This topic describes how to grant the operation permissions on CloudLens for RDS to a RAM user.
Background information
You can grant the operation permissions on CloudLens for RDS to a RAM user in one of the following modes:
- Simple mode: You grant all permissions on Log Service to the RAM user. You do not need to configure parameters.
- Custom mode: You create custom policies and attach the policies to the RAM user. This mode allows you to perform fine-grained access control. However, the configurations in this mode are complex.
Simple mode
Log on to the RAM console by using your Alibaba Cloud account. Then, attach the AliyunLogFullAccess and AliyunRAMFullAccess policies to the RAM user. This way, the RAM user has all permissions on Log Service.
For more information, see Grant permissions to a RAM user.
Custom mode
- Log on to the RAM console by using your Alibaba Cloud account.
- Create a policy.
  - In the left-side navigation pane, choose .
  - On the Policies page, click Create Policy.
  - On the Create Policy page, click the JSON tab, replace the existing script in the text editor with one of the following scripts, and then click Next Step.
    You can grant the RAM user read-only permissions or read and write permissions on CloudLens for RDS.
    - Read-only permissions: Use the following script to authorize the RAM user only to view each page of CloudLens for RDS.
      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "rds:DescribeSqlLogInstances",
              "rds:DisableSqlLogDistribution"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Effect": "Allow",
            "Action": [
              "log:CreateLogStore",
              "log:CreateIndex",
              "log:UpdateIndex",
              "log:ListLogStores",
              "log:GetLogStore",
              "log:GetLogStoreLogs",
              "log:CreateDashboard",
              "log:CreateChart",
              "log:UpdateDashboard"
            ],
            "Resource": [
              "acs:log:*:*:project/sls-alert-*/logstore/*",
              "acs:log:*:*:project/sls-alert-*/dashboard/*"
            ]
          },
          {
            "Effect": "Allow",
            "Action": [
              "log:CreateProject"
            ],
            "Resource": [
              "acs:log:*:*:project/sls-alert-*"
            ]
          },
          {
            "Effect": "Allow",
            "Action": [
              "log:GetLogStore",
              "log:ListLogStores",
              "log:GetIndex",
              "log:GetLogStoreHistogram",
              "log:GetLogStoreLogs",
              "log:GetDashboard",
              "log:ListDashboard",
              "log:ListSavedSearch",
              "log:GetProjectLogs"
            ],
            "Resource": [
              "acs:log:*:*:project/*/logstore/*",
              "acs:log:*:*:project/*/dashboard/*",
              "acs:log:*:*:project/*/savedsearch/*"
            ]
          },
          {
            "Action": [
              "ram:GetRole"
            ],
            "Resource": "acs:ram:*:*:role/aliyunlogarchiverole",
            "Effect": "Allow"
          }
        ]
      }
    - Read and write permissions: Use the following script to authorize the RAM user to perform all operations that are supported by CloudLens for RDS.
      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "rds:DescribeSqlLogInstances",
              "rds:DisableSqlLogDistribution",
              "rds:EnableSqlLogDistribution",
              "rds:ModifySQLCollectorPolicy"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Effect": "Allow",
            "Action": [
              "log:CreateLogStore",
              "log:CreateIndex",
              "log:UpdateIndex",
              "log:ListLogStores",
              "log:GetLogStore",
              "log:GetLogStoreLogs",
              "log:CreateDashboard",
              "log:CreateChart",
              "log:UpdateDashboard"
            ],
            "Resource": [
              "acs:log:*:*:project/sls-alert-*/logstore/*",
              "acs:log:*:*:project/sls-alert-*/dashboard/*"
            ]
          },
          {
            "Effect": "Allow",
            "Action": [
              "log:CreateProject"
            ],
            "Resource": [
              "acs:log:*:*:project/sls-alert-*"
            ]
          },
          {
            "Effect": "Allow",
            "Action": [
              "log:GetLogStore",
              "log:ListLogStores",
              "log:GetIndex",
              "log:GetLogStoreHistogram",
              "log:GetLogStoreLogs",
              "log:GetDashboard",
              "log:ListDashboard",
              "log:ListSavedSearch",
              "log:CreateLogStore",
              "log:CreateIndex",
              "log:UpdateIndex",
              "log:CreateDashboard",
              "log:CreateChart",
              "log:UpdateDashboard",
              "log:UpdateLogStore",
              "log:GetProjectLogs"
            ],
            "Resource": [
              "acs:log:*:*:project/*/logstore/*",
              "acs:log:*:*:project/*/dashboard/*",
              "acs:log:*:*:project/*/savedsearch/*"
            ]
          },
          {
            "Action": [
              "log:SetGeneralDataAccessConfig"
            ],
            "Resource": [
              "acs:log:*:*:resource/sls.general_data_access.rds.global_conf.single_account_channel/record"
            ],
            "Effect": "Allow"
          },
          {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
              "StringEquals": {
                "ram:ServiceName": "audit.log.aliyuncs.com"
              }
            }
          },
          {
            "Action": [
              "ram:*"
            ],
            "Resource": [
              "acs:ram:*:*:role/aliyunlogarchiverole",
              "acs:ram:*:*:policy/AliyunLogArchiveRolePolicy"
            ],
            "Effect": "Allow"
          }
        ]
      }
  - Configure the Name parameter and click OK. In this example, set the Name parameter to log-rds-policy.
- Attach the policy to the RAM user.
  - In the left-side navigation pane, choose .
  - On the Users page, find the RAM user to which you want to attach the policy and click Add Permissions in the Actions column.
  - In the Select Policy section of the Add Permissions panel, click Custom Policy. Then, click the policy that you created in Step 2.
  - Click OK.
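Before pasting a policy script into the console, it is useful to check it offline: that it parses, that no action is listed twice, that a policy described as read-only really contains only Describe/Get/List calls, and that a given action on a given resource would actually be allowed (including the ram:ServiceName condition on ram:CreateServiceLinkedRole in the read and write script). The following Python script is an added example, not part of this page and not Alibaba Cloud tooling. The two embedded policies are constructed, trimmed subsets of the read-only script and the read and write script above; the wildcard matching (fnmatch) and the Describe/Get/List heuristic are simplifications of RAM's real evaluation and are assumptions of this example. Run on the read-only subset, the lint reports rds:DisableSqlLogDistribution and log:CreateProject, the two actions in that script that are not read calls.

```python
"""Lint and simulate an Alibaba Cloud RAM policy document (added example, not from the page)."""
import fnmatch
import json
from collections import Counter

# Constructed subset of the read-only CloudLens for RDS policy shown above.
READ_ONLY_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Action": ["rds:DescribeSqlLogInstances", "rds:DisableSqlLogDistribution"],
         "Resource": "*", "Effect": "Allow"},
        {"Effect": "Allow", "Action": ["log:CreateProject"],
         "Resource": ["acs:log:*:*:project/sls-alert-*"]},
        {"Effect": "Allow",
         "Action": ["log:GetLogStore", "log:ListLogStores", "log:GetLogStoreLogs"],
         "Resource": ["acs:log:*:*:project/*/logstore/*"]},
        {"Action": ["ram:GetRole"],
         "Resource": "acs:ram:*:*:role/aliyunlogarchiverole", "Effect": "Allow"},
    ],
})

# Constructed fragment of the read and write policy: the service-linked-role
# statement with its ram:ServiceName condition, plus a deliberately duplicated action.
READ_WRITE_FRAGMENT = json.dumps({
    "Version": "1",
    "Statement": [
        {"Action": ["rds:DisableSqlLogDistribution", "rds:DisableSqlLogDistribution",
                    "rds:EnableSqlLogDistribution"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "audit.log.aliyuncs.com"}}},
    ],
})

# Heuristic (assumption): an action whose verb starts with one of these is a read call.
READ_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    """RAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json, expect_read_only=False):
    """Return human-readable findings: bad Version, duplicate actions, non-read actions."""
    policy = json.loads(policy_json)
    findings = []
    if policy.get("Version") != "1":
        findings.append('Version must be "1"')
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        for action, count in Counter(actions).items():
            if count > 1:
                findings.append(f"statement {i}: duplicate action {action}")
        if expect_read_only and stmt.get("Effect") == "Allow":
            for action in actions:
                verb = action.split(":", 1)[-1]  # "log:GetLogStore" -> "GetLogStore"
                if not verb.startswith(READ_PREFIXES):
                    findings.append(
                        f"statement {i}: non-read action {action} in read-only policy")
    return findings


def _condition_matches(condition, context):
    """Only StringEquals is modelled; every key must match the request context exactly."""
    return all(context.get(key) == expected
               for key, expected in condition.get("StringEquals", {}).items())


def is_allowed(policy_json, action, resource, context=None):
    """Simulate a request: any matching Allow grants it, any matching Deny overrides."""
    policy = json.loads(policy_json)
    context = context or {}
    allowed = False
    for stmt in policy.get("Statement", []):
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt.get("Action", []))):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource", []))):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    for name, doc, ro in (("read-only", READ_ONLY_POLICY, True),
                          ("read-write fragment", READ_WRITE_FRAGMENT, False)):
        print(name, lint_policy(doc, expect_read_only=ro))
    print(is_allowed(READ_ONLY_POLICY, "log:CreateProject",
                     "acs:log:cn-hangzhou:1234:project/sls-alert-rds"))
```

The simulator is deliberately conservative: a statement only contributes if its Action, Resource and Condition all match, so an unconditioned request for ram:CreateServiceLinkedRole is refused by the read and write fragment even though the action name matches. Resource patterns use fnmatch, which lets "*" cross "/" boundaries; that is good enough to see that the read-only script permits log:CreateProject only for projects named sls-alert-*, but it is not a substitute for RAM's own policy evaluation.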