This topic describes how to use custom policies to grant permissions to a RAM user.

Notice
  • Logstores that are displayed in a policy include Logstores and Metricstores. If you want to manage Metricstores, the following policies also apply.
  • To ensure data security, we recommend that you follow the principle of least privilege (PoLP) when you grant permissions to RAM users. You must grant RAM users the read-only permissions on the project list before the RAM user can view the projects in the project list. For more information, see Attach system policies to a RAM user and Create a custom policy.

Grant permissions to a RAM user in the RAM console

  • The read-only permissions on projects
    For example, you want to use your Alibaba Cloud account to grant the following permissions to a RAM user:
    • The permissions to view the project list of the Alibaba Cloud account
    • The read-only permissions on the projects that are specified by the Alibaba Cloud account
    Note If you grant a RAM user the read-only permissions on a project, the RAM user cannot view the logs in the project. You must also grant the read-only permissions on specific Logstores in the project.
    Use the following policy:
    {
       "Version": "1",
       "Statement": [
         {
           "Action": ["log:ListProject"],
           "Resource": ["acs:log:*:*:project/*"],
           "Effect": "Allow"
          },
         {
           "Action": [
             "log:Get*",
             "log:List*"
           ],
           "Resource": "acs:log:*:*:project/<Project name>/*",
           "Effect": "Allow"
         }
       ]
     }
  • The read-only permissions on a specified Logstore and the permissions to create and manage saved searches
    For example, you want to use your Alibaba Cloud account to grant the following permissions to a RAM user:
    • The permissions to view the project list of the Alibaba Cloud account
    • The read-only permissions on a specified Logstore and the permissions to create and manage saved searches
    Use the following policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:ListProject"
          ],
          "Resource": "acs:log:*:*:project/*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:List*"
          ],
          "Resource": "acs:log:*:*:project/<Project name>/logstore/*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*",
            "log:List*"
          ],
          "Resource": [
            "acs:log:*:*:project/<Project name>/logstore/<Logstore name>"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:List*"
          ],
          "Resource": [
            "acs:log:*:*:project/<Project name>/dashboard",
            "acs:log:*:*:project/<Project name>/dashboard/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*",
            "log:List*",
            "log:Create*"
          ],
          "Resource": [
            "acs:log:*:*:project/<Project name>/savedsearch",
            "acs:log:*:*:project/<Project name>/savedsearch/*"
          ],
          "Effect": "Allow"
        }
      ]
    }
  • The read-only permissions on a specified Logstore and the permissions to view all saved searches and dashboards in a project
    For example, you want to use your Alibaba Cloud account to grant the following permissions to a RAM user:
    • The permissions to view the project list of the Alibaba Cloud account
    • The read-only permissions on a specified Logstore and the permissions to view all saved searches and dashboards in the project to which the Logstore belongs
    Use the following policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:ListProject"
          ],
          "Resource": "acs:log:*:*:project/*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:List*"
          ],
          "Resource": "acs:log:*:*:project/<Project name>/logstore/*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*",
            "log:List*"
          ],
          "Resource": [
            "acs:log:*:*:project/<Project name>/logstore/<Logstore name>"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*",
            "log:List*"
          ],
          "Resource": [
            "acs:log:*:*:project/<Project name>/dashboard",
            "acs:log:*:*:project/<Project name>/dashboard/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*",
            "log:List*"
          ],
          "Resource": [
            "acs:log:*:*:project/<Project name>/savedsearch",
            "acs:log:*:*:project/<Project name>/savedsearch/*"
          ],
          "Effect": "Allow"
        }
      ]
    }

Use API operations to grant permissions to a RAM user

  • The permissions to write data to a specified project
    To grant a RAM user only the permissions to write data to a specified project, use the following policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:Post*"
          ],
          "Resource": "acs:log:*:*:project/<Project name>/*",
          "Effect": "Allow"
        }
      ]
    }
  • The permissions to write data to a specified Logstore

    To grant a RAM user only the permissions to write data to a specified Logstore, use the following policy:

    {
      "Version":"1",
      "Statement":[
        {
          "Effect":"Allow",
          "Action":[
            "log:PostLogStoreLogs"
          ],
          "Resource":[
            "acs:log:*:*:project/<Project name>/logstore/<Logstore name>"
          ]
        }
      ]
    }
  • The permissions to consume data from a specified project
    To grant a RAM user only the permissions to consume data from a specified project, use the following policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:ListShards",
            "log:GetCursorOrData",
            "log:GetConsumerGroupCheckPoint",
            "log:UpdateConsumerGroup",
            "log:ConsumerGroupHeartBeat",
            "log:ConsumerGroupUpdateCheckPoint",
            "log:ListConsumerGroup",
            "log:CreateConsumerGroup"
          ],
          "Resource": "acs:log:*:*:project/<Project name>/*",
          "Effect": "Allow"
        }
      ]
    }
  • The permissions to consume data from a specified Logstore
    To grant a RAM user only the permissions to consume data from a specified Logstore, use the following policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:ListShards",
            "log:GetCursorOrData",
            "log:GetConsumerGroupCheckPoint",
            "log:UpdateConsumerGroup",
            "log:ConsumerGroupHeartBeat",
            "log:ConsumerGroupUpdateCheckPoint",
            "log:ListConsumerGroup",
            "log:CreateConsumerGroup"
          ],
          "Resource": [
            "acs:log:*:*:project/<Project name>/logstore/<Logstore name>",
            "acs:log:*:*:project/<Project name>/logstore/<Logstore name>/*"
          ],
          "Effect": "Allow"
        }
      ]
    }
  • The permissions to specify encryption configurations for a specified Logstore
    If you attach the following policy to a RAM user, the RAM user must specify encryption configurations when the RAM user creates or modifies a Logstore. If you do not attach the policy to the RAM user, the RAM user does not need to specify encryption configurations when the RAM user creates or modifies a Logstore.
    Note You can specify the exact names of projects or Logstores in the policy or use asterisks (*) to support fuzzy match.
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "log:CreateLogStore",
            "log:UpdateLogStore"
          ],
          "Resource": [
            "acs:log:*:*:project/<Project name>/logstore/<Logstore name>",
            "acs:log:*:*:project/<Project name>/logstore/*"
          ],
          "Condition": {
            "Bool": {
              "log:Encrypted": "true"
            }
          }
        }
      ]
    }

References

For more information, see the following topics: