You can use RAM to grant permissions to RAM users under your Alibaba Cloud account.

Your Alibaba Cloud account can grant its RAM users the permissions to access or operate Log Service. You can grant system policies and custom policies to RAM users.

Precautions

  • To maintain Log Service security, we recommend that you follow the principle of least privilege (PoLP). That is, do not grant RAM users any permissions beyond their requirements.
  • In normal cases, you only need to grant RAM users the read-only permission for the project list so that they can view resources in the project list.
  • log:ListProject provides the permission to view the project list.
    • RAM users with this permission can view all projects but cannot be restricted to a specific project they want to view.
    • RAM users without this permission cannot view any project.

Read-only permission for the project list and specified project in the console

If an Alibaba Cloud account needs to grant RAM users the following permissions:
  1. Permission to view the project list under the Alibaba Cloud account
  2. Read-only permission to the project specified by the Alibaba Cloud account

The policy that grants RAM users both permissions is as follows:

{
  "Version": "1",
  "Statement": [
    {
      "Action": ["log:ListProject"],
      "Resource": ["acs:log:*:*:project/*"],
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:Get*",
        "log:List*"
      ],
      "Resource": "acs:log:*:*:project/<name of the specified project>/*",
      "Effect": "Allow"
    }
  ]
}

Read-only permission for the specified Logstore and the permissions to create and use saved searches

If an Alibaba Cloud account needs to grant RAM users the following permissions:
  1. Permission to view the project list under the Alibaba Cloud account
  2. Read-only permission for the specified Logstore and the permissions to create and use saved searches

The policy that grants RAM users both permissions is as follows:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:ListProject"
      ],
      "Resource": "acs:log:*:*:project/*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:List*"
      ],
      "Resource": "acs:log:*:*:project/<name of the specified project>/logstore/*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:Get*",
        "log:List*"
      ],
      "Resource": [
        "acs:log:*:*:project/<name of the specified project>/logstore/<name of the specified Logstore>"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:List*"
      ],
      "Resource": [
        "acs:log:*:*:project/<name of the specified project>/dashboard",
        "acs:log:*:*:project/<name of the specified project>/dashboard/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:Get*",
        "log:List*",
        "log:Create*"
      ],
      "Resource": [
        "acs:log:*:*:project/<name of the specified project>/savedsearch",
        "acs:log:*:*:project/<name of the specified project>/savedsearch/*"
      ],
      "Effect": "Allow"
    }
  ]
}

Read-only permission for all saved searches, dashboards, and the specified Logstore in the specified project in the console

If an Alibaba Cloud account needs to grant RAM users the following permissions:
  1. Permission to view the project list under the Alibaba Cloud account
  2. Permissions to view the specified Logstore and all saved searches and dashboards
Note: If you want to grant the read-only permission for the specified Logstore to RAM users, you must also grant the RAM users the permission to view all saved searches and dashboards.

The policy that grants RAM users both permissions is as follows:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:ListProject"
      ],
      "Resource": "acs:log:*:*:project/*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:List*"
      ],
      "Resource": "acs:log:*:*:project/<name of the specified project>/logstore/*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:Get*",
        "log:List*"
      ],
      "Resource": [
        "acs:log:*:*:project/<name of the specified project>/logstore/<name of the specified Logstore>"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:Get*",
        "log:List*"
      ],
      "Resource": [
        "acs:log:*:*:project/<name of the specified project>/dashboard",
        "acs:log:*:*:project/<name of the specified project>/dashboard/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:Get*",
        "log:List*"
      ],
      "Resource": [
        "acs:log:*:*:project/<name of the specified project>/savedsearch",
        "acs:log:*:*:project/<name of the specified project>/savedsearch/*"
      ],
      "Effect": "Allow"
    }
  ]
}

Permission to write data to the specified project through API calls

You can grant RAM users the permission to only write data to the specified project.

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:Post*"
      ],
      "Resource": "acs:log:*:*:project/<name of the specified project>/*",
      "Effect": "Allow"
    }
  ]
}

Permission to consume the specified project through API calls

You can grant RAM users the permission to only consume data of the specified project.

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:ListShards",
        "log:GetCursorOrData",
        "log:GetConsumerGroupCheckPoint",
        "log:UpdateConsumerGroup",
        "log:ConsumerGroupHeartBeat",
        "log:ConsumerGroupUpdateCheckPoint",
        "log:ListConsumerGroup",
        "log:CreateConsumerGroup"
      ],
      "Resource": "acs:log:*:*:project/<name of the specified project>/*",
      "Effect": "Allow"
    }
  ]
}

Permission to consume the specified Logstore through API calls

You can grant RAM users the permission to only consume data of the specified Logstore.

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:GetCursorOrData",
        "log:GetConsumerGroupCheckPoint",
        "log:UpdateConsumerGroup",
        "log:ConsumerGroupHeartBeat",
        "log:ConsumerGroupUpdateCheckPoint",
        "log:ListConsumerGroup",
        "log:CreateConsumerGroup"
      ],
      "Resource": [
        "acs:log:*:*:project/<name of the specified project>/logstore/<name of the specified Logstore>",
        "acs:log:*:*:project/<name of the specified project>/logstore/<name of the specified Logstore>/*"
      ],
      "Effect": "Allow"
    }
  ]
}
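The policies on this page all follow the same shape: an Action list that may end in a `*` wildcard, a Resource string or list in `acs:log:<region>:<account>:project/...` form, and an Effect. Before attaching such a policy, it is worth checking offline that it grants exactly what the section intends (the read-only project policy at the top of the page and the Logstore consumption policy just above) and nothing more. The following Python is an added example, not code from Alibaba Cloud or this documentation: it is a minimal policy evaluator and linter written here for the demonstration. It assumes the simple RAM semantics of default deny, explicit Deny overriding Allow, and `*` as the only wildcard; the project name `my-project`, the Logstore name `my-logstore`, the region `cn-hangzhou` and the account ID `1234` are constructed placeholders standing in for the `<name of the specified ...>` fields on the page.

```python
import json
import re

# Constructed copies of two policies from this page, with the placeholders
# filled in with made-up names (my-project, my-logstore) for the demonstration.
READ_ONLY_PROJECT_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": ["log:ListProject"],
     "Resource": ["acs:log:*:*:project/*"],
     "Effect": "Allow"},
    {"Action": ["log:Get*", "log:List*"],
     "Resource": "acs:log:*:*:project/my-project/*",
     "Effect": "Allow"}
  ]
}
""")

CONSUME_LOGSTORE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": ["log:GetCursorOrData", "log:GetConsumerGroupCheckPoint",
                "log:UpdateConsumerGroup", "log:ConsumerGroupHeartBeat",
                "log:ConsumerGroupUpdateCheckPoint", "log:ListConsumerGroup",
                "log:CreateConsumerGroup"],
     "Resource": ["acs:log:*:*:project/my-project/logstore/my-logstore",
                  "acs:log:*:*:project/my-project/logstore/my-logstore/*"],
     "Effect": "Allow"}
  ]
}
""")


def _as_list(value):
    # Resource and Action may be a single string or a list in these policies.
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, text):
    # '*' is the only wildcard; every other character is matched literally.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text) is not None


def lint_policy(policy):
    """Return structural problems as strings; an empty list means the policy looks sane.
    This catches the kind of typo (e.g. "Alow") that would otherwise be rejected
    or misread at attach time."""
    problems = []
    if policy.get("Version") != "1":
        problems.append('Version must be "1"')
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny, got {stmt.get('Effect')!r}")
        for action in _as_list(stmt.get("Action", [])):
            if not action.startswith("log:"):
                problems.append(f"statement {i}: action {action!r} is not a Log Service action")
        for res in _as_list(stmt.get("Resource", [])):
            if not res.startswith("acs:log:"):
                problems.append(f"statement {i}: resource {res!r} is not a Log Service resource")
    return problems


def is_allowed(policy, action, resource):
    """Evaluate one (action, resource) pair: default deny, explicit Deny wins over Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_glob_match(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_glob_match(r, resource) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    base = "acs:log:cn-hangzhou:1234:project/"  # constructed region/account
    checks = [
        (READ_ONLY_PROJECT_POLICY, "log:GetLogs", base + "my-project/logstore/app"),
        (READ_ONLY_PROJECT_POLICY, "log:GetLogs", base + "other/logstore/app"),
        (READ_ONLY_PROJECT_POLICY, "log:DeleteLogStore", base + "my-project/logstore/app"),
        (CONSUME_LOGSTORE_POLICY, "log:GetCursorOrData", base + "my-project/logstore/my-logstore/shard/0"),
        (CONSUME_LOGSTORE_POLICY, "log:PostLogStoreLogs", base + "my-project/logstore/my-logstore"),
    ]
    for policy, action, resource in checks:
        print(f"{action:24s} {resource:60s} -> {'allow' if is_allowed(policy, action, resource) else 'deny'}")
```

Run against the read-only policy, the evaluator confirms that `log:Get*` covers `log:GetLogs` inside `my-project` but not inside any other project, and that a write or delete action is denied because no statement mentions it, which is the least-privilege property the Precautions section asks for. The consumption policy likewise allows `log:GetCursorOrData` on shards of `my-logstore` only, and nothing at all for `log:PostLogStoreLogs`.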