This topic describes how to use custom policies to grant permissions to a RAM user.

Notice For data security reasons, we recommend that you follow the principle of least privilege (PoLP) when you grant permissions to RAM users. A RAM user can view the projects in the project list only after you grant the user the read-only permissions on the project list. For more information, see Create a RAM user and authorize the RAM user to access Log Service and Manage Policies.

Grant permissions to a RAM user in the RAM console

  • The read-only permissions on projects
    For example, you want to use your Alibaba Cloud account to grant the following permissions to a RAM user:
    • The permissions to view the project list of the Alibaba Cloud account
    • The read-only permissions on the projects that are specified by the Alibaba Cloud account
    Note If you grant a RAM user the read-only permissions on a project, the RAM user cannot view the logs in the project. You must also grant the read-only permissions on specific Logstores in the project.
    Use the following policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": ["log:ListProject"],
          "Resource": ["acs:log:*:*:project/*"],
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*",
            "log:List*"
          ],
          "Resource": "acs:log:*:*:project/<Project name>/*",
          "Effect": "Allow"
        }
      ]
    }
  • The read-only permissions on a specified Logstore and the permissions to create and manage saved searches
    For example, you want to use your Alibaba Cloud account to grant the following permissions to a RAM user:
    • The permissions to view the project list of the Alibaba Cloud account
    • The read-only permissions on a specified Logstore and the permissions to create and manage saved searches
    Use the following policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:ListProject"
          ],
          "Resource": "acs:log:*:*:project/*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:List*"
          ],
          "Resource": "acs:log:*:*:project/<Project name>/logstore/*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*",
            "log:List*"
          ],
          "Resource": [
            "acs:log:*:*:project/<Project name>/logstore/<Logstore name>"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:List*"
          ],
          "Resource": [
            "acs:log:*:*:project/<Project name>/dashboard",
            "acs:log:*:*:project/<Project name>/dashboard/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*",
            "log:List*",
            "log:Create*"
          ],
          "Resource": [
            "acs:log:*:*:project/<Project name>/savedsearch",
            "acs:log:*:*:project/<Project name>/savedsearch/*"
          ],
          "Effect": "Allow"
        }
      ]
    }
  • The read-only permissions on a specified Logstore and the permissions to view all saved searches and dashboards in a project
    For example, you want to use your Alibaba Cloud account to grant the following permissions to a RAM user:
    • The permissions to view the project list of the Alibaba Cloud account
    • The read-only permissions on a specified Logstore and the permissions to view all saved searches and dashboards in the project to which the Logstore belongs
    Use the following policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:ListProject"
          ],
          "Resource": "acs:log:*:*:project/*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:List*"
          ],
          "Resource": "acs:log:*:*:project/<Project name>/logstore/*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*",
            "log:List*"
          ],
          "Resource": [
            "acs:log:*:*:project/<Project name>/logstore/<Logstore name>"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*",
            "log:List*"
          ],
          "Resource": [
            "acs:log:*:*:project/<Project name>/dashboard",
            "acs:log:*:*:project/<Project name>/dashboard/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*",
            "log:List*"
          ],
          "Resource": [
            "acs:log:*:*:project/<Project name>/savedsearch",
            "acs:log:*:*:project/<Project name>/savedsearch/*"
          ],
          "Effect": "Allow"
        }
      ]
    }

Use API operations to grant permissions to a RAM user

  • The permissions to write data to a specified project
    To grant a RAM user only the permissions to write data to a specified project, use the following policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:Post*"
          ],
          "Resource": "acs:log:*:*:project/<Project name>/*",
          "Effect": "Allow"
        }
      ]
    }
  • The permissions to consume data from a specified project
    To grant a RAM user only the permissions to consume data from a specified project, use the following policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:ListShards",
            "log:GetCursorOrData",
            "log:GetConsumerGroupCheckPoint",
            "log:UpdateConsumerGroup",
            "log:ConsumerGroupHeartBeat",
            "log:ConsumerGroupUpdateCheckPoint",
            "log:ListConsumerGroup",
            "log:CreateConsumerGroup"
          ],
          "Resource": "acs:log:*:*:project/<Project name>/*",
          "Effect": "Allow"
        }
      ]
    }
  • The permissions to consume data from a specified Logstore
    To grant a RAM user only the permissions to consume data from a specified Logstore, use the following policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:ListShards",
            "log:GetCursorOrData",
            "log:GetConsumerGroupCheckPoint",
            "log:UpdateConsumerGroup",
            "log:ConsumerGroupHeartBeat",
            "log:ConsumerGroupUpdateCheckPoint",
            "log:ListConsumerGroup",
            "log:CreateConsumerGroup"
          ],
          "Resource": [
            "acs:log:*:*:project/<Project name>/logstore/<Logstore name>",
            "acs:log:*:*:project/<Project name>/logstore/<Logstore name>/*"
          ],
          "Effect": "Allow"
        }
      ]
    }
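The following script is an added example, not code from Log Service or its documentation: it loads the read-only project policy from the console section and the Logstore-scoped consumer policy from this section, with <Project name> and <Logstore name> replaced by the constructed values my-project and app-log, and simulates the evaluation locally (an explicit Deny wins, otherwise any matching Allow, otherwise deny) so a reviewer can confirm before attaching a policy that the read-only policy grants no log:Post* write and that the consumer policy cannot reach a second Logstore. The wildcard semantics are an approximation of the RAM engine, and the action names log:GetLogStoreLogs and log:PostLogStoreLogs used in the checks are assumptions.

```python
import fnmatch
import json

# Constructed sample: the page's "read-only permissions on projects" policy with
# <Project name> replaced by the made-up project "my-project".
READ_ONLY_PROJECT = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Action": ["log:ListProject"], "Resource": ["acs:log:*:*:project/*"], "Effect": "Allow"},
    {"Action": ["log:Get*", "log:List*"], "Resource": "acs:log:*:*:project/my-project/*", "Effect": "Allow"}
  ]}""")

# Constructed sample: the page's "consume data from a specified Logstore" policy,
# scoped to the made-up Logstore "app-log" in "my-project".
CONSUME_LOGSTORE = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Action": ["log:ListShards", "log:GetCursorOrData", "log:ListConsumerGroup", "log:CreateConsumerGroup"],
     "Resource": ["acs:log:*:*:project/my-project/logstore/app-log",
                  "acs:log:*:*:project/my-project/logstore/app-log/*"],
     "Effect": "Allow"}
  ]}""")

def _matches(patterns, value):
    # Action and Resource may be a string or a list; "*" matches any run of characters.
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_allowed(policy, action, resource):
    """Approximate RAM evaluation: explicit Deny wins, then any matching Allow, else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def unexpected_grants(policy, must_deny):
    """Return the (action, resource) pairs the policy allows although the reviewer expects a deny."""
    return [(a, r) for a, r in must_deny if is_allowed(policy, a, r)]

if __name__ == "__main__":
    # Assumed action names for the checks; the resource string is constructed.
    arn = "acs:log:cn-hangzhou:1234567890:project/my-project/logstore/app-log"
    print(is_allowed(READ_ONLY_PROJECT, "log:GetLogStoreLogs", arn))
    print(unexpected_grants(READ_ONLY_PROJECT, [("log:PostLogStoreLogs", arn)]))
    print(unexpected_grants(CONSUME_LOGSTORE, [("log:GetCursorOrData", arn.replace("app-log", "other"))]))
```

An empty list from unexpected_grants means every pair the reviewer expected to be denied is in fact denied by the document as written.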
