/logstore/<name of the specified Logstore>"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:List*"
          ],
          "Resource": [
            "acs:log:*:*:project/<name of the specified project>/dashboard",
            "acs:log:*:*:project/<name of the specified project>/dashboard/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*",
            "log:List*",
            "log:Create*"
          ],
          "Resource": [
            "acs:log:*:*:project/<name of the specified project>/savedsearch",
            "acs:log:*:*:project/<name of the specified project>/savedsearch/*"
          ],
          "Effect": "Allow"
        }
      ]
    }
    Note In the policy, a resource that does not end with an asterisk (*) matches only that resource itself. A resource that ends with an asterisk (*) matches the resources under that resource. This is why the policy lists both "savedsearch" and "savedsearch/*": the first entry grants access to the saved-search collection, the second to the individual saved searches in it.
  • Permission to read a specified Logstore and view all saved searches and dashboards in a project
    For example, suppose you want to use your Alibaba Cloud account to grant a RAM user the following permissions:
    • Permission to view the project list of the Alibaba Cloud account
    • Permission to read a specified Logstore and view all saved searches and dashboards in a project
    Use the following policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:ListProject"
          ],
          "Resource": "acs:log:*:*:project/*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:List*"
          ],
          "Resource": "acs:log:*:*:project/<name of the specified project>/logstore/*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*",
            "log:List*"
          ],
          "Resource": [
            "acs:log:*:*:project/<name of the specified project>/logstore/<name of the specified Logstore>"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*",
            "log:List*"
          ],
          "Resource": [
            "acs:log:*:*:project/<name of the specified project>/dashboard",
            "acs:log:*:*:project/<name of the specified project>/dashboard/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*",
            "log:List*"
          ],
          "Resource": [
            "acs:log:*:*:project/<name of the specified project>/savedsearch",
            "acs:log:*:*:project/<name of the specified project>/savedsearch/*"
          ],
          "Effect": "Allow"
        }
      ]
    }

Use APIs to grant permissions to a RAM user

  • Permission to write data to a specified project
    To grant a RAM user only the permission to write data to a specified project, use the following policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:Post*"
          ],
          "Resource": "acs:log:*:*:project/<name of the specified project>/*",
          "Effect": "Allow"
        }
      ]
    }
  • Permission to consume data of a specified project
    To grant a RAM user only the permission to consume data of a specified project, use the following policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:ListShards",
            "log:GetCursorOrData",
            "log:GetConsumerGroupCheckPoint",
            "log:UpdateConsumerGroup",
            "log:ConsumerGroupHeartBeat",
            "log:ConsumerGroupUpdateCheckPoint",
            "log:ListConsumerGroup",
            "log:CreateConsumerGroup"
          ],
          "Resource": "acs:log:*:*:project/<name of the specified project>/*",
          "Effect": "Allow"
        }
      ]
    }
  • Permission to consume data of a specified Logstore
    To grant a RAM user only the permission to consume data of a specified Logstore, use the following policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:ListShards",
            "log:GetCursorOrData",
            "log:GetConsumerGroupCheckPoint",
            "log:UpdateConsumerGroup",
            "log:ConsumerGroupHeartBeat",
            "log:ConsumerGroupUpdateCheckPoint",
            "log:ListConsumerGroup",
            "log:CreateConsumerGroup"
          ],
          "Resource": [
            "acs:log:*:*:project/<name of the specified project>/logstore/<name of the specified Logstore>",
            "acs:log:*:*:project/<name of the specified project>/logstore/<name of the specified Logstore>/*"
          ],
          "Effect": "Allow"
        }
      ]
    }
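The wildcard rule in the note above and the two resource entries in the "consume data of a specified Logstore" policy can be checked offline with a small policy evaluator. This is an added example, not code from this page or from Alibaba Cloud; it assumes placeholder project and Logstore names and models RAM matching as "*" matching any run of characters with an explicit Deny overriding Allow.

```python
import fnmatch

# Added example (not from the page): evaluate a RAM-style policy document
# against an (action, resource) request to see what the policy really grants.
# The project and Logstore names are constructed placeholders.
PROJECT, LOGSTORE = "my-project", "my-logstore"

CONSUME_ACTIONS = [
    "log:ListShards", "log:GetCursorOrData", "log:GetConsumerGroupCheckPoint",
    "log:UpdateConsumerGroup", "log:ConsumerGroupHeartBeat",
    "log:ConsumerGroupUpdateCheckPoint", "log:ListConsumerGroup",
    "log:CreateConsumerGroup",
]

def consume_logstore_policy(include_children: bool) -> dict:
    """The page's 'consume a specified Logstore' policy; include_children=False
    drops the trailing '/*' entry to show why that entry is needed."""
    base = f"acs:log:*:*:project/{PROJECT}/logstore/{LOGSTORE}"
    resources = [base] + ([base + "/*"] if include_children else [])
    return {"Version": "1", "Statement": [
        {"Action": CONSUME_ACTIONS, "Resource": resources, "Effect": "Allow"},
    ]}

def _as_list(value) -> list:
    # "Action" and "Resource" may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _any_match(patterns, value: str) -> bool:
    # '*' matches any run of characters (including '/'), '?' a single one.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Default deny; a matching Deny statement wins over any matching Allow."""
    decision = False
    for stmt in policy["Statement"]:
        if _any_match(stmt["Action"], action) and _any_match(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision

if __name__ == "__main__":
    ls = f"acs:log:cn-hangzhou:1234567890:project/{PROJECT}/logstore/{LOGSTORE}"
    narrow, full = consume_logstore_policy(False), consume_logstore_policy(True)
    print(is_allowed(narrow, "log:ListShards", ls))                    # True
    # A shard under the Logstore is only covered by the '/*' entry.
    print(is_allowed(narrow, "log:GetCursorOrData", ls + "/shard/0"))  # False
    print(is_allowed(full, "log:GetCursorOrData", ls + "/shard/0"))    # True
    # Actions outside the allow list stay denied (least privilege).
    print(is_allowed(full, "log:DeleteLogStore", ls))                  # False
```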

Related topics

For more information, see the following topics: