Simple Log Service: Authorize a RAM user to manage alerts

Last Updated: Apr 01, 2024

This topic describes how to authorize a Resource Access Management (RAM) user to manage alerts.

Prerequisites

A RAM user is created. For more information, see Create a RAM user.

Background information

You can grant read-only or management permissions on alerts to a RAM user in one of the following modes:

  • Simple mode: You can grant the permissions to the RAM user without the need to configure parameters.

  • Custom mode: You can create custom policies and attach the policies to the RAM user. This mode allows you to perform fine-grained access control. However, the configurations in this mode are complex.

Read-only permissions on alerts

Simple mode

Log on to the RAM console with your Alibaba Cloud account. Then, attach the AliyunLogReadOnlyAccess policy to the RAM user. This way, the RAM user has the read-only permissions on alerts. For more information, see Grant permissions to a RAM user.

Custom mode

  1. Log on to the RAM console by using your Alibaba Cloud account.

  2. Create a policy.

    1. In the left-side navigation pane, choose Permissions > Policies.

    2. On the Policies page, click Create Policy.

    3. On the Create Policy page, click the JSON tab, replace the existing script in the code editor with the following policy document, and then click Next to edit policy information.

      • Project name is a placeholder for the project on whose alerts you want to grant read-only permissions. Replace it with the actual project name.

      • sls-alert-* specifies all projects to which the global alert center belongs within your Alibaba Cloud account. The projects store data of the alerts within your Alibaba Cloud account. The data includes the evaluation data for each alert rule, logs recorded based on each alert rule, and global reports that are related to alerts.

        If you do not need to view the global reports, you can delete acs:log:*:*:project/sls-alert-*/* from the resource list.

      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "log:GetJob",
              "log:ListJobs"
            ],
            "Resource": "acs:log:*:*:project/Project name/job/*"
          },
          {
            "Effect": "Allow",
            "Action": [
              "log:GetLogStoreLogs",
              "log:ListLogStores",
              "log:GetIndex",
              "log:GetDashboard",
              "log:ListDashboard"
            ],
            "Resource": [
              "acs:log:*:*:project/Project name",
              "acs:log:*:*:project/Project name/*",
              "acs:log:*:*:project/sls-alert-*/*"
            ]
          },
          {
            "Effect": "Allow",
            "Action": [
              "log:GetResource",
              "log:ListResources",
              "log:GetResourceRecord",
              "log:ListResourceRecords"
            ],
            "Resource": [
              "acs:log:*:*:resource/*"
            ]
          }
        ]
      }

    4. Configure the Name parameter and click OK.

  3. Grant permissions to the RAM user.

    1. In the left-side navigation pane, choose Identities > Users.

    2. On the Users page, find the RAM user to which you want to attach the policy and click Add Permissions in the Actions column.

    3. In the Select Policy section of the Add Permissions panel, click Custom Policy, select the policy that you created in Step 2, and then click OK.

    4. Verify that the policy is attached to the RAM user and click Complete.

Management permissions on alerts

Simple mode

Log on to the RAM console with your Alibaba Cloud account. Then, attach the AliyunLogFullAccess policy to the RAM user. This way, the RAM user has management permissions on Simple Log Service. For more information, see Grant permissions to a RAM user.

Custom mode

  1. Log on to the RAM console by using your Alibaba Cloud account.

  2. Create a policy.

    1. In the left-side navigation pane, choose Permissions > Policies.

    2. On the Policies page, click Create Policy.

    3. On the Create Policy page, click the JSON tab, replace the existing script in the code editor with the following policy document, and then click Next to edit policy information.

      • Project name is a placeholder for the project on whose alerts you want to grant management permissions. Replace it with the actual project name.

      • sls-alert-* specifies all projects to which the global alert center belongs within your Alibaba Cloud account. The projects store data of the alerts within your Alibaba Cloud account. The data includes the evaluation data for each alert monitoring rule, logs recorded based on each alert monitoring rule, and global reports that are related to alerts.

        If you want to authorize a RAM user to manage only one project to which the global alert center belongs, you must set sls-alert-* to the name of the project in the sls-alert-${uid}-${region} format. Example: sls-alert-148****6461-cn-hangzhou.

      • If you want to use a RAM user to manage alert-related system Logstores, such as Logstores that store historical alerts and Logstores to which the global alert center belongs, you must grant the RAM user the permissions to create Logstores, create indexes, and update indexes. Then, you can use the RAM user to view alert-related reports such as Alert History.

      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "log:CreateLogStore",
              "log:CreateIndex",
              "log:UpdateIndex"
            ],
            "Resource": [
              "acs:log:*:*:project/Project name/logstore/internal-alert-history",
              "acs:log:*:*:project/sls-alert-*/logstore/internal-alert-center-log"
            ]
          },
          {
            "Effect": "Allow",
            "Action": [
              "log:*"
            ],
            "Resource": "acs:log:*:*:project/Project name/job/*"
          },
          {
            "Effect": "Allow",
            "Action": [
              "log:CreateProject"
            ],
            "Resource": [
              "acs:log:*:*:project/sls-alert-*"
            ]
          },
          {
            "Effect": "Allow",
            "Action": [
              "log:GetLogStoreLogs",
              "log:ListLogStores",
              "log:GetIndex",
              "log:GetDashboard",
              "log:CreateDashboard",
              "log:UpdateDashboard",
              "log:ListDashboard"
            ],
            "Resource": [
              "acs:log:*:*:project/Project name",
              "acs:log:*:*:project/Project name/*",
              "acs:log:*:*:project/sls-alert-*/*"
            ]
          },
          {
            "Effect": "Allow",
            "Action": [
              "log:*"
            ],
            "Resource": [
              "acs:log:*:*:resource/*"
            ]
          }
        ]
      }

    4. Configure the Name parameter and click OK.

  3. Grant permissions to the RAM user.

    1. In the left-side navigation pane, choose Identities > Users.

    2. On the Users page, find the RAM user to which you want to attach the policy and click Add Permissions in the Actions column.

    3. In the Select Policy section of the Add Permissions panel, click Custom Policy, select the policy that you created in Step 2, and then click OK.

    4. Verify that the policy is attached to the RAM user and click Complete.
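
The following Python sketch is an added example, not part of the original documentation or of Alibaba Cloud's tooling. It fills in the Project name placeholder used by both custom policies, optionally narrows sls-alert-* to a single global alert center project in the sls-alert-${uid}-${region} format, and lists what is still worth reviewing before the policy is attached. The names render, audit and SAMPLE, the project name my-project, the uid in the alert project name, and the character check on project names are assumptions made for this example.

```python
import json
import re

PLACEHOLDER = "Project name"     # placeholder used in the policy documents above
ALERT_WILDCARD = "sls-alert-*"   # matches every global alert center project

def as_list(value):
    """Action and Resource may each be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)

def render(policy, project, alert_project=None):
    """Return a copy with the placeholders replaced; the input is not modified."""
    for name in filter(None, (project, alert_project)):
        # Conservative character check (assumption) so a name cannot alter the JSON.
        if not re.fullmatch(r"[a-z0-9-]+", name):
            raise ValueError("unexpected project name: %r" % name)
    text = json.dumps(policy).replace(PLACEHOLDER, project)
    if alert_project:
        text = text.replace(ALERT_WILDCARD, alert_project)
    return json.loads(text)

def audit(policy):
    """Return (statement index, finding) pairs to review before attaching."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for res in as_list(stmt["Resource"]):
            if PLACEHOLDER in res:
                findings.append((i, "placeholder not replaced: " + res))
            if ALERT_WILDCARD in res:
                findings.append((i, "all global alert center projects: " + res))
        for act in as_list(stmt["Action"]):
            if act.endswith("*"):
                findings.append((i, "wildcard action " + act))
    return findings

# Constructed sample: two statements copied from the management policy above.
SAMPLE = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["log:*"],
     "Resource": "acs:log:*:*:project/Project name/job/*"},
    {"Effect": "Allow", "Action": ["log:CreateProject"],
     "Resource": ["acs:log:*:*:project/sls-alert-*"]},
]}

if __name__ == "__main__":
    scoped = render(SAMPLE, "my-project", "sls-alert-1234567890123456-cn-hangzhou")
    for idx, finding in audit(SAMPLE) + audit(scoped):
        print(idx, finding)
```

After rendering, the only finding left for the sample is the log:* action on the project's jobs, which the management policy grants deliberately.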