Log Service provides features that can be used together with Resource Access Management (RAM) policies and Security Token Service (STS) temporary credentials. You can use these features to manage resource access in Log Service.

User-based RAM policies

RAM is a resource access control service provided by Alibaba Cloud. You can configure RAM policies based on users. You can manage user permissions when you configure RAM policies. You can create RAM users for employees, systems, and applications. You can grant users permissions to access the resources of your Alibaba Cloud account. You can also manage the permissions that are granted to specific users on specific resources. For example, you can create a RAM policy to grant users read-only permissions on specific resources in a project or a Logstore.

A RAM policy is in the JSON format. You can write a RAM policy when you specify the Action, Effect, Resource, and Condition elements in the Statement field. You can add multiple statements to a policy to help you manage authorization in a more efficient manner.

For more information, see RAM overview.

Temporary access authorization based on STS

RAM policies allow you to access resources for a long period of time. If you want users to access resources only for a short period of time, you can use STS to create temporary credentials. You can call STS API operations to obtain temporary AccessKey pairs and tokens. Then, you can send the AccessKey pairs and tokens to temporary users to access Log Service. The permissions that are obtained by using STS are restricted and have time limits. The risk of temporary credentials being leaked does have the same level of risks as other credentials.

You can use STS to grant temporary access to Log Service. You can use STS to grant a third-party application or a RAM user that you manage an access credential that has a custom validity period and custom permissions.

For more information, see Use STS to enable cross-account access to Log Service resources.