This topic describes how to access Log Service resources of an Alibaba Cloud account as a RAM user. You can access these resources only after you grant the RAM user the required permissions by using Resource Access Management (RAM).

Background information

You can create projects, Logstores, Logtail configuration files, and machine groups in Log Service. By default, you have full permissions on these resources. You can use the resources by calling the relevant API operations.

However, if you use your Alibaba Cloud account to create a RAM user, the RAM user has no permission to use your resources. To allow the RAM user to use your resources, you must grant the required permissions to the RAM user.

Note: For more information about how to authorize a RAM user to access Log Service resources, see Assign a RAM role to an Alibaba Cloud account and Overview of RAM.

If you do not need to grant other users the permission to access Log Service resources of your Alibaba Cloud account, you can skip this section.

RAM policies

You can attach the following policies to a RAM user. Then, the RAM user has the corresponding permissions on your Log Service resources.
  • AliyunLogFullAccess
    If you attach this policy to a RAM user, the RAM user has full permissions to access Log Service resources of your Alibaba Cloud account. The following example shows the policy:
      {
        "Version": "1",
        "Statement": [
          {
            "Action": "log:*",
            "Resource": "*",
            "Effect": "Allow"
          }
        ]
      }
  • AliyunLogReadOnlyAccess
    If you attach this policy to a RAM user, the RAM user has the read-only permissions to access Log Service resources of your Alibaba Cloud account. The following example shows the policy:
      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "log:Get*",
              "log:List*"
            ],
            "Resource": "*",
            "Effect": "Allow"
          }
        ]
      }
  • Upload data to a specified Logstore
    If you attach this policy to a RAM user, the RAM user has the permissions to upload data to a specified Logstore by using the API operations and SDKs. The following example shows the policy:
      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "log:Post*",
              "log:BatchPost*"
            ],
            "Resource": ["acs:log:*:*:project/<The name of the specified project>/logstore/<The name of the specified Logstore>"],
            "Effect": "Allow"
          }
        ]
      }
  • Query the data of a specified Logstore in the console
    If you attach this policy to a RAM user, the RAM user has the read-only permissions to query the data of a specified Logstore in the console. The permissions include querying logs, pulling logs, and viewing the Logstore list. The following example shows the policy:
      {
        "Version": "1",
        "Statement": [
          {
            "Action": ["log:List*"],
            "Resource": ["acs:log:*:*:project/<The name of the specified project>/*"],
            "Effect": "Allow"
          },
          {
            "Action": ["log:Get*"],
            "Resource": ["acs:log:*:*:project/<The name of the specified project>/logstore/<The name of the specified Logstore>"],
            "Effect": "Allow"
          }
        ]
      }
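
To make the scope of the two least-privilege policies above concrete, the following added Python example (not code from the Alibaba Cloud documentation or the RAM service) loads the "upload only" and "console query" policies with hypothetical project and Logstore names and evaluates sample requests against them. The matcher is a deliberate simplification (only the `*` wildcard, Allow unless a matching Deny exists) that approximates how RAM scopes actions and resources; it is not RAM's exact evaluation engine. The API action names, region and account ID are constructed sample values.

```python
import fnmatch

# Hypothetical names used to fill the <...> placeholders from the policies above.
PROJECT = "my-project"
LOGSTORE = "app-log"

# The "Upload data to a specified Logstore" policy from the page, placeholders filled in.
UPLOAD_ONLY_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Action": ["log:Post*", "log:BatchPost*"],
            "Resource": [f"acs:log:*:*:project/{PROJECT}/logstore/{LOGSTORE}"],
            "Effect": "Allow",
        }
    ],
}

# The "Query the data of a specified Logstore in the console" policy from the page.
CONSOLE_QUERY_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Action": ["log:List*"],
            "Resource": [f"acs:log:*:*:project/{PROJECT}/*"],
            "Effect": "Allow",
        },
        {
            "Action": ["log:Get*"],
            "Resource": [f"acs:log:*:*:project/{PROJECT}/logstore/{LOGSTORE}"],
            "Effect": "Allow",
        },
    ],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified evaluation (an assumption, not RAM's full engine): the request
    is allowed if at least one Allow statement matches both the action and the
    resource, unless a matching Deny statement exists. '*' is the only wildcard
    honoured and matching is case-sensitive."""
    allowed = False
    for stmt in policy.get("Statement", []):
        action_hit = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed


def resource_arn(project, logstore, region="cn-hangzhou", account="1234567890"):
    """Build a Log Service resource string in the format used by the policies above.
    The region and account ID defaults are constructed sample values."""
    return f"acs:log:{region}:{account}:project/{project}/logstore/{logstore}"


def privilege_matrix(policy, requests):
    """Evaluate (action, resource) requests; returns {(action, resource): allowed}."""
    return {(a, r): is_allowed(policy, a, r) for a, r in requests}


if __name__ == "__main__":
    # Sample requests; the API action names are assumed for illustration.
    own = resource_arn(PROJECT, LOGSTORE)
    other = resource_arn(PROJECT, "other-log")
    requests = [
        ("log:PostLogStoreLogs", own),
        ("log:PostLogStoreLogs", other),
        ("log:GetLogs", own),
        ("log:ListLogStores", other),
    ]
    for name, policy in [("upload-only", UPLOAD_ONLY_POLICY), ("console-query", CONSOLE_QUERY_POLICY)]:
        print(f"== {name} ==")
        for (action, res), ok in privilege_matrix(policy, requests).items():
            print(f"{('ALLOW' if ok else 'DENY'):5} {action} on {res}")
```

Running the script shows the boundary each policy draws: the upload-only identity can post to `app-log` but neither read it nor post to `other-log`, while the console-query identity can list Logstores across the project but read only `app-log`. Checking a candidate policy this way before attaching it is a cheap guard against accidentally granting `log:*` or `Resource: "*"` to an identity that only needs to ship logs.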