After you attach system or custom policies to a Resource Access Management (RAM) user, the RAM user holds the permissions defined in those policies and can use them to access Alibaba Cloud resources. You can grant RAM users permissions to access and manage ActionTrail, for example to query events and to manage trails and alerts. This topic describes how to grant a RAM user the permissions needed to manage ActionTrail.
Prerequisites
A RAM user is created. For more information, see Create a RAM user.
The AliyunServiceRoleForActionTrail service-linked role is created. For more information, see Manage the service-linked role.
Procedure
Log on to the RAM console.
In the left-side navigation pane, choose .
On the Users page, find the required RAM user and click Add Permissions in the Actions column.
In the Add Permissions panel, set Authorized Scope to Alibaba Cloud Account and select a policy.
System Policy: select one or more of the following system policies in the Authorization Policy Name column.
Policy | Description
AliyunActionTrailReadOnlyAccess | Provides read-only permissions on ActionTrail.
AliyunActionTrailFullAccess | Provides full permissions on ActionTrail.
AliyunOSSReadOnlyAccess | Provides read-only permissions on Object Storage Service (OSS).
AliyunLogReadOnlyAccess | Provides read-only permissions on Simple Log Service.
Custom Policy: select one or more of your own custom policies in the Authorization Policy Name column.
For more information about how to create a custom policy, see Create custom policies.
Example 1: Grant a RAM user full permissions on ActionTrail and the permissions to view OSS buckets and Simple Log Service projects. This way, the RAM user can manage trails.
Sample code:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "actiontrail:*",
        "oss:GetService",
        "log:ListProject"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Policy content:
Action | Description
oss:GetService | Allows a RAM user to view OSS buckets.
log:ListProject | Allows a RAM user to view Simple Log Service projects.
actiontrail:* | Provides full permissions on ActionTrail.
Example 2: Grant a RAM user the permissions to manage trails in ActionTrail and the permissions to manage Logstores, indexes, dashboards, charts, and projects in Simple Log Service. This way, the RAM user can manage alerts.
Sample code:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "actiontrail:DescribeTrails",
        "actiontrail:SetDefaultTrail",
        "actiontrail:GetDefaultTrail",
        "actiontrail:CreateTrail"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:CreateLogStore",
        "log:CreateIndex",
        "log:UpdateIndex"
      ],
      "Resource": [
        "acs:log:*:*:project/Project name/logstore/internal-alert-history",
        "acs:log:*:*:project/sls-alert-*/logstore/internal-alert-center-log"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:CreateDashboard",
        "log:CreateChart",
        "log:UpdateDashboard"
      ],
      "Resource": "acs:log:*:*:project/Project name/dashboard/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:*"
      ],
      "Resource": "acs:log:*:*:project/Project name/job/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:CreateProject"
      ],
      "Resource": [
        "acs:log:*:*:project/sls-alert-*"
      ]
    }
  ]
}
Policy content:
Action | Description
actiontrail:DescribeTrails | Allows a RAM user to query trails.
actiontrail:SetDefaultTrail | Allows a RAM user to specify the default trail for alerting.
actiontrail:GetDefaultTrail | Allows a RAM user to query the default trail for alerting.
actiontrail:CreateTrail | Allows a RAM user to create a trail.
log:CreateLogStore | Allows a RAM user to create a Logstore.
log:CreateIndex | Allows a RAM user to create an index.
log:UpdateIndex | Allows a RAM user to update an index.
log:CreateDashboard | Allows a RAM user to create a dashboard.
log:CreateChart | Allows a RAM user to create a chart.
log:UpdateDashboard | Allows a RAM user to update a dashboard.
log:CreateProject | Allows a RAM user to create a Simple Log Service project.
Click OK.
Click Complete.
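Before attaching a custom policy such as Example 1 or Example 2, it is worth checking what it actually grants. The following added example (not code from Alibaba Cloud or this page) is a small policy evaluator: it reports whether a given action on a given resource would be allowed under the page's "Allow wins unless a Deny matches, otherwise implicit deny" model, and flags wildcard actions that are paired with Resource "*". The sample policy embeds the Simple Log Service statements of Example 2 with the "Project name" placeholder replaced by a constructed project called audit-proj; treating action and resource matching as case-insensitive is a simplification, not documented RAM behaviour.

```python
import fnmatch
import json

# Constructed sample: the Simple Log Service statements of Example 2 above, with the
# "Project name" placeholder replaced by a made-up project called audit-proj.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["log:CreateLogStore", "log:CreateIndex", "log:UpdateIndex"],
         "Resource": ["acs:log:*:*:project/audit-proj/logstore/internal-alert-history",
                      "acs:log:*:*:project/sls-alert-*/logstore/internal-alert-center-log"]},
        {"Effect": "Allow", "Action": ["log:*"],
         "Resource": "acs:log:*:*:project/audit-proj/job/*"},
        {"Effect": "Allow", "Action": ["log:CreateProject"],
         "Resource": ["acs:log:*:*:project/sls-alert-*"]},
    ],
})
# Example 1 from this page: full ActionTrail access on every resource.
EXAMPLE1_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{"Action": ["actiontrail:*", "oss:GetService", "log:ListProject"],
                   "Resource": "*", "Effect": "Allow"}],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, candidate):
    # "*" and "?" are the policy wildcards; case-insensitive matching is a simplification.
    return any(fnmatch.fnmatchcase(candidate.lower(), p.lower()) for p in _as_list(patterns))

def is_allowed(policy_json, action, resource):
    """True if the policy grants action on resource. An explicit Deny always wins;
    a request that no statement matches is implicitly denied."""
    allowed = False
    for stmt in json.loads(policy_json)["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def broad_grants(policy_json):
    """Wildcard actions that an Allow statement pairs with Resource "*"."""
    hits = []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt["Effect"] == "Allow" and "*" in _as_list(stmt["Resource"]):
            hits.extend(a for a in _as_list(stmt["Action"]) if "*" in a)
    return hits
```

Run is_allowed against the Logstores and projects the RAM user should and should not touch; a scoped policy like Example 2 should permit only the alert-related resources, while broad_grants on Example 1 shows the actiontrail:* grant that applies to every resource.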
References
For more information about how to grant permissions to a RAM user, see Grant permissions to a RAM user.
You can also call operations to grant permissions to a RAM user. For more information, see AttachPolicyToUser.