Before Log Service can access the resources of other cloud services, you must grant it the required permissions by using the AliyunServiceRoleForSLSAlert service-linked role. This topic describes the scenarios and policy of the AliyunServiceRoleForSLSAlert service-linked role.

Scenarios

You can use the AliyunServiceRoleForSLSAlert service-linked role in the following scenarios:
  • View alert details and manage alerts based on alert notifications without the need to log on to the Log Service console.

    For example, after you receive an alert notification from a DingTalk chatbot, you can click the link in the notification to view the alert details and manage alerts. You do not need to log on to the Log Service console by using your PC.

  • Integrate the alerting feature with other cloud services.

    For example, when you create an action group, you can select a cloud service such as Function Compute or EventBridge as a notification method.

To collect the required information, Log Service must assume the AliyunServiceRoleForSLSAlert service-linked role to obtain the required permissions to read and modify the resources of the cloud services. For more information, see Service-linked roles.

Description

  • Role name: AliyunServiceRoleForSLSAlert
  • Policy attached to the role: AliyunServiceRolePolicyForSLSAlert
  • Policy document:
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "log:GetJob",
                    "log:UpdateJob",
                    "log:GetResource",
                    "log:ListResources",
                    "log:GetResourceRecord",
                    "log:ListResourceRecords",
                    "log:UpdateResourceRecords"
                ],
                "Resource": [
                    "acs:log:*:*:project/*"
                ],
                "Effect": "Allow"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "log:GetLogStoreLogs"
                ],
                "Resource": "acs:log:*:*:project/sls-alert-*"
            },
            {
                "Action": [
                    "eventbridge:PutEvents"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "fc:InvokeFunction"
                ],
                "Resource": "acs:fc:*:*:services/*/functions/sls-ops-*",
                "Effect": "Allow"
            },
            {
                "Action": "ram:DeleteServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "alert.log.aliyuncs.com"
                    }
                }
            }
        ]
    }
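
To review how far each grant in the policy document reaches, the statements can be evaluated against sample requests. The following Python code is an added example, not part of the original documentation or Alibaba Cloud's own policy engine. It assumes a simplified model: only Allow statements, `*` as the only wildcard, and StringEquals as the only condition operator.

```python
import re

# Statements copied from the policy document above; every Effect is Allow.
POLICY = [
    {"Action": ["log:GetJob", "log:UpdateJob", "log:GetResource", "log:ListResources",
                "log:GetResourceRecord", "log:ListResourceRecords",
                "log:UpdateResourceRecords"],
     "Resource": ["acs:log:*:*:project/*"]},
    {"Action": ["log:GetLogStoreLogs"], "Resource": "acs:log:*:*:project/sls-alert-*"},
    {"Action": ["eventbridge:PutEvents"], "Resource": "*"},
    {"Action": ["fc:InvokeFunction"],
     "Resource": "acs:fc:*:*:services/*/functions/sls-ops-*"},
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*",
     "Condition": {"StringEquals": {"ram:ServiceName": "alert.log.aliyuncs.com"}}},
]


def _as_list(value):
    """Action and Resource appear both as a string and as a list in the policy."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """Assumption: '*' is the only wildcard and matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def is_allowed(action, resource, context=None):
    """Return True if any statement grants `action` on `resource`."""
    context = context or {}
    for stmt in POLICY:
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {})
        if all(context.get(key) == want for key, want in required.items()):
            return True
    return False


def unscoped_actions():
    """Actions granted on Resource "*" with no Condition narrowing them."""
    return [a for stmt in POLICY
            if "*" in _as_list(stmt["Resource"]) and "Condition" not in stmt
            for a in _as_list(stmt["Action"])]
```

`unscoped_actions()` returns only `eventbridge:PutEvents`, the one grant in the policy that is not limited by a resource pattern or a condition.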