The permission policy AliyunActionTrailDeliveryPolicy is used to grant permissions related to event delivery. This topic describes the scenarios that the permission policy is applicable to and the permissions of the policy.
Scenarios
- Access Log Service
If you specify a Log Service project to store event logs, ActionTrail must create a Logstore in the specified project and write event logs to the Logstore. In this case, ActionTrail must use the AliyunActionTrailDeliveryPolicy policy to obtain the permissions to access Log Service.
- Access Object Storage Service (OSS)
If you specify an OSS bucket to store event logs, ActionTrail must write event logs to the specified OSS bucket. In this case, ActionTrail must use the AliyunActionTrailDeliveryPolicy policy to obtain the permissions to access OSS.
Permissions
Policy: AliyunActionTrailDeliveryPolicy
The following code block shows the AliyunActionTrailDeliveryPolicy permission policy:
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:PutObject",
        "oss:GetBucketLocation"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:GetProject"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:PostLogStoreLogs",
        "log:CreateLogstore",
        "log:GetLogstore",
        "log:CreateIndex",
        "log:UpdateIndex",
        "log:GetIndex"
      ],
      "Resource": "acs:log:*:*:project/*/logstore/actiontrail_*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:CreateDashboard",
        "log:UpdateDashboard"
      ],
      "Resource": "acs:log:*:*:project/*/dashboard/*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:CreateSavedSearch",
        "log:UpdateSavedSearch"
      ],
      "Resource": "acs:log:*:*:project/*/savedsearch/actiontrail_*",
      "Effect": "Allow"
    }
  ]
}
```
The permission policy allows ActionTrail to access resources in Log Service and OSS. The following table describes the operations that are allowed by the permission policy.
| Action | Description |
| --- | --- |
| oss:GetBucketLocation | Obtains the region where a specified OSS bucket resides. |
| oss:PutObject | Writes event logs to a specified OSS bucket. |
| log:GetProject | Queries whether a Log Service project exists. |
| log:PostLogStoreLogs | Writes event logs to a specified Log Service Logstore. |
| log:GetLogstore | Queries whether a Log Service Logstore exists. |
| log:CreateLogstore | Creates a Log Service Logstore. |
| log:CreateIndex | Creates an index. |
| log:UpdateIndex | Updates an index. |
| log:GetIndex | Obtains an index. |
| log:CreateDashboard | Creates a dashboard. |
| log:UpdateDashboard | Updates a dashboard. |
| log:CreateSavedSearch | Creates a saved search. |
| log:UpdateSavedSearch | Updates a saved search. |
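The following is an added example, not code from the Alibaba Cloud documentation: a small evaluator that checks a given action and resource ARN against the policy above, so a reviewer can confirm how far each statement reaches. It shows that the Logstore and saved-search statements only cover resources named `actiontrail_*`, while the OSS statements and `log:GetProject` apply to `Resource: "*"`, which is worth knowing when the delivery role's trust policy is reviewed. The matching rule (`*` as a wildcard, explicit Deny overriding Allow) is a simplified model of RAM evaluation assumed here, and the sample ARNs and account ID are constructed.

```python
import re

# The AliyunActionTrailDeliveryPolicy document from this page, as a Python dict.
POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["oss:PutObject", "oss:GetBucketLocation"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["log:GetProject"], "Resource": "*", "Effect": "Allow"},
        {"Action": ["log:PostLogStoreLogs", "log:CreateLogstore", "log:GetLogstore",
                    "log:CreateIndex", "log:UpdateIndex", "log:GetIndex"],
         "Resource": "acs:log:*:*:project/*/logstore/actiontrail_*", "Effect": "Allow"},
        {"Action": ["log:CreateDashboard", "log:UpdateDashboard"],
         "Resource": "acs:log:*:*:project/*/dashboard/*", "Effect": "Allow"},
        {"Action": ["log:CreateSavedSearch", "log:UpdateSavedSearch"],
         "Resource": "acs:log:*:*:project/*/savedsearch/actiontrail_*", "Effect": "Allow"},
    ],
}


def _matches(pattern: str, value: str) -> bool:
    """Match a policy pattern in which '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(field):
    return [field] if isinstance(field, str) else list(field)


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """True if an Allow statement covers (action, resource) and no Deny statement does.
    Simplified model (assumption): no Condition elements, Deny wins over Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        hit = (any(_matches(a, action) for a in _as_list(stmt["Action"]))
               and any(_matches(r, resource) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or hit
    return allowed


def unscoped_actions(policy: dict) -> list:
    """Actions granted on Resource '*' (no resource restriction), in policy order."""
    return [a for s in policy["Statement"] if s["Effect"] == "Allow"
            and "*" in _as_list(s["Resource"]) for a in _as_list(s["Action"])]


if __name__ == "__main__":
    # Constructed sample ARNs; account ID 1234567890 is a placeholder.
    base = "acs:log:cn-hangzhou:1234567890:project/audit-project/logstore/"
    print(is_allowed(POLICY, "log:PostLogStoreLogs", base + "actiontrail_main"))  # True
    print(is_allowed(POLICY, "log:PostLogStoreLogs", base + "app-logs"))          # False
    print(unscoped_actions(POLICY))
```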