This topic describes how to create a RAM role whose trusted entity is an Alibaba Cloud service and authorize the RAM role to access Log Service resources. This type of RAM role is used to authorize access across Alibaba Cloud services.

Step 1: Create a RAM role

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. On the Roles page, click Create Role.
  4. In the Select Role Type step, select Alibaba Cloud Service in the Trusted entity type section and click Next.
  5. In the Configure Role step, set the parameters and click OK. The following table describes the parameters.
    Parameter Description
    Role Type Select Normal Service Role.
    RAM Role Name Enter the name of the RAM role, for example, aliyunlogreadrole.
    Note Enter the description of the RAM role.
    Select Trusted Service Select Log Service from the drop-down list.
  6. In the Finish step, click Close.

Step 2: Grant permissions to the RAM role

After you create a RAM role, the RAM role does not have permissions. Before Log Service assumes the RAM role to perform operations, you must attach the required system policies or custom policies to the RAM role. Resource Access Management (RAM) provides the following two system policies for Log Service:
  • AliyunLogFullAccess: the permissions to manage all Log Service resources.
  • AliyunLogReadOnlyAccess: the read-only permissions on all Log Service resources.

If the system policies do not meet your business requirements, you can create a custom policy to implement fine-grained access control. For more information, see Create a custom policy. For information about the examples of policies, see Use custom policies to grant permissions to a RAM user and Overview.

To attach the AliyunLogReadOnlyAccess policy to a RAM role, perform the following steps:

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. On the Roles page, find the RAM role and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, select the AliyunLogReadOnlyAccess policy and click OK.
  5. Confirm the authorization result and click Complete.