This topic describes how to create a RAM user and grant it permissions on Log Service. Once the RAM user is created and authorized, it can be used instead of the Alibaba Cloud account to manage your Log Service resources.

Background information

You may need to grant O&M staff the permissions to manage your Log Service resources and grant other staff the permissions to access Log Service resources based on your business requirements. In this case, you can create RAM users and grant required permissions to the RAM users. Then, the related staff such as the O&M staff can access Log Service resources as RAM users. For data security reasons, we recommend that you follow the principle of least privilege (PoLP) when you grant permissions to RAM users. For more information about RAM users, see Introduction.

Step 1: Create a RAM user

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, click Create User.
  4. On the Create User page, specify Logon Name and Display Name in the User Account Information section.
    Note You can click Add User to create multiple RAM users at a time.
  5. In the Access Mode section, select Console Access or Programmatic Access.
    • Console Access: If you select this access mode, you must complete the logon security settings. These settings specify whether to use a system-generated or custom logon password, whether the password must be reset on the next logon, and whether to enable multi-factor authentication (MFA).
      Note If you select Custom Logon Password in the Console Password section, you must specify a password. The password must meet the complexity requirements. For more information about the complexity requirements, see Configure a password policy for RAM users.
    • Programmatic Access: If you select this access mode, an AccessKey pair is automatically created for the RAM user. The RAM user can call API operations or use other development tools to access Alibaba Cloud resources.
    Note We recommend that you select only one access mode for the RAM user to ensure the security of your Alibaba Cloud account. This prevents the RAM user from using an AccessKey pair to access Alibaba Cloud resources after the RAM user leaves the organization.
  6. Click OK.

Step 2: Grant permissions to the RAM user

By default, a RAM user has no permissions. After you create a RAM user, you must attach system policies or custom policies to the RAM user before the RAM user can perform related operations. Resource Access Management (RAM) provides the following two system policies for Log Service:
  • AliyunLogFullAccess: the permissions to manage all Log Service resources.
  • AliyunLogReadOnlyAccess: the read-only permissions on all Log Service resources.

If the system policies do not meet your business requirements, you can create a custom policy to implement fine-grained access control, for example to limit a RAM user to specific projects or Logstores. For more information, see Create a custom policy. For policy examples, see Use custom policies to grant permissions to a RAM user and Overview.
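As an added example (not part of this topic and not Alibaba Cloud's own code), the following Python script builds a custom policy that is narrower than AliyunLogReadOnlyAccess: read-only access to the Logstores of a single project. It also includes a least-privilege check that flags any Allow statement using a wildcard action or resource, which is a useful gate before a policy is attached to a RAM user. The policy document structure (Version "1", Statement with Effect/Action/Resource), the "log:" action names and the "acs:log:*:*:project/..." resource format are assumptions based on the RAM policy reference, and "my-project" is a constructed sample project name.

```python
from __future__ import annotations

import json
from typing import Any, Union

# Assumptions (not from the original topic): RAM policy documents use
# Version "1" and a Statement list with Effect, Action and Resource; Log
# Service actions are prefixed "log:" and resources use the
# "acs:log:<region>:<account>:project/<project>[/logstore/<logstore>]"
# form. "my-project" below is a constructed sample project name.

StrOrList = Union[str, list]


def build_project_read_policy(project: str) -> dict[str, Any]:
    """Build a custom policy granting read-only access to one project.

    This is narrower than the AliyunLogReadOnlyAccess system policy,
    which covers every project in the account.
    """
    return {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["log:GetProject"],
                "Resource": f"acs:log:*:*:project/{project}",
            },
            {
                "Effect": "Allow",
                "Action": [
                    "log:ListLogStores",
                    "log:GetLogStore",
                    "log:GetLogStoreLogs",
                    "log:GetLogStoreHistogram",
                ],
                "Resource": f"acs:log:*:*:project/{project}/logstore/*",
            },
        ],
    }


def _as_list(value: StrOrList) -> list:
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy: dict[str, Any]) -> list[int]:
    """Return indexes of Allow statements that violate least privilege.

    A statement is flagged when it allows every action ("*" or any
    "<service>:*") or applies to every resource ("*"). Deny statements
    are never flagged because a broad Deny only narrows access.
    """
    flagged: list[int] = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
        wildcard_resource = any(r == "*" for r in resources)
        if wildcard_action or wildcard_resource:
            flagged.append(idx)
    return flagged


def to_policy_document(policy: dict[str, Any]) -> str:
    """Serialize the policy to the compact JSON string that is pasted into
    the console's script editor when creating a custom policy."""
    return json.dumps(policy, separators=(",", ":"))


# Constructed sample: the shape of an account-wide full-access grant,
# used here only to show what the check rejects.
FULL_ACCESS_LIKE: dict[str, Any] = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "log:*", "Resource": "*"}],
}


if __name__ == "__main__":
    policy = build_project_read_policy("my-project")
    print(to_policy_document(policy))
    print("scoped policy, over-broad statements:", find_overbroad_statements(policy))
    print("full-access policy, over-broad statements:", find_overbroad_statements(FULL_ACCESS_LIKE))
```

Run the script to print the policy document and the check results; the scoped policy reports no over-broad statements, while the full-access sample reports statement 0. Only actions the reader's RAM users actually need should be added to the Action lists, and the check should be run again after every edit to the policy.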

To attach the AliyunLogReadOnlyAccess policy to a RAM user, perform the following steps:

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, select the AliyunLogReadOnlyAccess policy and click OK.
  5. Confirm the authorization result and click Complete.

What to do next

Log on to the console as a RAM user