
Simple Log Service:Configure access control policies

Last Updated:Apr 12, 2024

To monitor data across multiple projects, regions, or Alibaba Cloud accounts, you must use your Alibaba Cloud account or a RAM user to authorize Simple Log Service to read data from the required Logstores or Metricstores. If you use a RAM user, the RAM user must already have the permissions that are required to manage alerts.

Authorization methods

You can use the default method to authorize Simple Log Service, or assign the built-in role or a custom role to Simple Log Service based on your business requirements. After the authorization is complete, Simple Log Service can read the Logstores and Metricstores that the alert monitoring rule queries. The following table describes when to use each authorization method.

Authorization method: Use the default method
Scenario: The alert monitoring rule monitors only Logstores and Metricstores in the project to which the rule belongs.

Authorization method: Assign the built-in role to Simple Log Service
Scenario: The alert monitoring rule belongs to one project and monitors Logstores and Metricstores in other projects of the same Alibaba Cloud account, including projects in other regions.

Authorization method: Assign a custom role to Simple Log Service
Scenario: The alert monitoring rule monitors data across multiple Alibaba Cloud accounts, or across multiple regions or projects of the same Alibaba Cloud account, and you want fine-grained control over what Simple Log Service can read. A custom role lets you restrict access to specific projects or Logstores instead of using the built-in role.

Note

If a RAM user creates an alert monitoring rule that uses the built-in role or a custom role, Simple Log Service assumes that role on the user's behalf. The RAM user must therefore be granted the ram:PassRole permission on that role, in addition to the permissions required to manage alerts. The following policy statement grants it. Replace Alibaba Cloud account ID with the ID of the account that owns the role and Role name with the name of the role, for example, AliyunSLSAlertMonitorRole. For more information, see Authorize a RAM user to manage alerts.

{
    "Action": "ram:PassRole",
    "Effect": "Allow",
    "Resource": "acs:ram::Alibaba Cloud account ID:role/Role name"
}

Use the default method to authorize Simple Log Service

If you use an alert monitoring rule to monitor data in the Logstores and Metricstores of a project, you can use the default method to authorize Simple Log Service. To use the default method to authorize Simple Log Service when you create an alert monitoring rule, select Default from the Authorization drop-down list on the Advanced Settings tab in the Query Statistics dialog box. For more information, see Create an alert rule for logs.

Assign the built-in role to Simple Log Service

If you use an alert monitoring rule to monitor data in the Logstores and Metricstores of multiple projects that belong to the same Alibaba Cloud account, you can assign the AliyunSLSAlertMonitorRole built-in role to Simple Log Service. Then, Simple Log Service can read data from the Logstores and Metricstores. To assign the AliyunSLSAlertMonitorRole built-in role to Simple Log Service when you create an alert monitoring rule, perform the following steps. For more information, see Create an alert rule for logs.

  1. In the Alert Monitoring Rule panel, click the text box in the Query Statistics field.

  2. On the Advanced Settings tab, select Built-in Role from the Authorization drop-down list.

  3. If you configure the built-in role for the first time, click Authorize.

    Note

    If you are logged on as a RAM user, this one-time authorization must be completed by the Alibaba Cloud account. A RAM user that later creates alert monitoring rules with the built-in role also needs the ram:PassRole permission on AliyunSLSAlertMonitorRole, as described in the note above.

  4. On the Cloud Resource Access Authorization page, click Confirm Authorization Policy.

Assign a custom role to Simple Log Service to monitor data within an Alibaba Cloud account

You can use a custom role to monitor data in the Logstores and Metricstores of multiple projects that belong to the same Alibaba Cloud account.

Before you perform the following steps, you must create a RAM role. For more information, see Step 1: Create a RAM role.

  1. Log on to the RAM console.

  2. Create a policy to manage alerts.

    1. In the left-side navigation pane, choose Permissions > Policies.

    2. On the Policies page, click Create Policy.

    3. On the Create Custom Policy page, set the parameters and click OK. The following table describes the parameters.

      Parameter: Policy Name
      Description: The name of the policy, for example, sls-alert-monitor-1-policy.

      Parameter: Configuration Mode
      Description: Select Script.

      Parameter: Policy Document
      Description: The content of the policy. Replace the content in the editor with the following script. Replace Project name with the name of the project whose Logstores and Metricstores you want to monitor.

      The policy grants only the read operations that alert monitoring requires: log:ListProject on all projects, and log:ListLogStores, log:GetLogStoreLogs, and log:GetIndex on the resources of the named project. You can narrow it further for fine-grained access control. For example, to allow reads from only specific Logstores, replace acs:log:*:*:project/Project name/* in the Resource element with one entry per Logstore, such as acs:log:*:*:project/my-project/logstore/my-logstore. Keep the trailing path segment: a Resource of acs:log:*:*:project/my-project alone matches the project itself, not the Logstores inside it.

      {
        "Statement": [
          {
            "Action": [
              "log:ListProject"
            ],
            "Effect": "Allow",
            "Resource": [
              "acs:log:*:*:*"
            ]
          },
          {
            "Action": [
              "log:ListLogStores",
              "log:GetLogStoreLogs",
              "log:GetIndex"
            ],
            "Effect": "Allow",
            "Resource": [
              "acs:log:*:*:project/Project name/*"
            ]
          }
        ],
        "Version": "1"
      }
    4. Click OK.

  3. Attach the policy to the RAM role.

    1. In the left-side navigation pane, choose Identities > Roles.

    2. On the Roles page, find the RAM role and click Add Permissions in the Actions column.

    3. On the Custom Policy tab, select the policy that you created in Step 2. Then, click OK. In this example, the policy is sls-alert-monitor-1-policy.

    4. Confirm the authorization result and click Complete.

    5. On the Roles page, click the name of the RAM role.

    6. On the page that appears, click the Trust Policy Management tab. Then, click Edit Trust Policy.

      Add log.aliyuncs.com to the Service element. With this trust policy, Simple Log Service in the same Alibaba Cloud account can call sts:AssumeRole on the role and obtain a temporary security token. The token carries only the permissions of the policies attached to the role, that is, the read operations granted in Step 2.

      {
          "Statement": [
              {
                  "Action": "sts:AssumeRole",
                  "Effect": "Allow",
                  "Principal": {
                      "Service": [
                          "log.aliyuncs.com"
                      ]
                  }
              }
          ],
          "Version": "1"
      }
  4. In the Basic Information section of the details page of the RAM role, obtain the Alibaba Cloud Resource Name (ARN).

    After you complete the authorization, you can use the ARN of the RAM role when you create an alert monitoring rule. For more information, see Create an alert rule for logs.

Assign a custom role to Simple Log Service to monitor data across multiple Alibaba Cloud accounts

You can use a custom role to monitor data in the Logstores and Metricstores of multiple Alibaba Cloud accounts. For example, you can use Alibaba Cloud Account A to create an alert monitoring rule and use the rule to monitor data in the Logstores and Metricstores of Alibaba Cloud Account B. To assign a custom role to Simple Log Service, perform the following steps.

Before you perform the following steps, you must create a RAM role. For more information, see Step 1: Create a RAM role.

  1. Use Alibaba Cloud Account B to log on to the RAM console.

  2. Create a policy to manage alerts.

    1. In the left-side navigation pane, choose Permissions > Policies.

    2. On the Policies page, click Create Policy.

    3. On the Create Custom Policy page, set the parameters and click OK. The following table describes the parameters.

      Parameter: Policy Name
      Description: The name of the policy, for example, sls-alert-monitor-2-policy.

      Parameter: Configuration Mode
      Description: Select Script.

      Parameter: Policy Document
      Description: The content of the policy. Replace the content in the editor with the following script. Replace Project name with the name of the project in Alibaba Cloud Account B whose Logstores and Metricstores you want to monitor. The alert monitoring rule itself is created in Alibaba Cloud Account A, so this policy only needs to grant read access to the monitored data.

      The policy grants only the read operations that alert monitoring requires: log:ListProject on all projects, and log:ListLogStores, log:GetLogStoreLogs, and log:GetIndex on the resources of the named project. You can narrow it further for fine-grained access control. For example, to allow reads from only specific Logstores, replace acs:log:*:*:project/Project name/* in the Resource element with one entry per Logstore, such as acs:log:*:*:project/my-project/logstore/my-logstore. Keep the trailing path segment: a Resource of acs:log:*:*:project/my-project alone matches the project itself, not the Logstores inside it.

      {
        "Statement": [
          {
            "Action": [
              "log:ListProject"
            ],
            "Effect": "Allow",
            "Resource": [
              "acs:log:*:*:*"
            ]
          },
          {
            "Action": [
              "log:ListLogStores",
              "log:GetLogStoreLogs",
              "log:GetIndex"
            ],
            "Effect": "Allow",
            "Resource": [
              "acs:log:*:*:project/Project name/*"
            ]
          }
        ],
        "Version": "1"
      }
    4. Click OK.

  3. Attach the policy to the RAM role.

    1. In the left-side navigation pane, choose Identities > Roles.

    2. On the Roles page, find the RAM role and click Add Permissions in the Actions column.

    3. On the Custom Policy tab, select the policy that you created in Step 2. Then, click OK. In this example, the policy is sls-alert-monitor-2-policy.

    4. Confirm the authorization result and click Complete.

    5. On the Roles page, click the name of the RAM role.

    6. On the page that appears, click the Trust Policy Management tab. Then, click Edit Trust Policy.

      Add ID of Alibaba Cloud Account A@log.aliyuncs.com to the Service element. Replace ID of Alibaba Cloud Account A with the ID of Alibaba Cloud Account A, the account in which the alert monitoring rule is created. You can view the ID of an Alibaba Cloud account in the Account Management console. With this trust policy, Simple Log Service acting on behalf of Account A can assume the role and obtain a temporary security token that carries the read permissions granted in Step 2 on the Logstores and Metricstores of Account B. The plain log.aliyuncs.com entry additionally lets Simple Log Service in Account B itself assume the role; if only Account A needs to monitor the data, remove that entry so that the trust policy lists only Account A.

      {
          "Statement": [
              {
                  "Action": "sts:AssumeRole",
                  "Effect": "Allow",
                  "Principal": {
                      "Service": [
                          "ID of Alibaba Cloud Account A@log.aliyuncs.com",
                          "log.aliyuncs.com"
                      ]
                  }
              }
          ],
          "Version": "1"
      }
  4. In the Basic Information section of the details page of the RAM role, obtain the ARN.

    After you complete the authorization, you can use the ARN of the RAM role when you create an alert monitoring rule. For more information, see Create an alert rule for logs.
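The policy documents from both custom-role procedures (the within-account one and the cross-account one) and the ram:PassRole statement from the note at the top of this page can be generated and checked before they are pasted into the RAM console. The following Python script is an added example written for this page; it is not Alibaba Cloud tooling and it does not call any Alibaba Cloud API. The project name, account IDs, Logstore names and role name in it are placeholders, and is_allowed is a deliberately simplified model of RAM policy evaluation (wildcard matching, an explicit Deny beats Allow, default Deny) used only to show what each policy does and does not grant. The resource format acs:log:<region>:<account ID>:project/<project>/logstore/<logstore> follows the page.

```python
"""Generate and sanity-check the RAM policy documents used for alert monitoring.

Added example for this page; not Alibaba Cloud tooling. All names and IDs are
placeholders. is_allowed() is a simplified model of RAM policy evaluation.
"""
import fnmatch
import json

SLS_SERVICE = "log.aliyuncs.com"  # service principal of Simple Log Service


def build_read_policy(project, logstores=None):
    """Read-only policy for the monitored project (the policy shown on the page).

    logstores=None covers every Logstore and Metricstore in the project
    (project/<name>/*); a list of names narrows it to those stores only.
    """
    if logstores:
        resources = [f"acs:log:*:*:project/{project}/logstore/{name}" for name in logstores]
    else:
        resources = [f"acs:log:*:*:project/{project}/*"]
    return {
        "Version": "1",
        "Statement": [
            # ListProject is not scoped to one project, so it keeps the full wildcard.
            {"Action": ["log:ListProject"], "Effect": "Allow", "Resource": ["acs:log:*:*:*"]},
            {
                "Action": ["log:ListLogStores", "log:GetLogStoreLogs", "log:GetIndex"],
                "Effect": "Allow",
                "Resource": resources,
            },
        ],
    }


def build_trust_policy(monitoring_account_ids=(), trust_own_account=True):
    """Trust policy that lets Simple Log Service assume the role.

    "log.aliyuncs.com" trusts Simple Log Service acting for the account that owns
    the role (within-account case); "<account ID>@log.aliyuncs.com" trusts it
    acting for another account (cross-account case). trust_own_account=False
    keeps only the listed accounts, the least-privilege choice when the owning
    account itself never monitors the data.
    """
    services = [f"{uid}@{SLS_SERVICE}" for uid in monitoring_account_ids]
    if trust_own_account:
        services.append(SLS_SERVICE)
    if not services:
        raise ValueError("trust policy must name at least one principal")
    return {
        "Version": "1",
        "Statement": [
            {"Action": "sts:AssumeRole", "Effect": "Allow", "Principal": {"Service": services}}
        ],
    }


def build_pass_role_policy(account_id, role_name):
    """Policy a RAM user needs before it can select the role in an alert rule."""
    return {
        "Version": "1",
        "Statement": [
            {"Action": "ram:PassRole", "Effect": "Allow",
             "Resource": f"acs:ram::{account_id}:role/{role_name}"}
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified RAM decision for one identity policy.

    A statement matches when any of its Action patterns and any of its Resource
    patterns match (RAM wildcards: * and ?). An explicit Deny wins; no match
    at all means Deny.
    """
    allowed = False
    for statement in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, p) for p in _as_list(statement["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, p)
                           for p in _as_list(statement.get("Resource", "*")))
        if action_hit and resource_hit:
            if statement["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    # Placeholder values; replace with your own project, account IDs and role name.
    read_policy = build_read_policy("my-project")
    print(json.dumps(read_policy, indent=2))
    print(json.dumps(build_trust_policy(["111111111111"], trust_own_account=False), indent=2))
    print(json.dumps(build_pass_role_policy("222222222222", "sls-alert-monitor-1-role"), indent=2))
    store = "acs:log:cn-hangzhou:222222222222:project/my-project/logstore/nginx-access"
    print(is_allowed(read_policy, "log:GetLogStoreLogs", store))                                # True
    print(is_allowed(read_policy, "log:GetLogStoreLogs", store.replace("my-project", "other")))  # False
    print(is_allowed(read_policy, "log:DeleteLogStore", store))                                 # False
```

Paste the printed JSON into the Script editor of the RAM console in the Policy Document and Edit Trust Policy steps above. The is_allowed checks make two points visible that the console does not: a Resource that names the project without a trailing segment does not match the Logstores inside it, and the policy never grants write operations such as log:DeleteLogStore, however the Resource is scoped.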