This topic describes how to authorize a Resource Access Management (RAM) user to use the access log feature of Classic Load Balancer (CLB) with your Alibaba Cloud account. To use the access log feature, RAM users must acquire the required permissions.

Prerequisites

The access log feature is enabled for the Alibaba Cloud account. For more information, see Enable the access log management feature.

Procedure

  1. Perform the following operations to create a policy:
    1. Log on to the RAM console with the Alibaba Cloud account.
    2. In the left-side navigation pane, choose Permissions > Policies.
    3. On the Policies page, click Create Policy.
    4. On the Create Policy page, click the JSON tab.
      You can also create a policy on the Visual Editor Beta tab. For more information, see Create a custom policy on the Visual Editor Beta tab.
    5. On the JSON tab, enter the following code and click Next Step:
      {
      "Statement": [
       {
         "Action": [
           "slb:Create*",
           "slb:List*"
         ],
         "Effect": "Allow",
         "Resource": "acs:log:*:*:project/*"
       },
       {
         "Action": [
           "log:Create*",
           "log:List*"
         ],
         "Effect": "Allow",
         "Resource": "acs:log:*:*:project/*"
       },
       {
         "Action": [
           "log:Create*",
           "log:List*",
           "log:Get*",
           "log:Update*"
         ],
         "Effect": "Allow",
         "Resource": "acs:log:*:*:project/*/logstore/*"
       },
       {
         "Action": [
           "log:Create*",
           "log:List*",
           "log:Get*",
           "log:Update*"
         ],
         "Effect": "Allow",
         "Resource": "acs:log:*:*:project/*/dashboard/*"
       },
       {
         "Action": "cms:QueryMetric*",
         "Resource": "*",
         "Effect": "Allow"
       },
       {
         "Action": [
           "slb:Describe*",
           "slb:DeleteAccessLogsDownloadAttribute",
           "slb:SetAccessLogsDownloadAttribute",
           "slb:DescribeAccessLogsDownloadAttribute"
         ],
         "Resource": "*",
         "Effect": "Allow"
       },
       {
         "Action": [
           "ram:Get*",
           "ram:ListRoles"
         ],
         "Effect": "Allow",
         "Resource": "*"
       }
      ],
      "Version": "1"
      }
    6. Specify the Name and Note parameters, and then click OK. For example, you can use the name SlbAccessLogPolicySet.
  2. Perform the following operations to authorize a RAM user:
    1. In the left-side navigation pane of the RAM console, choose Permissions > Grants and click Grant Permission.
    2. On the Grant Permission page, specify the Authorized Scope parameter.
      Grant permissions
      • Alibaba Cloud Account: The permissions take effect on all resources in the current Alibaba Cloud account.
      • Specific Resource Group: The permissions take effect on resources in a specified resource group.
    3. On the Grant Permission page specify Principal.
      Note You can attach a maximum of five policies to a RAM user at the same time. If you want to attach more than five policies to a RAM user, repeat the required operations.
    4. Select the policy that you want to attach to the RAM user from the Authorization Policy Name list and click OK.
    5. Return to the Grants page and check whether the policy is attached to the RAM user. After the policy is attached to the RAM user, the RAM user can use the access log feature of CLB.