AliyunServiceRolePolicyForSLSFullObserverbility is the authorization policy dedicated to a service-linked role. The policy is automatically attached to a service role when the service role is created. Then, the service-linked role is authorized to access other cloud services. This policy is updated by the relevant Alibaba Cloud service. Do not attach this policy to a RAM identity other than a service-linked role.
Policy details
Type: service system policy
Creation time: 13:56:15 on October 09, 2025
Update time: 13:56:15 on October 09, 2025
Current version: v1
Policy content
{
"Version": "1",
"Statement": [
{
"Action": [
"log:Get*",
"log:List*",
"log:CreateProject",
"log:CreateLogstore",
"log:CreateIndex",
"log:CreateDashboard",
"log:CreateJob",
"log:UpdateConfig",
"log:UpdateJob",
"log:UpdateDashboard",
"log:UpdateIndex",
"log:DeleteLogstore",
"log:DeleteDashboard",
"log:DeleteJob",
"log:DeleteIndex",
"log:DeleteConfig",
"log:PostProjectQuery",
"log:PutProjectQuery",
"log:DeleteProjectQuery",
"log:GetProjectQuery",
"log:PostLogStoreLogs",
"log:BatchPostLogStoreLogs",
"log:CreateConsumerGroup",
"log:UpdateConsumerGroup",
"log:DeleteConsumerGroup",
"log:ListConsumerGroup",
"log:ConsumerGroupUpdateCheckPoint",
"log:ConsumerGroupHeartBeat",
"log:GetConsumerGroupCheckPoint"
],
"Resource": "acs:log:*:*:project/*",
"Effect": "Allow"
},
{
"Action": "ram:PassRole",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"log:GetDataExpression",
"log:CreateDataExpression",
"log:UpdateDataExpression"
],
"Resource": "acs:log:*:*:dataexpression/sls_default_data_expression/*",
"Effect": "Allow"
},
{
"Action": [
"log:Get*"
],
"Resource": [
"acs:log:*:*:mlservice/sls_builtin_service_*/*"
],
"Effect": "Allow"
},
{
"Action": [
"log:CreateAnnotationDataSet",
"log:DeleteAnnotationDataSet",
"log:GetAnnotationDataSet",
"log:ListAnnotationDataSets",
"log:UpdateAnnotationDataSet",
"log:CreateAnnotationLabel",
"log:DeleteAnnotationLabel",
"log:GetAnnotationLabel",
"log:UpdateAnnotationLabel",
"log:ListAnnotationLabels",
"log:DeleteAnnotationData",
"log:GetAnnotationData",
"log:ListAnnotationData",
"log:PutAnnotationData"
],
"Resource": [
"acs:log:*:*:mlannotationdataset/*",
"acs:log:*:*:mlannotationlabel/*"
],
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "fullobserverbility.log.aliyuncs.com"
}
}
}
]
}