This topic describes how to use custom policies to grant permissions to a RAM user. In the RAM console, you can grant permissions to the RAM users under your Alibaba Cloud account.

Background information

For data security reasons, we recommend that you follow the principle of least privilege (PoLP) when you grant permissions to RAM users. You must grant the read-only permission on the project list to RAM users. Otherwise, the RAM users cannot view the projects in the project list. For more information, see Create a RAM user and authorize the RAM user to access Log Service and Manage Policies.

Use the RAM console to grant permissions to a RAM user

  • The read-only permission on projects
    For example, you need to use your Alibaba Cloud account to grant a RAM user the following permissions:
    • The permission to view the project list of the Alibaba Cloud account
    • The permission to read the projects that are specified by the Alibaba Cloud account
    Use the following policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": ["log:ListProject"],
          "Resource": ["acs:log:*:*:project/*"],
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*",
            "log:List*"
          ],
          "Resource": "acs:log:*:*:project/<The name of the project>/*",
          "Effect": "Allow"
        }
      ]
    }
  • The permission to read a specified Logstore, save a search, and use the saved search
    For example, you need to use your Alibaba Cloud account to grant a RAM user the following permissions:
    • The permission to view the project list of the Alibaba Cloud account
    • The permission to read a specified Logstore, save a search, and use the saved search
    Use the following policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:ListProject"
          ],
          "Resource": "acs:log:*:*:project/*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:List*"
          ],
          "Resource": "acs:log:*:*:project/<The name of the project>/logstore/*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*",
            "log:List*"
          ],
          "Resource": [
            "acs:log:*:*:project/<The name of the project>/logstore/<The name of the Logstore>"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:List*"
          ],
          "Resource": [
            "acs:log:*:*:project/<The name of the project>/dashboard",
            "acs:log:*:*:project/<The name of the project>/dashboard/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*",
            "log:List*",
            "log:Create*"
          ],
          "Resource": [
            "acs:log:*:*:project/<The name of the project>/savedsearch",
            "acs:log:*:*:project/<The name of the project>/savedsearch/*"
          ],
          "Effect": "Allow"
        }
      ]
    }
    Note: In the policy, a resource that does not end with an asterisk (*) indicates the current resource only. A resource that ends with an asterisk (*) indicates all resources under the current resource.
  • The permission to read a specified Logstore and view all saved searches and dashboards in a project
    For example, you need to use your Alibaba Cloud account to grant a RAM user the following permissions:
    • The permission to view the project list of the Alibaba Cloud account
    • The permission to read a specified Logstore and view all saved searches and dashboards in a project
    Use the following policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:ListProject"
          ],
          "Resource": "acs:log:*:*:project/*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:List*"
          ],
          "Resource": "acs:log:*:*:project/<The name of the project>/logstore/*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*",
            "log:List*"
          ],
          "Resource": [
            "acs:log:*:*:project/<The name of the project>/logstore/<The name of the Logstore>"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*",
            "log:List*"
          ],
          "Resource": [
            "acs:log:*:*:project/<The name of the project>/dashboard",
            "acs:log:*:*:project/<The name of the project>/dashboard/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*",
            "log:List*"
          ],
          "Resource": [
            "acs:log:*:*:project/<The name of the project>/savedsearch",
            "acs:log:*:*:project/<The name of the project>/savedsearch/*"
          ],
          "Effect": "Allow"
        }
      ]
    }

Use API operations to grant permissions to a RAM user

  • The permission to write data to a specified project
    To grant a RAM user only the permission to write data to a specified project, use the following policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:Post*"
          ],
          "Resource": "acs:log:*:*:project/<The name of the project>/*",
          "Effect": "Allow"
        }
      ]
    }
  • The permission to consume data of a specified project
    To grant a RAM user only the permission to consume data of a specified project, use the following policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:ListShards",
            "log:GetCursorOrData",
            "log:GetConsumerGroupCheckPoint",
            "log:UpdateConsumerGroup",
            "log:ConsumerGroupHeartBeat",
            "log:ConsumerGroupUpdateCheckPoint",
            "log:ListConsumerGroup",
            "log:CreateConsumerGroup"
          ],
          "Resource": "acs:log:*:*:project/<The name of the project>/*",
          "Effect": "Allow"
        }
      ]
    }
  • The permission to consume data of a specified Logstore
    To grant a RAM user only the permission to consume data of a specified Logstore, use the following policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:ListShards",
            "log:GetCursorOrData",
            "log:GetConsumerGroupCheckPoint",
            "log:UpdateConsumerGroup",
            "log:ConsumerGroupHeartBeat",
            "log:ConsumerGroupUpdateCheckPoint",
            "log:ListConsumerGroup",
            "log:CreateConsumerGroup"
          ],
          "Resource": [
            "acs:log:*:*:project/<The name of the project>/logstore/<The name of the Logstore>",
            "acs:log:*:*:project/<The name of the project>/logstore/<The name of the Logstore>/*"
          ],
          "Effect": "Allow"
        }
      ]
    }
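The following added example is not Alibaba Cloud code: it is a simplified simulator of RAM policy evaluation that lets you check a policy from this page against concrete action/resource pairs before you attach it. It uses the Logstore consumption policy above with made-up project, Logstore, region and account values, and it demonstrates the asterisk rule from the Note (a resource without a trailing `*` matches only itself; `/*` matches everything under it).

```python
import re

# Added example (not Alibaba Cloud code): a simplified RAM policy simulator
# for sanity-checking the policies on this page before attaching them.

def _as_list(value):
    # A policy field may be a single string or a list of strings.
    return [value] if isinstance(value, str) else list(value)

def _matches(pattern, value):
    # RAM patterns use '*' as the only wildcard; everything else is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def is_allowed(policy, action, resource):
    """Default deny; an explicit Deny statement beats any Allow (RAM semantics).
    A resource pattern without a trailing '*' matches only that resource; one
    ending in '/*' matches everything under it, as the Note above explains."""
    allowed = False
    for stmt in policy["Statement"]:
        if (any(_matches(a, action) for a in _as_list(stmt["Action"])) and
                any(_matches(r, resource) for r in _as_list(stmt["Resource"]))):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

# Constructed sample: the "consume data of a specified Logstore" policy from
# this page, with the placeholders replaced by made-up names.
PROJECT, LOGSTORE = "my-project", "my-logstore"
CONSUME_LOGSTORE_POLICY = {
    "Version": "1",
    "Statement": [{
        "Action": ["log:ListShards", "log:GetCursorOrData",
                   "log:GetConsumerGroupCheckPoint", "log:UpdateConsumerGroup",
                   "log:ConsumerGroupHeartBeat", "log:ConsumerGroupUpdateCheckPoint",
                   "log:ListConsumerGroup", "log:CreateConsumerGroup"],
        "Resource": [f"acs:log:*:*:project/{PROJECT}/logstore/{LOGSTORE}",
                     f"acs:log:*:*:project/{PROJECT}/logstore/{LOGSTORE}/*"],
        "Effect": "Allow",
    }],
}

def logstore_arn(project, logstore, suffix=""):
    # Region and account ID are made up; the policy's '*' segments cover any.
    return f"acs:log:cn-hangzhou:1234567890123456:project/{project}/logstore/{logstore}{suffix}"

if __name__ == "__main__":
    print(is_allowed(CONSUME_LOGSTORE_POLICY, "log:GetCursorOrData", logstore_arn(PROJECT, LOGSTORE)))
    print(is_allowed(CONSUME_LOGSTORE_POLICY, "log:GetCursorOrData", logstore_arn(PROJECT, "other")))
```

Run the checks with the project and Logstore names you intend to use; a consumer that also needs to see the project list must additionally receive `log:ListProject` on `acs:log:*:*:project/*`, which this policy deliberately omits.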

References

For more information, see the following topics: